CVE-2025-71070
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: clean up user copy references on ublk server exit
If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | e63d2228ef831af36f963b3ab8604160cfff84c1 < 13456b4f1033d911f8bf3a0a1195656f293ba0f6 | affected |
| Linux | Linux | e63d2228ef831af36f963b3ab8604160cfff84c1 < daa24603d9f0808929514ee62ced30052ca7221c | affected |
| Linux | Linux | e537193fc4a43b48ac51cc6366319e15e32dd540 | affected |
| Linux | Linux | 6.14.6 < 6.15 | affected |
| Linux | Linux | 6.15 | affected |
| Linux | Linux | 0 < 6.15 | unaffected |
| Linux | Linux | 6.18.3 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6
- https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.