FKIE_CVE-2025-71070

Vulnerability from fkie_nvd - Published: 2026-01-13 16:16 - Updated: 2026-04-15 00:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: clean up user copy references on ublk server exit\n\nIf a ublk server process releases a ublk char device file, any requests\ndispatched to the ublk server but not yet completed will retain a ref\nvalue of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 (\"ublk: simplify\naborting ublk request\"), __ublk_fail_req() would decrement the reference\ncount before completing the failed request. However, that commit\noptimized __ublk_fail_req() to call __ublk_complete_rq() directly\nwithout decrementing the request reference count.\nThe leaked reference count incorrectly allows user copy and zero copy\noperations on the completed ublk request. It also triggers the\nWARN_ON_ONCE(refcount_read(\u0026io-\u003eref)) warnings in ublk_queue_reinit()\nand ublk_deinit_queue().\nCommit c5c5eb24ed61 (\"ublk: avoid ublk_io_release() called after ublk\nchar dev is closed\") already fixed the issue for ublk devices using\nUBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference\ncount leak also affects UBLK_F_USER_COPY, the other reference-counted\ndata copy mode. Fix the condition in ublk_check_and_reset_active_ref()\nto include all reference-counted data copy modes. This ensures that any\nublk requests still owned by the ublk server when it exits have their\nreference counts reset to 0."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nublk: limpiar referencias de copia de usuario al salir el servidor ublk\n\nSi un proceso de servidor ublk libera un archivo de dispositivo de caracteres ublk, cualquier solicitud despachada al servidor ublk pero a\u00fan no completada retendr\u00e1 un valor de referencia de UBLK_REFCOUNT_INIT. Antes del commit e63d2228ef83 (\u0027ublk: simplificar la anulaci\u00f3n de solicitud ublk\u0027), __ublk_fail_req() decrementar\u00eda el contador de referencias antes de completar la solicitud fallida. Sin embargo, ese commit optimiz\u00f3 __ublk_fail_req() para llamar directamente a __ublk_complete_rq() sin decrementar el contador de referencias de la solicitud.\nEl contador de referencias filtrado permite incorrectamente operaciones de copia de usuario y copia cero en la solicitud ublk completada. Tambi\u00e9n activa las advertencias WARN_ON_ONCE(refcount_read(\u0026amp;io-\u0026gt;ref)) en ublk_queue_reinit() y ublk_deinit_queue().\nEl commit c5c5eb24ed61 (\u0027ublk: evitar que se llame a ublk_io_release() despu\u00e9s de cerrar el dispositivo de caracteres ublk\u0027) ya solucion\u00f3 el problema para dispositivos ublk que utilizan UBLK_F_SUPPORT_ZERO_COPY o UBLK_F_AUTO_BUF_REG. Sin embargo, la fuga del contador de referencias tambi\u00e9n afecta a UBLK_F_USER_COPY, el otro modo de copia de datos con contador de referencias. Corregir la condici\u00f3n en ublk_check_and_reset_active_ref() para incluir todos los modos de copia de datos con contador de referencias. Esto asegura que cualquier solicitud ublk a\u00fan propiedad del servidor ublk cuando este sale tenga sus contadores de referencias restablecidos a 0."
    }
  ],
  "id": "CVE-2025-71070",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2026-01-13T16:16:06.413",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.