CVE-2025-71070
Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: clean up user copy references on ublk server exit

If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 (ublk: simplify aborting ublk request), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count.

The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue().

Commit c5c5eb24ed61 (ublk: avoid ublk_io_release() called after ublk char dev is closed) already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0.
Risk Information
Associated Vulnerability
No records found
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234