CVE-2025-37759
ublk: fix handling recovery & reissue in ublk_abort_queue()
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
ublk: fix handling recovery & reissue in ublk_abort_queue()
In the Linux kernel, the following vulnerability has been resolved: ublk: fix handling recovery & reissue in ublk_abort_queue() Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command. If it is one zc request, the request can be freed before io_uring returns the zc buffer back, then cause kernel panic: [ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8 [ 126.773657] #PF: supervisor read access in kernel mode [ 126.774052] #PF: error_code(0x0000) - not-present page [ 126.774455] PGD 0 P4D 0 [ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI [ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full) [ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 [ 126.776275] Workqueue: iou_exit io_ring_exit_work [ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv] Fixes it by always grabbing request reference for aborting the request.
Reserved 2025-04-16 | Published 2025-05-01 | Updated 2025-05-26 | Assigner Linuxgit.kernel.org/...c/caa5c8a2358604f38bf0a4afaa5eacda13763067
git.kernel.org/...c/5d34a30efac9c9c93e150130caa940c0df6053c1
git.kernel.org/...c/0a21d259ca4d6310fdfcc0284ebbc000e66cbf70
git.kernel.org/...c/6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f
Support options
