{"id":"CVE-2025-71070","summary":"ublk: clean up user copy references on ublk server exit","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nublk: clean up user copy references on ublk server exit\n\nIf a ublk server process releases a ublk char device file, any requests\ndispatched to the ublk server but not yet completed will retain a ref\nvalue of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 (\"ublk: simplify\naborting ublk request\"), __ublk_fail_req() would decrement the reference\ncount before completing the failed request. However, that commit\noptimized __ublk_fail_req() to call __ublk_complete_rq() directly\nwithout decrementing the request reference count.\nThe leaked reference count incorrectly allows user copy and zero copy\noperations on the completed ublk request. It also triggers the\nWARN_ON_ONCE(refcount_read(&io-\u003eref)) warnings in ublk_queue_reinit()\nand ublk_deinit_queue().\nCommit c5c5eb24ed61 (\"ublk: avoid ublk_io_release() called after ublk\nchar dev is closed\") already fixed the issue for ublk devices using\nUBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference\ncount leak also affects UBLK_F_USER_COPY, the other reference-counted\ndata copy mode. Fix the condition in ublk_check_and_reset_active_ref()\nto include all reference-counted data copy modes. This ensures that any\nublk requests still owned by the ublk server when it exits have their\nreference counts reset to 0.","modified":"2026-03-20T12:46:33.315605Z","published":"2026-01-13T15:31:24.709Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71070.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71070.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71070"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e63d2228ef831af36f963b3ab8604160cfff84c1"},{"fixed":"13456b4f1033d911f8bf3a0a1195656f293ba0f6"},{"fixed":"daa24603d9f0808929514ee62ced30052ca7221c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"e537193fc4a43b48ac51cc6366319e15e32dd540"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71070.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.15.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71070.json"}}],"schema_version":"1.7.5"}