CVE-2025-37759
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-37759
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37759.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-37759
- Downstream
- Published
- 2025-05-01T13:15:54Z
- Modified
- 2025-08-09T20:01:26Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ublk: fix handling recovery & reissue in ublkabortqueue()
Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command.
If it is one zc request, the request can be freed before io_uring returns the zc buffer back, then cause kernel panic:
[ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8 [ 126.773657] #PF: supervisor read access in kernel mode [ 126.774052] #PF: errorcode(0x0000) - not-present page [ 126.774455] PGD 0 P4D 0 [ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI [ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0blk+ #182 PREEMPT(full) [ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 [ 126.776275] Workqueue: iouexit ioringexitwork [ 126.776651] RIP: 0010:ublkiorelease+0x14/0x130 [ublk_drv]
Fixes it by always grabbing request reference for aborting the request.
- References