HIGH
rdma SubDevice Leak
CVE-2025-71157
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: always drop device refcount in ib_del_sub_device_and_put()

Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink")) grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error.
02 KernelScan AI Analysis
Risk summary
A reference count leak in the RDMA subsystem allows local attackers (including unprivileged users via user namespaces) to cause resource exhaustion. The vulnerability occurs when deleting RDMA sub-devices through netlink commands, potentially leading to system denial of service over time through accumulated leaked references.
Vulnerability analysis
The ib_del_sub_device_and_put() function was designed to always drop a device reference, but it had an error path that returned -EOPNOTSUPP without calling ib_device_put(). Since nldev_deldev() grabs a reference via ib_device_get_by_index() before calling this function, the reference is permanently leaked when the sub-device has no parent. The fix ensures ib_device_put(sub) is called in all code paths. On default kernels, this can be triggered by an unprivileged user who gains CAP_NET_ADMIN inside a user namespace. Systems without RDMA sub-devices or with user namespaces disabled are not affected.
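A userspace model of the leak described above, added here as an illustration; it is not the kernel source or the patch. `struct dev`, `dev_get()`, `dev_put()` and the `del_sub_and_put_*` / `leaked_refs` names are constructed stand-ins for the ib_device refcount, ib_device_get_by_index(), ib_device_put() and ib_del_sub_device_and_put().

```c
/* Userspace model of the refcount pattern; NOT kernel code. All names are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct dev {
    int refs;            /* stands in for the ib_device reference count */
    struct dev *parent;  /* NULL when the device is not a sub-device */
};

static struct dev *dev_get(struct dev *d) { d->refs++; return d; }
static void dev_put(struct dev *d) { d->refs--; }

/* Before the fix: the no-parent path returns without dropping the caller's reference. */
static int del_sub_and_put_before(struct dev *sub)
{
    if (!sub->parent)
        return -EOPNOTSUPP;   /* reference taken by the caller is leaked here */
    dev_put(sub);
    return 0;
}

/* After the fix: every return path drops the reference, as the "_and_put" name promises. */
static int del_sub_and_put_after(struct dev *sub)
{
    if (!sub->parent) {
        dev_put(sub);
        return -EOPNOTSUPP;
    }
    dev_put(sub);
    return 0;
}

/* Models the netlink handler: look the device up (take a reference), then hand
 * the reference to the delete helper. Returns references left over afterwards. */
static int leaked_refs(int (*del)(struct dev *), int requests)
{
    struct dev d = { .refs = 1, .parent = NULL };  /* 1 = registration reference */
    for (int i = 0; i < requests; i++)
        if (del(dev_get(&d)) != -EOPNOTSUPP)
            return -1;  /* a parentless device must always be rejected */
    return d.refs - 1;
}

int main(void)
{
    printf("before fix: %d leaked\n", leaked_refs(del_sub_and_put_before, 1000));
    printf("after fix:  %d leaked\n", leaked_refs(del_sub_and_put_after, 1000));
    return 0;
}
```

In the model, each rejected delete request on a parentless device leaves one extra reference behind before the fix and none after it.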
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.64 | 20436f2742a9 |
| 6.18 | 6.18.4 | fe8d45608042 |
| mainline | 6.19 | fa3c411d21eb |