CVE-2025-37759

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ublk: fix handling recovery &amp; reissue in ublk_abort_queue()<br /> <br /> Commit 8284066946e6 ("ublk: grab request reference when the request is handled<br /> by userspace") doesn&amp;#39;t grab request reference in case of recovery reissue.<br /> Then the request can be requeued &amp; re-dispatch &amp; failed when canceling<br /> uring command.<br /> <br /> If it is one zc request, the request can be freed before io_uring<br /> returns the zc buffer back, then cause kernel panic:<br /> <br /> [ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8<br /> [ 126.773657] #PF: supervisor read access in kernel mode<br /> [ 126.774052] #PF: error_code(0x0000) - not-present page<br /> [ 126.774455] PGD 0 P4D 0<br /> [ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI<br /> [ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full)<br /> [ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014<br /> [ 126.776275] Workqueue: iou_exit io_ring_exit_work<br /> [ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]<br /> <br /> Fixes it by always grabbing request reference for aborting the request.