CVE-2025-38730
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/09/2025
Last modified: 05/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: commit partial buffers on retry

Ring provided buffers are potentially only valid within the single
execution context in which they were acquired. io_uring deals with this
and invalidates them on retry. But on the networking side, if
MSG_WAITALL is set, or if the socket is of the streaming type and too
little was processed, then it will hang on to the buffer rather than
recycle or commit it. This is problematic for two reasons:

1) If someone unregisters the provided buffer ring before a later retry,
then the req->buf_list will no longer be valid.

2) If multiple sockets are using the same buffer group, then multiple
receives can consume the same memory. This can cause data corruption
in the application, as either receive could land in the same
userspace buffer.

Fix this by disallowing partial retries from pinning a provided buffer
across multiple executions, if ring provided buffers are used.
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/21a4ddb0f5e933f372808c10b9ac704505751bb1
- https://git.kernel.org/stable/c/2eb7937b5fc7fcd90eab7bebb0181214b61b9283
- https://git.kernel.org/stable/c/3b53dc1c641f2884d4750fc25aaf6c36b90db606
- https://git.kernel.org/stable/c/41b70df5b38bc80967d2e0ed55cc3c3896bba781
- https://git.kernel.org/stable/c/fe9da1812f8697a38f7e30991d568ec199e16059