CVE-2025-71070
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
13/01/2026
Last modified:
13/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: clean up user copy references on ublk server exit

If a ublk server process releases a ublk char device file, any requests
dispatched to the ublk server but not yet completed will retain a ref
value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify
aborting ublk request"), __ublk_fail_req() would decrement the reference
count before completing the failed request. However, that commit
optimized __ublk_fail_req() to call __ublk_complete_rq() directly
without decrementing the request reference count.

The leaked reference count incorrectly allows user copy and zero copy
operations on the completed ublk request. It also triggers the
WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit()
and ublk_deinit_queue().

Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk
char dev is closed") already fixed the issue for ublk devices using
UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference
count leak also affects UBLK_F_USER_COPY, the other reference-counted
data copy mode. Fix the condition in ublk_check_and_reset_active_ref()
to include all reference-counted data copy modes. This ensures that any
ublk requests still owned by the ublk server when it exits have their
reference counts reset to 0.
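
The description names one observable symptom: WARN_ON_ONCE warnings in ublk_queue_reinit() and ublk_deinit_queue(). The following is an added example, not part of the advisory or the kernel patch, that scans kernel log text for those warnings; it assumes the usual kernel WARN header layouts, and the sample log (timestamps, PIDs, offsets, source line numbers) is constructed.

```python
import re

# Functions the description names as hosting the WARN_ON_ONCE on io->ref.
WARN_FUNCS = ("ublk_queue_reinit", "ublk_deinit_queue")

# Key on "WARNING:" plus symbol+offset only, so both WARN header layouts
# (CPU/PID first, or file:line first) match, while plain stack-frame lines
# that merely mention the symbol do not.
WARN_RE = re.compile(
    r"WARNING:.*\b(?P<func>" + "|".join(WARN_FUNCS) + r")\+0x[0-9a-f]+/0x[0-9a-f]+"
)


def find_ublk_ref_warnings(lines):
    """Return (line_number, function) for each WARN header raised in one of
    the ublk queue teardown/reinit functions."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = WARN_RE.search(line)
        if m:
            hits.append((n, m.group("func")))
    return hits


# Constructed sample log: every number and offset below is made up.
SAMPLE_LOG = """\
[  812.104] ------------[ cut here ]------------
[  812.104] WARNING: CPU: 2 PID: 4471 at drivers/block/ublk_drv.c:1234 ublk_queue_reinit+0x5c/0x90 [ublk_drv]
[  812.105] Call Trace:
[  950.771] WARNING: drivers/block/ublk_drv.c:2345 at ublk_deinit_queue+0x88/0x110 [ublk_drv], CPU#1: kworker/1:2/88
[  951.002] WARNING: CPU: 0 PID: 9 at kernel/sched/core.c:100 some_other_func+0x10/0x20
[  951.300]  ublk_deinit_queue+0x20/0x110 [ublk_drv]
""".splitlines()

if __name__ == "__main__":
    for lineno, func in find_ublk_ref_warnings(SAMPLE_LOG):
        print(f"line {lineno}: WARN in {func}() - possible leaked ublk request reference")
```

Because WARN_ON_ONCE reports only the first hit at each call site, a clean log after an earlier hit does not show that no further references were leaked.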



