Linux Kernel io_uring Wait Handling Vulnerability on Exit

A vulnerability in the Linux kernel's io_uring implementation can lead to hung task detection issues. When the io_uring ring exits, the cleanup process, including canceling requests and waiting for completions, is handled by a worker thread that does not process signals. This can cause the cleanup to wait longer than necessary, especially if the task has been paused with a signal stop. As a result, the hung task detection mechanism can be triggered, which is problematic if the system is configured to panic under such circumstances.

Impact

This vulnerability can cause the hung task detection mechanism to trigger, potentially leading to a system panic if panic-on-hung-task is enabled.

Reproduction

The vulnerability can be reproduced by creating a scenario where an io_uring ring is exited while the owning task is paused (e.g., using SIGSTOP). This will cause the cleanup process to wait for the task to become runnable again, potentially triggering the hung task detection.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed.