Linux Kernel io_uring fget Leak Vulnerability in ocfs2 Filesystem

A vulnerability has been identified in the Linux kernel's io_uring implementation, specifically when handling filesystems that do not support non-wait buffered reads, such as ocfs2. This issue causes a file descriptor leak, which can lead to improper resource management. The vulnerability arises because io_uring incorrectly reassigns the file descriptor for asynchronous operations, allowing the original descriptor to be lost and not properly released.

Impact

The vulnerability causes a resource leak by failing to release file descriptors, which can lead to increased resource usage and potential exhaustion of file descriptor limits.

Reproduction

The vulnerability can be reproduced by mounting an ocfs2 filesystem and using the io_uring 'link-cp' command to copy a file within the mounted filesystem. After the operation, attempting to unmount the filesystem will fail, with the system reporting that the target is busy. This issue occurs because the 'fget' function leaks a file descriptor, as ocfs2 does not support the required buffered read operations. The problem was introduced in version 5.18 of the Linux kernel.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit that addresses this issue is available in the Linux kernel stable tree.