Linux Kernel io_uring POLL_REMOVE Opcode Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's io_uring implementation has been addressed. The issue arose when the io_uring core was modified to manage completions more consistently and with accurate return codes. This change inadvertently disrupted the POLL_REMOVE opcode when used to update events of a pending POLL_ADD request. If the update caused the POLL_ADD to trigger, the corresponding completion was lost, and a Completion Queue Event (CQE) was not posted. Furthermore, the update process sometimes incorrectly overwrote completion values, leading to potential inconsistencies.

Impact

The vulnerability could result in lost completions for io_uring poll requests, causing applications to miss important event notifications.

Reproduction

To reproduce this issue, initiate a POLL_ADD request and then use POLL_REMOVE to update the request's events. If the update causes the POLL_ADD to trigger, the completion will be lost, and a CQE will not be posted. This can be tested by monitoring the completion queue for missing events after such an update.
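The steps above as a regression check, added here as an example (it is not code from the kernel tree or from the advisory). It assumes a little-endian Linux host with the kernel's linux/io_uring.h header; the function name, the pipe used as the polled file and the user_data values 1 and 2 are constructed for the example.

```c
#include <linux/io_uring.h>
#include <poll.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#define U32(base, off) ((volatile unsigned *)((char *)(base) + (off)))
/* 1 = CQE for the POLL_ADD was posted with an event mask, 0 = it was lost,
 * -1 = the check could not run here (io_uring blocked, update op rejected). */
int poll_update_posts_cqe(void) {
    struct io_uring_params p = {0};
    int pfd[2], result = -1;
    int ring = (int)syscall(__NR_io_uring_setup, 4, &p);
    if (ring < 0) return -1;
    if (!(p.features & IORING_FEAT_SINGLE_MMAP) || pipe(pfd) < 0) { close(ring); return -1; }
    size_t sq_sz = p.sq_off.array + p.sq_entries * sizeof(unsigned);
    size_t cq_sz = p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe);
    size_t rg_sz = sq_sz > cq_sz ? sq_sz : cq_sz, sqe_sz = p.sq_entries * sizeof(struct io_uring_sqe);
    void *rg = mmap(NULL, rg_sz, PROT_READ | PROT_WRITE, MAP_SHARED, ring, IORING_OFF_SQ_RING);
    struct io_uring_sqe *sqe = mmap(NULL, sqe_sz, PROT_READ | PROT_WRITE, MAP_SHARED, ring, IORING_OFF_SQES);
    if (rg != MAP_FAILED && sqe != MAP_FAILED && write(pfd[1], "x", 1) == 1) {
        memset(sqe, 0, 2 * sizeof(*sqe));
        sqe[0].opcode = IORING_OP_POLL_ADD;     /* read end never reports POLLOUT: stays pending */
        sqe[0].fd = pfd[0];
        sqe[0].poll32_events = POLLOUT;
        sqe[0].user_data = 1;
        sqe[1].opcode = IORING_OP_POLL_REMOVE;  /* update to POLLIN: data is waiting, so it triggers */
        sqe[1].fd = -1;
        sqe[1].addr = 1;                        /* user_data of the pending POLL_ADD */
        sqe[1].len = IORING_POLL_UPDATE_EVENTS;
        sqe[1].poll32_events = POLLIN;
        sqe[1].user_data = 2;
        U32(rg, p.sq_off.array)[0] = 0; U32(rg, p.sq_off.array)[1] = 1;
        __atomic_store_n(U32(rg, p.sq_off.tail), 2, __ATOMIC_RELEASE);
        syscall(__NR_io_uring_enter, ring, 2, 0, IORING_ENTER_GETEVENTS, NULL, 0);
        syscall(__NR_io_uring_enter, ring, 0, 0, IORING_ENTER_GETEVENTS, NULL, 0); /* run task work */
        struct io_uring_cqe *cq = (struct io_uring_cqe *)((char *)rg + p.cq_off.cqes);
        unsigned tail = __atomic_load_n(U32(rg, p.cq_off.tail), __ATOMIC_ACQUIRE);
        int poll_seen = 0, update_ok = 0;
        for (unsigned i = 0; i < tail && i < p.cq_entries; i++) {  /* head starts at 0, no wrap */
            if (cq[i].user_data == 1 && cq[i].res > 0) poll_seen = 1;
            if (cq[i].user_data == 2 && cq[i].res == 0) update_ok = 1;
        }
        if (update_ok) result = poll_seen;      /* update not accepted: leave result at -1 */
    }
    if (rg != MAP_FAILED) munmap(rg, rg_sz);
    if (sqe != MAP_FAILED) munmap(sqe, sqe_sz);
    close(pfd[0]); close(pfd[1]); close(ring);
    return result;
}
```

The check never blocks waiting for the missing CQE; it counts what is in the completion queue after submission, so a return of 0 means the update succeeded but the POLL_ADD completion was not posted.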

Remediation

Users can upgrade to the latest version of the Linux kernel where this issue has been fixed. The specific commit addressing this vulnerability is available in the Linux kernel stable tree.

Added: Jan 23, 2026, 4:07 PM
Updated: Jan 23, 2026, 4:07 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.3
exploitability: 4.3
remediation: 7.7
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.