Linux Kernel io_uring Work Queue Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's io_uring component, specifically within the work queue management. This issue arises when large read operations are queued from certain /dev/msr* files, which do not support the expected read iteration method. As a result, the reads are handled in a way that significantly delays processing, causing tasks to become unresponsive for over 140 seconds. This prolonged blockage interferes with the normal operation of the io-wq exit process, leading to complaints about hung tasks. The vulnerability has been addressed by modifying the work handling loop to check for exit conditions, allowing the system to cancel pending operations more efficiently and prevent such delays.

Impact

Exploitation of this vulnerability can cause a significant delay in the handling of work queue tasks, leading to unresponsive system behavior and potential disruptions in processes that rely on timely task completion.

Reproduction

The vulnerability can be reproduced by queuing large read requests (approximately 2GB each) from /dev/msr* files into the io_uring work queue. Since these files do not support the standard read iteration, the requests are processed in a way that each read takes about 20 seconds to complete. When enough of these reads are queued, the total processing time exceeds 140 seconds, causing the task to be flagged as blocked and interrupting the normal io-wq exit procedure.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.
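The change described under Vulnerability, a work handling loop that checks for exit conditions and cancels what is still pending, can be seen in a small user-space model. This is an added example, not kernel code and not the patch itself: every name in it is hypothetical, the 20-second and 140-second figures are the ones quoted above, and it assumes a read that has already started runs to completion.

```c
/* User-space model of a work-queue worker loop; not kernel code.
 * Every name here is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define READ_SECONDS 20   /* per-read cost given in the advisory */
#define HUNG_SECONDS 140  /* blocked time the advisory reports as flagged */
#define MAX_ITEMS    16

struct work_item { int result; };   /* 0 = completed, -ECANCELED = cancelled */

/* Drain `n` queued reads while an exit is requested at `exit_at` seconds.
 * Returns how long the exiting task waits for the worker to finish. */
static int drain(struct work_item *q, int n, int exit_at, bool check_exit)
{
    int now = 0;
    for (int i = 0; i < n; i++) {
        /* Patched behaviour: look at the exit condition before each item. */
        if (check_exit && now >= exit_at) {
            for (; i < n; i++)
                q[i].result = -ECANCELED;   /* cancel instead of running */
            break;
        }
        now += READ_SECONDS;  /* assumption: a started read runs to the end */
        q[i].result = 0;
    }
    return now > exit_at ? now - exit_at : 0;
}

static int count_cancelled(const struct work_item *q, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        c += (q[i].result == -ECANCELED);
    return c;
}

int main(void)
{
    struct work_item q[MAX_ITEMS];
    for (int patched = 0; patched <= 1; patched++) {
        /* Constructed input: 8 queued reads, exit requested at t = 5 s. */
        int wait = drain(q, 8, 5, patched);
        printf("%s: exit waits %ds, %d cancelled, hung=%s\n",
               patched ? "patched" : "unpatched", wait,
               count_cancelled(q, 8), wait > HUNG_SECONDS ? "yes" : "no");
    }
    return 0;
}
```

With the constructed input, the loop without the check keeps the exiting task waiting past the 140-second mark, while the loop with the check waits only for the read already in flight and cancels the rest.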

Added: Feb 14, 2026, 3:27 PM
Updated: Feb 14, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.