Linux Kernel io_uring Task Work Flags Manipulation Vulnerability During Ring Resizing

Vulnerability

A vulnerability in the Linux kernel's io_uring implementation can lead to improper task work flag management when the ring is being resized. This issue occurs if the DEFER_TASKRUN and SETUP_TASKRUN flags are used simultaneously: there is a brief window, while the context is swapped from the old rings to the new ones, in which the OR'ing of IORING_SQ_TASKRUN could be missed. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability could cause task work flags to be incorrectly set, potentially leading to missed or delayed task executions in applications using io_uring.

Reproduction

To reproduce this vulnerability, use the DEFER_TASKRUN and SETUP_TASKRUN flags while adding task work. During the ring resizing process, the OR'ing of IORING_SQ_TASKRUN may be missed, creating a race condition. This can be observed by monitoring the task work execution, which may be delayed or skipped entirely.

Remediation

The vulnerability has been addressed by adding a second rings pointer, rings_rcu, which is protected by RCU. This change ensures that task work flags can be manipulated safely, even during ring resizing. Users should update to the latest version of the Linux kernel where this fix has been applied.
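
A simplified, single-threaded model of the pattern described above, added here as an illustration and not the kernel's code: a reader count stands in for the RCU grace period, and every name other than rings_rcu and IORING_SQ_TASKRUN (the struct layouts, replay, resize, the flag value) is an assumption of the model. It replays one interleaving, in which the task-work adder picks up the rings pointer before a resize and sets the flag after it, with and without read-side protection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MODEL_SQ_TASKRUN 0x4u   /* stand-in for IORING_SQ_TASKRUN (model value) */

/* "freed" is only a marker in this model; no memory is actually released. */
struct rings { unsigned sq_flags; bool freed; };
struct ctx {
    struct rings *rings_rcu;    /* published rings pointer, named as in the fix */
    int readers;                /* open read-side sections (grace-period stand-in) */
    struct rings *retired;      /* old rings waiting for readers to drain */
    int stale_writes;           /* flag updates that hit torn-down rings */
};

static struct rings *read_begin(struct ctx *c) { c->readers++; return c->rings_rcu; }

static void read_end(struct ctx *c) {
    if (--c->readers == 0 && c->retired) {
        c->retired->freed = true;           /* last reader gone: safe to free */
        c->retired = NULL;
    }
}

static void mark_taskrun(struct ctx *c, struct rings *r) {
    if (r->freed) c->stale_writes++;        /* update lands on freed rings */
    else r->sq_flags |= MODEL_SQ_TASKRUN;
}

/* Resize: publish the new rings, then retire the old ones. */
static void resize(struct ctx *c, struct rings *new_rings, bool wait_for_readers) {
    struct rings *old = c->rings_rcu;
    new_rings->sq_flags = old->sq_flags;
    c->rings_rcu = new_rings;
    if (wait_for_readers && c->readers > 0) c->retired = old;  /* deferred free */
    else old->freed = true;                                    /* immediate free */
}

/* Replay: adder picks up the rings, resize runs, adder then sets the flag. */
static int replay(bool protected_path) {
    struct rings a = {0, false}, b = {0, false};
    struct ctx c = { &a, 0, NULL, 0 };
    struct rings *r = protected_path ? read_begin(&c) : c.rings_rcu;
    resize(&c, &b, protected_path);
    mark_taskrun(&c, r);
    if (protected_path) read_end(&c);
    return c.stale_writes;
}

int main(void) {
    printf("unprotected=%d protected=%d\n", replay(false), replay(true));
    return 0;
}
```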

Added: Mar 20, 2026, 9:19 AM
Updated: Mar 20, 2026, 9:19 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.