Linux Kernel io_uring Poll Multishot Receive Race Condition Vulnerability

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's io_uring implementation, specifically within the polling mechanism for multishot receive operations. This issue arises when a socket's send and shutdown actions occur in quick succession, causing two wake-up signals to be sent before the receiving task can process the first one. As a result, the polling mechanism can incorrectly handle the event, leading to a situation where the receive operation hangs indefinitely, unable to complete. The vulnerability is present in the Linux kernel stable tree.

Impact

The vulnerability can cause multishot receive operations to hang indefinitely, disrupting normal socket communication and potentially leading to application-level timeouts or failures.

Reproduction

To reproduce this vulnerability, initiate a socket send operation followed immediately by a shutdown of the socket. This sequence will trigger two wake-up events before the receiving task can process the first, causing the polling mechanism to lose track of the shutdown event. As a result, the multishot receive operation will hang indefinitely, waiting for an event that will never arrive.
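The lost wake-up described above can be followed step by step in a small user-space model, added here as an illustration; it is not kernel code and not the upstream patch. The `pending` wake-up counter, the struct and function names, and the `consume_one` switch are assumptions of the model.

```c
/* Simplified user-space model of the race; NOT kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model {
    size_t queued;   /* bytes waiting in the socket receive queue */
    bool   shut;     /* peer has shut down; EOF follows the queued data */
    int    pending;  /* wake-ups raised but not yet processed (assumed) */
    size_t bytes;    /* bytes delivered to the application */
    bool   saw_eof;  /* EOF completion delivered to the application */
};

/* Sender side: each action changes socket state and raises one wake-up. */
static void do_send(struct model *m, size_t n) { m->queued += n; m->pending++; }
static void do_shutdown(struct model *m)       { m->shut = true; m->pending++; }

/* One receive attempt: >0 = bytes read, 0 = EOF, -1 = nothing ready. */
static long recv_once(struct model *m)
{
    if (m->queued) { long n = (long)m->queued; m->queued = 0; return n; }
    return m->shut ? 0 : -1;
}

/* Receiver task: it only gets to run after both wake-ups were raised. */
static void process_wakeups(struct model *m, bool consume_one)
{
    while (m->pending > 0) {
        int seen = m->pending;
        long r = recv_once(m);
        if (r > 0) m->bytes += (size_t)r;
        else if (r == 0) m->saw_eof = true;
        /* Flawed: drop every wake-up seen. Corrected (model): one per event. */
        m->pending -= consume_one ? 1 : seen;
    }
}

/* true: application sees data then EOF; false: it would wait forever. */
bool receiver_sees_eof(bool consume_one)
{
    struct model m = {0};
    do_send(&m, 5);
    do_shutdown(&m);  /* back-to-back: the receiver has not run yet */
    process_wakeups(&m, consume_one);
    return m.bytes == 5 && m.saw_eof;
}

int main(void)
{
    printf("flawed=%d corrected=%d\n", receiver_sees_eof(false), receiver_sees_eof(true));
    return 0;
}
```

In the flawed path the single receive returns the data, both wake-ups are discarded, and because shutdown raises no further wake-up the end-of-stream is never delivered.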

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.

Added: Apr 3, 2026, 4:43 PM
Updated: Apr 3, 2026, 4:43 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.