Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*:* (and 4 more CPE entries)
A vulnerability in the Linux kernel's io_uring implementation affects the recycling of legacy provided buffers. There is a window between the moment a request takes a buffer from a provided-buffer group and the moment that buffer is recycled. During that window the group's buffer list, if it has become empty, can be reused and upgraded to a ring-provided buffer list. The window is widest when the request is not completed inline but handed off to the io-wq workqueue. The legacy recycling path did not re-check that the buffer list it looked up by buffer group id still existed and was still of the legacy type, so it could hand the buffer back to a list that had meanwhile become a buffer ring.
Triggering this condition pushes a legacy buffer onto a list that is no longer a legacy list, leaving the io_uring buffer-group state inconsistent and opening the door to memory management problems in the kernel.
The condition can be reproduced by submitting io_uring requests that consume a legacy provided buffer and forcing them onto the io-wq workqueue, so that they complete asynchronously. While such a request is in flight, the buffer group is drained until its list is empty and a buffer ring is registered on the same buffer group id (io_uring_register with IORING_REGISTER_PBUF_RING), which upgrades the empty legacy list to a ring type. When the deferred request completes, its legacy recycle path runs against the upgraded list.
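The race described in the two paragraphs above, as an added user-space model that is not code from the kernel or from this page. The structure names, fields, function names and constructed buffer values are simplified stand-ins (assumptions); the one behaviour taken from the kernel is that registering a buffer ring over a group id is refused with EEXIST while a ring is already mapped or legacy buffers remain, but an empty legacy list is reused and becomes a ring. The checked recycle is an illustrative fix of the kind the description calls for, not the upstream patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an io_uring provided-buffer group (io_buffer_list).
 * Names and fields are assumptions for this example, not kernel definitions. */
enum bl_kind { BL_LEGACY = 0, BL_RING = 1 };

struct pbuf { uint64_t addr; uint32_t len; uint16_t bid; };

#define MAX_LEGACY 8

struct buffer_list {
    uint16_t bgid;
    enum bl_kind kind;
    struct pbuf legacy[MAX_LEGACY];   /* BL_LEGACY: kernel-owned stack of buffers */
    size_t nlegacy;
    size_t ring_entries;              /* BL_RING: user-mapped ring, no kernel list */
};

struct request { uint16_t bgid; struct pbuf kbuf; bool has_kbuf; };

/* IORING_OP_PROVIDE_BUFFERS: push one buffer onto a legacy list. */
static int provide_buffer(struct buffer_list *bl, uint64_t addr, uint32_t len, uint16_t bid)
{
    if (bl->kind != BL_LEGACY || bl->nlegacy == MAX_LEGACY) return -EINVAL;
    bl->legacy[bl->nlegacy++] = (struct pbuf){ addr, len, bid };
    return 0;
}

/* Request issue: take a buffer off the legacy list; the list may now be empty. */
static bool select_legacy_buffer(struct buffer_list *bl, struct request *req)
{
    if (bl->kind != BL_LEGACY || bl->nlegacy == 0) return false;
    req->kbuf = bl->legacy[--bl->nlegacy];
    req->has_kbuf = true;
    req->bgid = bl->bgid;
    return true;
}

/* IORING_REGISTER_PBUF_RING on an existing bgid: refused while a ring is
 * mapped or legacy buffers remain; an empty legacy list is reused as a ring.
 * This is the "upgrade" the description refers to. */
static int register_pbuf_ring(struct buffer_list *bl, size_t entries)
{
    if (bl->kind == BL_RING || bl->nlegacy != 0) return -EEXIST;
    bl->kind = BL_RING;
    bl->ring_entries = entries;
    return 0;
}

/* Unchecked legacy recycle: the buffer goes back onto whatever list the bgid
 * now resolves to, even if that list has become a ring. */
static void recycle_legacy_unchecked(struct buffer_list *bl, struct request *req)
{
    if (!req->has_kbuf) return;
    bl->legacy[bl->nlegacy++] = req->kbuf;
    req->has_kbuf = false;
}

/* Checked recycle: re-add only if the list still exists and is still legacy;
 * otherwise drop the reference instead of corrupting the list (illustrative). */
static void recycle_legacy_checked(struct buffer_list *bl, struct request *req)
{
    if (!req->has_kbuf) return;
    if (bl && bl->kind == BL_LEGACY && bl->nlegacy < MAX_LEGACY)
        bl->legacy[bl->nlegacy++] = req->kbuf;
    req->has_kbuf = false;
}

/* Invariant: a ring-type list never carries legacy entries. */
static bool list_invariant_ok(const struct buffer_list *bl)
{
    return bl->kind == BL_LEGACY || bl->nlegacy == 0;
}

/* The sequence from the description: select -> punt to io-wq -> list drained
 * and upgraded to a ring while in flight -> legacy recycle on completion.
 * Returns whether the list invariant survives. */
bool run_race(bool checked)
{
    struct buffer_list bl = { .bgid = 7, .kind = BL_LEGACY };
    struct request req = { 0 };

    provide_buffer(&bl, 0x7f0000001000ULL, 4096, 0);  /* constructed values */
    select_legacy_buffer(&bl, &req);                   /* list is now empty */
    if (register_pbuf_ring(&bl, 16) != 0) return false; /* user space, while punted */
    if (checked) recycle_legacy_checked(&bl, &req);    /* io-wq completes request */
    else         recycle_legacy_unchecked(&bl, &req);
    return list_invariant_ok(&bl);
}

/* Precondition: if the group is not drained, the ring registration is refused. */
int race_precondition_rc(void)
{
    struct buffer_list bl = { .bgid = 7, .kind = BL_LEGACY };
    struct request req = { 0 };
    provide_buffer(&bl, 0x7f0000001000ULL, 4096, 0);
    provide_buffer(&bl, 0x7f0000002000ULL, 4096, 1);
    select_legacy_buffer(&bl, &req);            /* one buffer still on the list */
    return register_pbuf_ring(&bl, 16);         /* -EEXIST */
}

int main(void)
{
    printf("unchecked recycle keeps invariant: %s\n", run_race(false) ? "yes" : "no");
    printf("checked recycle keeps invariant:   %s\n", run_race(true) ? "yes" : "no");
    printf("ring registration over non-empty legacy group: rc=%d\n", race_precondition_rc());
    return 0;
}
```

The model makes the two preconditions visible: the group must be empty at the time of registration (otherwise the kernel refuses with EEXIST), and the request must still hold its buffer when the recycle runs, which is why deferring the request to io-wq widens the window.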
Users should upgrade to a Linux kernel release that includes the fix for this issue, or to a distribution kernel into which the fix has been backported.