Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free in the Linux kernel's io-wq component, the worker pool that runs io_uring requests. When a hashed work item that is the current tail of its hash bucket is removed from the pending-work list, io_wq_remove_pending() checks only that the predecessor's hash value matches before moving the bucket's hash_tail entry to that predecessor; it does not check that the predecessor is hashed at all. A non-hashed work item carries no hash bits, so its hash reads as 0, and for bucket 0 a non-hashed predecessor therefore passes the check and its pointer is stored in hash_tail. Once that predecessor completes and is freed, the entry is a dangling pointer that persists for the lifetime of the task and is used the next time a hashed work item for that bucket is queued.
The result is a use-after-free: the stale hash_tail entry is never cleared when the work item it references is freed, so the next hashed enqueue into that bucket links the new item after the freed object, writing a list pointer into memory that may since have been reallocated and corrupting whatever now occupies it.
The condition can be reproduced by queueing a hashed work item whose hash falls in bucket 0, so that it becomes the bucket's tail, while a non-hashed work item sits immediately before it in the pending-work list. When the hashed item is cancelled, io_wq_remove_pending() compares the predecessor's hash, which is 0 for a non-hashed item, with the cancelled item's hash, also 0, treats the predecessor as hashed and stores its pointer in hash_tail[0]. Nothing clears that entry when the non-hashed item later runs and is freed, leaving a dangling pointer that persists for the lifetime of the task.
The fix adds a check in io_wq_remove_pending() that the predecessor is itself hashed (the existing io_wq_is_hashed() test) before letting it inherit the hash_tail slot; when the predecessor is not hashed the slot is cleared instead. Users should update to a kernel release that carries this fix.
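The bucket-0 trigger and the patched check, as an added example that is not the kernel's code and not part of this advisory: a small C model of the pending-work list with the pre-fix and post-fix versions of the predecessor check side by side. `insert_work`, `remove_pending`, `run_scenario`, the `freed` flag and the `writes_to_freed` counter are this model's own names; the `fixed` parameter switches in the additional is-hashed check that the patch adds. A released item is simulated by a flag so that the stale store is counted rather than actually corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of io-wq's pending-work list and hash_tail bookkeeping, not the kernel's
 * code. Flag encoding follows io-wq: IO_WQ_WORK_HASHED plus the bucket above IO_WQ_HASH_SHIFT. */
#define IO_WQ_HASH_SHIFT  24
#define IO_WQ_WORK_HASHED (1u << 1)
#define NR_BUCKETS        4

struct work_node { struct work_node *next; };
struct work {
    struct work_node list;
    unsigned int flags;
    int id;
    bool freed;                          /* model only: item completed and was released */
};
struct wq {
    struct work_node *first, *last;      /* singly linked pending-work list */
    struct work *hash_tail[NR_BUCKETS];  /* last queued hashed item per bucket */
    int writes_to_freed;                 /* model only: stores made through a stale tail */
};
#define node_to_work(n) ((struct work *)((char *)(n) - offsetof(struct work, list)))
static bool work_is_hashed(const struct work *w) { return w->flags & IO_WQ_WORK_HASHED; }
/* Mirrors io_get_work_hash(): a non-hashed item has no hash bits, so it reports bucket 0 */
static unsigned int work_hash(const struct work *w) { return w->flags >> IO_WQ_HASH_SHIFT; }
static void work_set_hashed(struct work *w, unsigned int bucket) {
    w->flags |= IO_WQ_WORK_HASHED | (bucket << IO_WQ_HASH_SHIFT);
}
static void list_append(struct wq *wq, struct work_node *n) {
    n->next = NULL;
    if (wq->first) wq->last->next = n; else wq->first = n;
    wq->last = n;
}

/* Mirrors io_wq_insert_work(): a hashed item is linked right after its bucket's tail */
static void insert_work(struct wq *wq, struct work *w) {
    struct work *tail;
    if (!work_is_hashed(w)) { list_append(wq, &w->list); return; }
    tail = wq->hash_tail[work_hash(w)];
    wq->hash_tail[work_hash(w)] = w;
    if (!tail) { list_append(wq, &w->list); return; }
    if (tail->freed) wq->writes_to_freed++;  /* the kernel would scribble on freed memory here */
    w->list.next = tail->list.next;
    tail->list.next = &w->list;
    if (!w->list.next) wq->last = &w->list;
}

static struct work_node *find_prev(struct wq *wq, struct work_node *n) {
    struct work_node *p = wq->first == n ? NULL : wq->first;
    while (p && p->next != n) p = p->next;
    return p;
}

/* Mirrors io_wq_remove_pending(); `fixed` selects the patched predecessor check */
static void remove_pending(struct wq *wq, struct work *w, bool fixed) {
    struct work_node *prev = find_prev(wq, &w->list);
    struct work *prev_work = prev ? node_to_work(prev) : NULL;
    unsigned int hash = work_hash(w);
    if (work_is_hashed(w) && wq->hash_tail[hash] == w) {
        /* Bug: in bucket 0 a non-hashed predecessor also reports hash 0 and inherits the slot */
        bool inherit = prev_work && work_hash(prev_work) == hash;    /* original check */
        if (fixed) inherit = inherit && work_is_hashed(prev_work);   /* added by the fix */
        wq->hash_tail[hash] = inherit ? prev_work : NULL;
    }
    if (prev) prev->next = w->list.next; else wq->first = w->list.next;  /* wq_list_del */
    if (wq->last == &w->list) wq->last = prev;
}

/* tail_id_after_cancel: id left in hash_tail[0] after the cancel (-1 if cleared); writes_to_freed:
 * stores through a stale tail on the next enqueue; new_work_reachable: later item on the live list */
struct outcome { int tail_id_after_cancel, writes_to_freed; bool new_work_reachable; };

static struct outcome run_scenario(bool fixed) {
    struct wq wq = {0};
    struct work plain = { .id = 1 }, hashed = { .id = 2 }, later = { .id = 3 };
    struct outcome out = {0};
    work_set_hashed(&hashed, 0);             /* bucket 0 is the problematic one */
    work_set_hashed(&later, 0);
    insert_work(&wq, &plain);                /* non-hashed predecessor */
    insert_work(&wq, &hashed);               /* hashed item becomes hash_tail[0] */
    remove_pending(&wq, &hashed, fixed);     /* cancel the hashed item */
    out.tail_id_after_cancel = wq.hash_tail[0] ? wq.hash_tail[0]->id : -1;
    remove_pending(&wq, &plain, fixed);      /* predecessor runs to completion... */
    plain.freed = true;                      /* ...and its memory is released */
    insert_work(&wq, &later);                /* next hashed item for bucket 0 */
    out.writes_to_freed = wq.writes_to_freed;
    for (struct work_node *n = wq.first; n; n = n->next)
        if (n == &later.list) out.new_work_reachable = true;
    return out;
}

int main(void) {
    struct outcome v = run_scenario(false), f = run_scenario(true);
    printf("vulnerable: hash_tail[0]=%d stale_writes=%d later_queued=%d\n",
           v.tail_id_after_cancel, v.writes_to_freed, v.new_work_reachable);
    printf("fixed:      hash_tail[0]=%d stale_writes=%d later_queued=%d\n",
           f.tail_id_after_cancel, f.writes_to_freed, f.new_work_reachable);
    return 0;
}
```

Compiled and run, the vulnerable path leaves hash_tail[0] pointing at work 1 (the non-hashed predecessor) after the cancel, performs one store into the released item when work 3 is queued, and never links work 3 onto the live list; the fixed path clears the slot and queues work 3 normally. In the real kernel the counted store lands in freed slab memory, which is the corruption the advisory describes.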