Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's io_uring polling mechanism. When a socket send and shutdown() occur back-to-back, both trigger wake-ups before the receiver's task_work can run. The first wake-up gains poll ownership, and the second increments the reference count. During event checking, a recv call reads data and returns a retry signal, but the loop then drains all accumulated references and exits prematurely, even though only the first event was processed. Because shutdown is a persistent state change, no further wake-ups occur, causing the multishot recv to potentially hang indefinitely.

The fix involves specifically checking for the HUP (hang-up) event in the poll loop and ensuring an additional loop runs if multiple poll activations are pending. This prevents losing the shutdown event and avoids the hanging condition.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can cause the multishot recv operation in the Linux kernel to hang indefinitely when a socket send and shutdown happen in quick succession. This hanging can lead to stalled network communication or resource blocking in applications relying on io_uring for socket polling, potentially degrading system performance or causing application-level timeouts.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by fixing the io_uring poll mechanism in the Linux kernel to properly handle multishot recv wakeups and shutdown events.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

Useful 0 Not Useful 0