CVE-2025-21655: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period (21-01-2025)

Preface: Is io_uring secure? io_uring has produced many security problems. Google has found it necessary to either completely forego io_uring or severely limit its use to trusted code.

Background: io_uring is an asynchronous I/O interface for the Linux kernel. An io_uring is a pair of ring buffers in shared memory that are used as queues between user space and the kernel: the submission queue (SQ), which a user space process uses to send asynchronous I/O requests to the kernel, and the completion queue (CQ), which the kernel uses to post the results of those requests back to user space.

eventfd(2) is a Linux-specific synchronization mechanism. io_uring is capable of posting events on an eventfd instance whenever completions occur.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn’t correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period.
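The lifetime point above (a free issued from inside an RCU callback must itself wait for another grace period) is easiest to see in a small model. The following is an added, constructed user-space C model, not kernel code and not taken from the CVE or the io_uring tree: a stub call_rcu() queues callbacks until the next grace period ends, and the two do_signal variants contrast the open-coded dec-and-test-and-free with the io_eventfd_put()-style deferred free. All names are assumed stand-ins for the kernel symbols in the advisory.

```c
/* Constructed user-space model of the CVE-2025-21655 pattern; names mirror
 * the kernel's io_ev_fd/io_eventfd_put(), but nothing here is kernel code. */
struct ev_fd { int refs; int freed_at; };      /* freed_at: grace period of release */
typedef void (*rcu_cb)(struct ev_fd *);
struct rcu_work { rcu_cb cb; struct ev_fd *p; };
static struct rcu_work pending[8];
static int npending;
static int grace_periods;                      /* completed grace periods so far */

/* Stand-in for call_rcu(): the callback runs only after the NEXT grace period. */
static void call_rcu_model(struct ev_fd *p, rcu_cb cb)
{
    pending[npending].cb = cb; pending[npending++].p = p;
}

/* End one grace period, then run only the callbacks queued before it began. */
static void rcu_grace_period(void)
{
    struct rcu_work batch[8];
    int n = npending;
    for (int i = 0; i < n; i++) batch[i] = pending[i];
    npending = 0;
    grace_periods++;
    for (int i = 0; i < n; i++) batch[i].cb(batch[i].p);
}

static void eventfd_free(struct ev_fd *ev) { ev->freed_at = grace_periods; }
/* Like io_eventfd_put(): on the last reference, defer the free via RCU so
 * readers still inside rcu_read_lock() holding this pointer can finish. */
static void eventfd_put(struct ev_fd *ev) { if (--ev->refs == 0) call_rcu_model(ev, eventfd_free); }

/* Vulnerable shape of io_eventfd_do_signal(): open-coded dec-and-test and
 * free, inside an RCU callback, with no further grace period. */
static void do_signal_vulnerable(struct ev_fd *ev) { if (--ev->refs == 0) eventfd_free(ev); }

/* Fixed shape: route through the put() helper, which defers the free. */
static void do_signal_fixed(struct ev_fd *ev) { eventfd_put(ev); }

/* Grace periods between the signal callback running (end of period 1) and
 * the free: 0 means the object was freed inside that same RCU callback. */
static int grace_periods_before_free(int fixed)
{
    struct ev_fd ev = { .refs = 1, .freed_at = -1 };
    npending = 0;
    grace_periods = 0;
    call_rcu_model(&ev, fixed ? do_signal_fixed : do_signal_vulnerable);
    while (npending && grace_periods < 8)
        rcu_grace_period();
    return ev.freed_at - 1;
}
```

Running grace_periods_before_free(0) yields 0 (freed in the same callback, the defect), while grace_periods_before_free(1) yields 1 (one extra grace period, the patched behaviour).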

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-21655
