KernelScan.io

HIGH

io_uring Buffer Ring UAF

CVE-2024-0582

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, calls mmap() on it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.


Engine v0.2.0

Risk summary

A local user can cause memory leaks by repeatedly registering and freeing io_uring buffer rings, potentially leading to system resource exhaustion and denial of service. In some scenarios, the use-after-free condition might be exploitable for privilege escalation, though this would require precise timing and memory layout manipulation.

Affected: io_uring/kbuf.c

Vulnerability analysis

Root Cause: When a user registers a buffer ring with IORING_REGISTER_PBUF_RING and the IOU_PBUF_RING_MMAP flag, the kernel allocates memory and uses remap_pfn_range() to map it into userspace. However, the original code incorrectly relied on the normal munmap/release mechanisms to free this memory. Since remap_pfn_range() does not provide automatic cleanup on munmap, the allocated pages were not properly freed when the buffer ring was released, causing a memory leak. Additionally, the buffer ring pointer could still be accessed after the memory was supposed to have been freed.

Attack Surface: This vulnerability affects local users who can create io_uring instances and register buffer rings. The attack requires the ability to call io_uring system calls, specifically IORING_REGISTER_PBUF_RING with the IOU_PBUF_RING_MMAP flag. No special privileges beyond basic process creation are required, making it accessible to unprivileged local users.

Fix Mechanism: The patch introduces a deferred cleanup mechanism by: (1) adding an io_buf_list hash list to the io_ring_ctx structure to track allocated buffer rings, (2) creating io_buf_free entries that store pointers to the allocated memory when buffer rings are created, (3) adding an io_kbuf_mmap_list_free() function that properly frees all tracked memory during context cleanup, and (4) removing the immediate folio_put() call and deferring cleanup until after the file descriptor is released.


Branch      Fixed in    Patch commit
mainline    6.7         c392cbecd8ec