As reported by sam on #gentoo-kernel:

```
The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable kernel buffer free.

Most files implement the file op function read_iter. However, if they don't (such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to manually perform the iterative read/write of a file. The pointer in req->rw.addr is incremented by the size of the read/write after each segment.

In normal cases, req->rw.addr contains a pointer to a userspace buffer to read/write from. However, a user can use the IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations. If this is the case, req->rw.addr contains a pointer to a kernel buffer (io_buffer structure). This buffer is later freed in io_put_kbuf after the read/write request completes. This gives the ability to free adjacent buffers at a controllable offset.

It is accessible from unprivileged users, and straightforward to exploit for local privilege escalation. I plan to share the specifics for exploitation in the future.
```
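A defensive stopgap for bugs reachable through io_uring like the one sam describes, added here as an example and not part of the report or of any Gentoo or kernel code: a seccomp-BPF filter that makes the three io_uring syscalls fail with EPERM for the calling process and its children, so unpatched hosts can fence off the entry point until the kernel is updated. It assumes Linux on x86_64 or aarch64; the helper names `deny_io_uring` and `io_uring_setup_blocked` are my own.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "example only covers x86_64 and aarch64"
#endif

/* If the syscall number equals nr, return -EPERM to the caller; else skip. */
#define DENY_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Make io_uring_setup/enter/register fail with EPERM for this process and
 * everything it spawns. Returns 0 on success, -errno on failure. */
int deny_io_uring(void)
{
    struct sock_filter filter[] = {
        /* Kill if run under a foreign ABI, where syscall numbers differ. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        DENY_SYSCALL(__NR_io_uring_setup),
        DENY_SYSCALL(__NR_io_uring_enter),
        DENY_SYSCALL(__NR_io_uring_register),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* no_new_privs lets an unprivileged process install a filter safely. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Probe: returns 1 when io_uring_setup is refused with EPERM. */
int io_uring_setup_blocked(void)
{
    errno = 0;
    return syscall(__NR_io_uring_setup, 1, NULL) == -1 && errno == EPERM;
}
```

The filter is inherited across fork and execve, so installing it in a service's launcher covers the whole process tree; it does nothing for processes that already hold an io_uring instance.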
Not certain this is a real bug; the commit in the 'Fixes' tag is in the same releases as the fix.