As reported by sam on #gentoo-kernel:
The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable
kernel buffer free.
Most files implement the file op function read_iter. However, if they don't
(such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to
manually perform the iterative read/write of a file. The pointer
in req->rw.addr is incremented by the size of the read/write after each
segment. In normal cases, req->rw.addr contains a pointer to a userspace
buffer to read/write from. However, a user can use the
IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations.
If this is the case, req->rw.addr contains a pointer to a kernel buffer
(io_buffer structure). This buffer is later freed in io_put_kbuf after the
read/write request completes.
This gives the ability to free adjacent buffers at a controllable offset.
It is accessible to unprivileged users, and straightforward to exploit for
local privilege escalation. I plan to share the specifics for exploitation
in the future.
Not certain this is a real bug; the commit of the 'Fixes' tag is in the same releases as the fix.