CVE-2023-54041

The vulnerability resides in the Linux kernel's io_uring subsystem, specifically in the code path that removes provided buffers. When buffers are removed, the io_buffer structures that manage them are not properly disposed of, leading to a memory leak. These structures are allocated in page-sized groups, so they cannot be freed individually; they need to be returned to a free list such as io_buffers_cache.

The leak occurs because the callers that remove buffers do not always add the freed buffer groups to the appropriate free list. The fix involves ensuring that all callers, particularly during buffer destruction, properly add the freed memory to the cache. The destruction path previously did not hold the necessary lock (uring_lock), so the patch extends the lock coverage to safely update the free list.

An attacker with local access and the ability to trigger repeated buffer removals could exploit this leak to exhaust system memory, potentially leading to a denial-of-service condition. No other privileges beyond standard user access to io_uring are required.

The issue is fixed in the Linux kernel with commits [1] and [2], which have been backported to stable releases. Users should update their kernel to the latest patched version to mitigate the vulnerability.