In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix link timeout refs
WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcountwarnsaturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcountwarnsaturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: _refcountsubandtest include/linux/refcount.h:283 [inline] _refcountdecandtest include/linux/refcount.h:315 [inline] refcountdecandtest include/linux/refcount.h:333 [inline] ioputreq fs/iouring.c:2140 [inline] ioqueuelinkedtimeout fs/iouring.c:6300 [inline] _ioqueuesqe+0xbef/0xec0 fs/iouring.c:6354 iosubmitsqe fs/iouring.c:6534 [inline] iosubmitsqes+0x2bbd/0x7c50 fs/iouring.c:6660 _dosysiouringenter fs/iouring.c:9240 [inline] _sesysiouringenter+0x256/0x1d60 fs/iouring.c:9182
iolinktimeoutfn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first ioreqcomplete() puts one and then ioputreqdeferred() is called.