Replies: 3 comments
-
As I'm sure you know, this is all mostly centered around a) Google using an old kernel on Android, b) the older kernel had a design issue around async offload, and c) Google paying out money for exploits / security issues found there. It's no secret that the initial async offload design in io_uring was not great, which is why 5.10-stable and all later kernels changed the thread model for that to not use kthreads at all. Then they put out the announcement last year, and that's all most people know about it. My hope is that this reputation will go away eventually, as fewer issues are found in the code.
There are no inherent problems with io_uring since the above got sorted out, and we're obviously very careful with new features. That said, a performant async framework is very hard work, and particularly one with a user facing API. It was to be expected that issues would be found initially, it's just impossible to avoid. Perhaps if it had been written in Rust we would've been better off ;-).
We continually add more test cases and all new features are accompanied by both functional and stress tests on the liburing side. We're most certainly doing what we can to ensure the base is solid. We're running this in production at Meta, mostly storage for now, but networking is being heavily tested and will be rolled out in the very near future. We certainly think it's fine...
Fact is that security issues are found in the kernel every day, and io_uring isn't any less secure than anything else. One of the more recent issues that I saw got tagged as an io_uring issue (credential ref count overflows) isn't an io_uring issue, it's just that io_uring was the method used to trigger it. It's very much possible to hit without io_uring, and in fact methods for doing so were known, it just required more memory to do so.
-
As someone working on the enterprise distro support, I just want to add that io_uring interest is growing fast in the enterprise world, and we see more questions from customers regarding adopting it every day. We have people dedicated to io_uring at SUSE and surely the other distros also look at it with the same level of interest. I'd say the perception from the Google/Android world, although noisy, is far from dominant, and mostly based on the older implementation, as Jens pointed out. I didn't look at any data to back the claim, but I think the CVEs reported against io_uring have decreased in complexity and number in the past months, and the most complex issues were reported against stable/older kernels anyway.
-
I have had to deal with a handful of these people from different sectors as well. Since I am actively working on a project based on
-
I'm working on, from what I can tell, the most sophisticated open-source io_uring runtime and every time I try to shill it, developers will simply scoff at io_uring, saying, "isn't io_uring horribly insecure?"
While I'm aware of the CVEs filed in the past and their subsequent fixes, others aren't. And I'm finding it hard to change the reputation by myself.
How can I help people out when they tell me that io_uring is insecure?