In the Linux kernel, the following vulnerability has been resolved:
io_uring/af_unix: defer registered files gc to io_uring release
Instead of putting io_urings registered files in unix_gc() we want it to be done by io_uring itself. The trick here is to consider io_uring registered files for cycle detection but not actually putting them down. Because io_uring cant register other ring instances, this will remove all refs to the ring file triggering the ->release path and clean up with io_ring_ctx_free().
[axboe: add kerneldoc comment to skb, fold in skb leak fix]