How to handle people dismissing io_uring as insecure?

Jul 21, 2025 - 06:45

As I'm sure you know, this is all mostly centered around a) Google using an old kernel on Android, b) the older kernel had a design issue around async offload, and c) Google paying out money for exploits / security issues found there. It's not secret that the initial async offload design in io_uring was not great, which is why 5.10-stable and all later kernels changed the thread model for that to not use kthreads at all. Then they put out the announcement last year, and that's all most people know about it.

My hope is that this reputation will go away eventually, as fewer issues are found in the code. There are no inherent problems with io_uring since the above got sorted out, and we're obviously very careful with new features. That said, a performant async framework is very hard work, and particularly one with a user-facing API. It was to be expected that issues would be found initially, it's just impossible to avoid. Perhaps if it had been written in Rust we would've been better off ;-). We continually add more test cases and all new features are accompanied by both functional and stress tests on the liburing side. We're most certainly doing what we can to ensure the base is solid.

We're running this in production at Meta, mostly storage for now, but networking is being heavily tested and will be rolled out in the very near future. We certainly think it's fine... Fact is that security issues are found in the kernel every day, and io_uring isn't any less secure than anything else. One of the more recent issues that I saw got tagged as an io_uring issue (credential ref count overflows) isn't an io_uring issue, it's just that io_uring was the method used to trigger it. It's very much possible to hit without io_uring, and in fact methods for doing so were known, it just required more memory to do so.
