loop_rw_iter in fs/io_uring.c in the Linux kernel allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2007568]
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.