Will the kmod-oracleasm packages be shipped with RHEL 9?

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 9
  • Oracle Database
  • kmod-oracleasm

Issue

  • Will the kmod-oracleasm package be available for RHEL 9?
  • Will Oracle ASMLib be available for RHEL 9?

Resolution

Since the release of Oracle ASMLib V3, Red Hat no longer provides the kmod-oracleasm kernel drivers for Red Hat Enterprise Linux 9. These drivers are no longer needed as Oracle's ASMLib V3 implements a different I/O strategy.
Oracle now supports ASMLib V3 using only the library and userspace packages, with io_uring as the default I/O interface.

On RHEL 9, io_uring is currently a Technology Preview feature (as of RHEL 9.3).

Therefore, the only production-supported method for Oracle on RHEL 9 is using udev rules.

While io_uring is a new and effective asynchronous I/O interface, its internal complexity introduces security and stability challenges:

  • io_uring interacts with kernel memory structures, including pinned pages, shared memory, buffer pools, and file descriptor tables.
  • Mismanagement of reference counts, pointer dereferencing, or cross-CPU synchronization can lead to critical vulnerabilities such as:
    • Use-After-Free (UAF) issues,
    • double frees,
    • kernel memory corruption,
    • and information leaks.

There have been several high-profile CVEs against io_uring. Here are a few examples:

  • CVE-2023-2598: io_uring UAF vulnerability allowing local privilege escalation (LPE), on kernel 6.1 and earlier.
  • CVE-2023-2002: io_uring UAF race in file reference management, on kernel 6.3 and earlier.
  • CVE-2023-32233: io_uring information leak and possible code execution via buffer registration, on kernel 6.1 and earlier.

Some Linux distributions and container runtimes mitigate this risk by restricting or disabling io_uring for untrusted workloads. Examples:

  • Certain container runtimes (e.g., Docker, Kata Containers) restrict io_uring features.
  • Google's kernel container fuzzing platform (kCTF) specifically targets io_uring due to its high vulnerability density.
  • Enterprise distros (including RHEL and Ubuntu LTS) have backported fixes, but may gate certain features behind capabilities.
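
Whether a given account can create io_uring instances on a host can be checked from the kernel's own gate. The script below is an added example, not Red Hat's or Oracle's code; it assumes the kernel exposes the kernel.io_uring_disabled and kernel.io_uring_group sysctls with their upstream semantics, and the account name "oracle" is a placeholder.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Assumes kernel.io_uring_disabled and
# kernel.io_uring_group exist with the upstream sysctl semantics.
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/kernel}"  # overridable for offline testing

# io_uring_gate DISABLED GROUP_GID PRIVILEGED(yes|no) [GID...]
# Prints allowed / denied / unknown for one account:
#   0 = any process may create rings
#   1 = only CAP_SYS_ADMIN holders or members of io_uring_group (-1 = no group)
#   2 = creation refused for every process, privileged or not
io_uring_gate() {
    disabled="$1"; group="$2"; privileged="$3"
    shift 3
    case "$disabled" in
        0) echo allowed; return 0 ;;
        2) echo denied; return 0 ;;
        1) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$privileged" = yes ]; then echo allowed; return 0; fi
    if [ "$group" != "-1" ]; then
        for gid in "$@"; do
            if [ "$gid" = "$group" ]; then echo allowed; return 0; fi
        done
    fi
    echo denied
}

# check_user USER: apply the gate to a local account using the live sysctls.
check_user() {
    user="$1"
    if [ ! -r "$SYSCTL_DIR/io_uring_disabled" ]; then
        echo no-sysctl   # kernel has no gate (older kernel or io_uring not built)
        return 0
    fi
    state=$(cat "$SYSCTL_DIR/io_uring_disabled")
    grp=$(cat "$SYSCTL_DIR/io_uring_group" 2>/dev/null || echo -1)
    priv=no
    # Approximation: uid 0 stands in for CAP_SYS_ADMIN; capabilities granted
    # some other way (file caps, ambient caps) are not inspected here.
    if [ "$(id -u "$user" 2>/dev/null)" = 0 ]; then priv=yes; fi
    # shellcheck disable=SC2046  # word splitting of the gid list is intended
    io_uring_gate "$state" "$grp" "$priv" $(id -G "$user" 2>/dev/null)
}

# Run as: sh check_io_uring.sh oracle   ("oracle" is a placeholder account name)
if [ "$#" -gt 0 ]; then check_user "$1"; fi
```

A result of "no-sysctl" means the running kernel offers no switch to restrict io_uring, so exposure has to be controlled another way, for example with a seccomp filter.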

Because io_uring exposes high-performance I/O operations to unprivileged user space, it has become an attractive target for attackers seeking local privilege escalation (LPE): any flaw in its interface could potentially allow a regular user process to escalate privileges and compromise the kernel.

Once Red Hat fully supports io_uring on RHEL 9+, customers will be able to leverage it for Oracle.
Red Hat does not yet have a timeline for the full support of io_uring on RHEL 9.

Root Cause

io_uring offers powerful, high-performance I/O capabilities that make it very appealing for modern workloads. However, its complexity significantly increases the kernel’s attack surface, which has led to multiple security vulnerabilities over time. Although kernel developers continue to improve its security and stability, issues can still occur. As a result, io_uring remains under close scrutiny by security researchers and exploit developers alike. Once Red Hat provides full support for io_uring, customers can confidently use it for Oracle workloads on RHEL 9 and future versions.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.