Linux Kernel rxrpc Data Race Vulnerability in Connection Handling

Vulnerability

A data race vulnerability has been identified in the Linux kernel's rxrpc implementation, specifically within the function rxrpc_wait_to_be_connected(). The issue arises because the function checks the call's error state before verifying if the call has completed, potentially leading to unexpected behavior. This vulnerability affects the Linux kernel stable tree.
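The check order described above can be explored with a small model. This is an added example, not code from the Linux kernel or from the original advisory: it enumerates every interleaving of a two-step writer and a two-load reader. The struct, function names, error value, and the assumption that the failing side stores the error before publishing completion are all hypothetical.

```c
#include <stdio.h>

/* Simplified model of a call record; names are hypothetical, not kernel code. */
struct call_model { int error; int completed; };

/* WAIT: reader keeps waiting. CONSTRUCTED_ERR: constructed error value. */
enum { WAIT = 1, CONSTRUCTED_ERR = -5 };

/*
 * Replay one schedule of four slots. Bit i of sched set: slot i is a writer
 * step (store error, then publish completion; this order is an assumption).
 * Bit clear: slot i is a reader load, in the order chosen by error_first.
 */
static int run_schedule(unsigned sched, int error_first)
{
    struct call_model c = {0, 0};
    int w = 0, r = 0, seen_error = 0, seen_completed = 0;
    for (int slot = 0; slot < 4; slot++) {
        if (sched & (1u << slot)) {
            if (w++ == 0) c.error = CONSTRUCTED_ERR;
            else          c.completed = 1;
        } else {
            int load_error = (r++ == 0) ? error_first : !error_first;
            if (load_error) seen_error = c.error;
            else            seen_completed = c.completed;
        }
    }
    if (error_first) {          /* order described in the advisory */
        if (seen_error) return seen_error;
        return seen_completed ? 0 : WAIT;
    }
    return seen_completed ? seen_error : WAIT;  /* completion checked first */
}

/* Count schedules where the failed call is reported as success (0). */
static int missed_failures(int error_first)
{
    int missed = 0;
    for (unsigned s = 0; s < 16; s++) {
        int writers = (s & 1) + ((s >> 1) & 1) + ((s >> 2) & 1) + ((s >> 3) & 1);
        if (writers == 2 && run_schedule(s, error_first) == 0) missed++;
    }
    return missed;
}

int main(void)
{
    printf("error first: %d of 6 missed; completion first: %d of 6 missed\n",
           missed_failures(1), missed_failures(0));
    return 0;
}
```

The model is sequentially consistent; in real concurrent code the completion flag also needs release/acquire ordering for the completion-first result to hold.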

Impact

Exploitation of this vulnerability could lead to a data race condition, where two tasks concurrently access shared data, causing inconsistencies and unpredictable behavior in the application.

Reproduction

The vulnerability can be reproduced by invoking the rxrpc_wait_to_be_connected() function in a scenario where the call's error state is modified by one task while another task is reading the same state. This can be achieved by sending messages over an rxrpc socket with the sendmmsg system call (__sys_sendmmsg in the kernel), called in a loop to simulate concurrent access.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.

Added: Sep 17, 2025, 4:02 PM
Updated: Sep 17, 2025, 4:02 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.