Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A circular locking dependency vulnerability has been identified in the Linux kernel's RDS (Reliable Datagram Sockets) TCP tuning function. The issue arises because `sk_net_refcnt_upgrade()` is called while the socket lock is held, which can lead to a deadlock. The problem was reported by syzbot, which detected a worker thread trying to acquire the file-system reclaim lock while the IPv6 socket lock was already held. This creates a circular dependency: the memory allocation performed by `sk_net_refcnt_upgrade()` can trigger memory reclaim, which conflicts with the held socket lock. The vulnerability affects the Linux kernel stable group.
Exploitation of this vulnerability can lead to a deadlock situation, where two or more processes are unable to proceed because each is waiting for the other to release a lock, potentially causing system hangs or degraded performance.
The vulnerability can be reproduced by invoking the RDS TCP tuning function on a socket while the socket lock is held: locking an IPv6 socket and then calling `rds_tcp_tune()` triggers the circular locking dependency.
The vulnerability has been addressed by modifying the `rds_tcp_tune()` function to call `sk_net_refcnt_upgrade()` before acquiring the socket lock. This change prevents the circular dependency by ensuring that the memory allocation can be performed without holding a lock that could interfere with the file system reclamation process.
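As an added illustration (not kernel code and not part of the fix), the following user-space C model replays the two acquisition orders through a minimal lockdep-style dependency graph. The lock-class names follow lockdep's naming, the reclaim-side chain (fs_reclaim taken before the socket lock) is constructed, and the `run_*` functions are stand-ins for `rds_tcp_tune()` before and after the fix.

```c
#include <stdio.h>
#include <string.h>
/* The two lock classes in the report: the IPv6 socket lock and lockdep's
 * fs_reclaim pseudo-lock, which every GFP_KERNEL allocation "acquires". */
enum { SK_LOCK_AF_INET6, FS_RECLAIM, NLOCKS };
static const char *lock_name[NLOCKS] = { "sk_lock-AF_INET6", "fs_reclaim" };
static int dep[NLOCKS][NLOCKS]; /* dep[a][b]: lock b was taken while a was held (edge a -> b) */
/* DFS over recorded edges; edges are only added after this check passes, so the graph stays acyclic. */
static int reachable(int from, int to)
{
    if (from == to) return 1;
    for (int n = 0; n < NLOCKS; n++)
        if (dep[from][n] && reachable(n, to)) return 1;
    return 0;
}
/* lockdep-style check: taking 'lock' while 'held' is held (-1 = nothing held)
 * records held -> lock, unless 'lock' already reaches 'held': that is a cycle. */
static int lockdep_acquire(int held, int lock)
{
    if (held < 0) return 0;
    if (reachable(lock, held)) {
        printf("possible circular locking dependency: %s <-> %s\n", lock_name[held], lock_name[lock]);
        return 1;
    }
    dep[held][lock] = 1;
    return 0;
}
/* Reset the graph and record the constructed reclaim-side chain the report implies: fs_reclaim -> socket lock. */
static void reset_with_reclaim_chain(void)
{
    memset(dep, 0, sizeof dep);
    lockdep_acquire(-1, FS_RECLAIM);
    lockdep_acquire(FS_RECLAIM, SK_LOCK_AF_INET6);
}
/* Before the fix: sk_net_refcnt_upgrade() allocates under lock_sock(); returns 1 (cycle). */
int run_before_fix(void)
{
    reset_with_reclaim_chain();
    lockdep_acquire(-1, SK_LOCK_AF_INET6);                /* lock_sock(sk) */
    return lockdep_acquire(SK_LOCK_AF_INET6, FS_RECLAIM); /* allocation under the lock */
}
/* After the fix: the allocation runs first, so no socket-lock -> fs_reclaim edge; returns 0. */
int run_after_fix(void)
{
    reset_with_reclaim_chain();
    int hit = lockdep_acquire(-1, FS_RECLAIM); /* sk_net_refcnt_upgrade() first */
    lockdep_acquire(-1, SK_LOCK_AF_INET6);     /* then lock_sock(sk) */
    return hit;
}
```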