Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's Reliable Datagram Sockets (RDS) implementation has been addressed. This issue arises from improper handling of connection states, particularly the 'RDS_CONN_ERROR' state. When a connection enters this state, it is expected to follow a shutdown process. However, recent changes to the RDS over TCP multipath handling introduced a shortcut that bypasses this requirement, allowing connections to improperly transition back to an active state. This can lead to a situation where the connection management code encounters an unexpected state, causing it to erroneously drop the connection and leave certain shutdown processes uncompleted, potentially leading to resource leaks.
Exploitation of this vulnerability can disrupt normal connection management processes, causing connections to be improperly closed while leaving associated shutdown tasks pending. This can lead to resource leaks and degraded performance in applications relying on RDS over TCP.
To reproduce this issue, establish an RDS connection that encounters an error, causing it to enter the 'RDS_CONN_ERROR' state. Then, trigger the RDS over TCP multipath handling, which will incorrectly shortcut the connection back to 'RDS_CONN_CONNECTING', bypassing the necessary shutdown process. After this, the connection will transition to 'RDS_CONN_RESETTING', but the shutdown process will not be properly managed, leading to the connection being dropped with a 'DR_INV_CONN_STATE' error. This sequence of state transitions can be monitored and verified through the connection management logs.
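The state sequence described above can be checked mechanically once per-connection state changes have been collected. The following is an added example, not kernel code and not part of the original advisory: the `struct ev` record layout, `scan()` and the sample trace are assumptions made for illustration, and the state names not mentioned on this page (`RDS_CONN_UP`, `RDS_CONN_DISCONNECTING`, `RDS_CONN_DOWN`) are taken from the kernel's `net/rds/rds.h`, with entry into `RDS_CONN_DISCONNECTING` used as the marker for the shutdown process.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CONNS 16
#define IS(s, name) (strcmp((s), (name)) == 0)

/* One observed state change; this record layout is assumed for the example. */
struct ev { int conn; const char *state; };
struct finding { int conn, shortcut_idx, resetting_idx; };  /* -1 = not seen */
/* Find the first connection that leaves RDS_CONN_ERROR for anything other
 * than the shutdown path (modelled here as RDS_CONN_DISCONNECTING), then
 * note whether it reaches RDS_CONN_RESETTING before a shutdown starts. */
struct finding scan(const struct ev *evs, size_t n)
{
    struct finding f = { -1, -1, -1 };
    const char *prev[MAX_CONNS] = { 0 };      /* last state per connection */
    for (size_t i = 0; i < n; i++) {
        int c = evs[i].conn;
        const char *s = evs[i].state;
        if (c < 0 || c >= MAX_CONNS) continue;   /* id outside the table */
        if (f.shortcut_idx < 0) {
            if (prev[c] && IS(prev[c], "RDS_CONN_ERROR") &&
                !IS(s, "RDS_CONN_DISCONNECTING") && !IS(s, "RDS_CONN_ERROR")) {
                f.conn = c;
                f.shortcut_idx = (int)i;
            }
        } else if (c == f.conn && f.resetting_idx < 0) {
            if (IS(s, "RDS_CONN_DISCONNECTING"))
                break;                        /* shutdown ran after all */
            if (IS(s, "RDS_CONN_RESETTING"))
                f.resetting_idx = (int)i;
        }
        prev[c] = s;
    }
    return f;
}

/* Constructed trace: conn 1 takes the shortcut, conn 2 shuts down properly. */
static const struct ev sample[] = {
    {1, "RDS_CONN_UP"},            {2, "RDS_CONN_UP"},
    {1, "RDS_CONN_ERROR"},         {2, "RDS_CONN_ERROR"},
    {2, "RDS_CONN_DISCONNECTING"}, {1, "RDS_CONN_CONNECTING"},
    {2, "RDS_CONN_DOWN"},          {1, "RDS_CONN_RESETTING"},
};

int main(void)
{
    struct finding f = scan(sample, sizeof sample / sizeof sample[0]);
    return printf("conn=%d shortcut@%d resetting@%d\n",
                  f.conn, f.shortcut_idx, f.resetting_idx) < 0;
}
```

A finding with both indices set corresponds to the full sequence the advisory describes; a shortcut index alone means the connection left the error state without a shutdown but has not yet been reset.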
The vulnerability has been fixed in the Linux kernel stable releases. Users should upgrade to the latest version of the Linux kernel to apply this fix.