Linux Kernel xprtrdma Early Exit Path re_receiving Decrement Vulnerability Causes Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's xprtrdma component. This issue arises when the rpcrdma_post_recvs() function fails to allocate memory for a work request or exits prematurely. In such cases, the re_receiving counter is not decremented, leading to a hang in the rpcrdma_xprt_drain() function. This hang prevents the completion of the operation, causing a task to be blocked for an extended period. On systems under high memory pressure, this can result in noticeable performance degradation, with tasks being reported as hung for over 120 seconds.

Impact

Exploitation of this vulnerability leads to a hung task condition, where the system's workqueue becomes blocked, causing delays in processing and potential performance issues.

Reproduction

To reproduce this vulnerability, induce a memory allocation failure in the rpcrdma_post_recvs() function while it is managing the re_receiving counter. This can be done by simulating high memory pressure conditions that prevent successful memory allocation. Once the function exits early without decrementing the re_receiving counter, rpcrdma_xprt_drain() hangs: the counter never reaches zero, so the completion is never triggered.
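The counter imbalance described above, as a user-space C model added here for illustration (not kernel source and not the upstream patch). The struct, the function names and the fail_alloc switch are hypothetical, and the model assumes, as the text describes, that drain can finish only once the counter is back at zero.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not kernel code. */
struct model_ep { atomic_int receiving; }; /* stands in for re_receiving */
typedef int (*post_fn)(struct model_ep *ep, bool fail_alloc);

/* "Before" shape: the allocation-failure return skips the decrement. */
int post_recvs_leaky(struct model_ep *ep, bool fail_alloc)
{
    atomic_fetch_add(&ep->receiving, 1);
    void *wr = fail_alloc ? NULL : malloc(16); /* simulated work request */
    if (!wr)
        return -1; /* early exit: counter stays elevated */
    free(wr); /* posting the receive is elided in this model */
    atomic_fetch_sub(&ep->receiving, 1);
    return 0;
}

/* Balanced shape: success and failure share one exit with one decrement. */
int post_recvs_balanced(struct model_ep *ep, bool fail_alloc)
{
    atomic_fetch_add(&ep->receiving, 1);
    void *wr = fail_alloc ? NULL : malloc(16);
    int rc = wr ? 0 : -1;
    free(wr); /* free(NULL) is a no-op */
    atomic_fetch_sub(&ep->receiving, 1);
    return rc;
}

/* Run n posts, failing every fail_every-th allocation (0 = never fail).
 * Returns the leftover count; non-zero means a drain waiting for zero hangs. */
int residual_count(post_fn post, int n, int fail_every)
{
    struct model_ep ep;
    atomic_init(&ep.receiving, 0);
    for (int i = 1; i <= n; i++)
        post(&ep, fail_every > 0 && i % fail_every == 0);
    return atomic_load(&ep.receiving);
}

int main(void)
{
    printf("leaky residual: %d\n", residual_count(post_recvs_leaky, 6, 2));
    printf("balanced residual: %d\n", residual_count(post_recvs_balanced, 6, 2));
    return 0;
}
```

When reviewing similar code, check that every return path after the increment passes through the matching decrement.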

Remediation

This vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: May 8, 2026, 7:03 PM
Updated: May 8, 2026, 7:03 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.