Linux Kernel RDS Zero-Copy Send Cleanup Vulnerability

Vulnerability

A vulnerability in the Linux kernel's RDS (Reliable Datagram Sockets) implementation can lead to improper handling of zero-copy send operations. This issue arises because a zero-copy send can fail after user pages have been pinned, but before the message is queued on the sending socket. The current cleanup process mistakenly assumes that unqueued messages follow the same rules as normal payload messages, leading to potential inconsistencies. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause early send failures in zero-copy operations to be mishandled, potentially leading to memory management issues by not properly accounting for pinned pages.

Reproduction

To reproduce this vulnerability, cause a zero-copy send on an RDS socket to fail after its user pages have been pinned but before the message is queued on the sending socket. The improper cleanup occurs when the purge path infers the message's zero-copy state from its socket association: an unqueued message has no such association, so it is cleaned up as if it carried normal payload pages.
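The accounting mistake described in the Vulnerability and Reproduction sections, modelled as an added example in C; this is a constructed illustration of the bug class, not the kernel's RDS code, and every struct and function name here (rds_msg_model, purge_buggy, purge_fixed, pin_for_zcopy) is hypothetical:

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the bug class: names and structures are
 * constructed for illustration and are not the Linux kernel's RDS code. */

struct rds_sock_model { int id; };

struct rds_msg_model {
    struct rds_sock_model *sk;  /* set only once the message is queued */
    int pinned_pages;           /* user pages pinned for zero-copy */
    bool zcopy;                 /* set when pages are pinned, independent of queueing */
};

/* Stand-in for the kernel's pinned-page accounting. */
static int pinned_page_count;

/* Pin pages for a zero-copy send; this happens before queueing. */
static void pin_for_zcopy(struct rds_msg_model *m, int npages) {
    m->pinned_pages = npages;
    m->zcopy = true;
    pinned_page_count += npages;
}

static void unpin(struct rds_msg_model *m) {
    pinned_page_count -= m->pinned_pages;
    m->pinned_pages = 0;
}

/* Buggy purge: infers zero-copy state from socket association, so an
 * unqueued (sk == NULL) zero-copy message is treated as normal payload
 * and its pinned pages are never released. */
static void purge_buggy(struct rds_msg_model *m) {
    if (m->sk != NULL && m->pinned_pages > 0)
        unpin(m);
}

/* Fixed purge: decides from the per-message flag set at pin time. */
static void purge_fixed(struct rds_msg_model *m) {
    if (m->zcopy && m->pinned_pages > 0)
        unpin(m);
}

/* Simulate an early send failure: pin, fail before queueing, purge.
 * Returns the number of pages still pinned afterwards (0 means clean). */
static int simulate_early_failure(void (*purge)(struct rds_msg_model *)) {
    struct rds_msg_model m = { .sk = NULL, .pinned_pages = 0, .zcopy = false };
    pinned_page_count = 0;
    pin_for_zcopy(&m, 4);
    /* the send fails here, before m.sk is ever set */
    purge(&m);
    return pinned_page_count;
}
```

With the buggy purge the four pinned pages leak; with the fixed purge the count returns to zero.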

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: May 21, 2026, 1:41 PM
Updated: May 21, 2026, 1:41 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 9.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.