CVE-2022-50676

Vulnerability

Overview

In CVE-2022-50676, the Linux kernel's RDS (Reliable Datagram Sockets) TCP implementation contains a lock ordering issue in rds_tcp_reset_callbacks(). The function holds the socket lock (lock_sock()) while calling cancel_delayed_work_sync(), but rds_send_xmit()—which is invoked by the work being cancelled—also tries to acquire the same socket lock [1]. This creates a potential deadlock, as reported by syzbot via a lockdep warning [2].

Exploitation and

Attack Surface

To trigger the issue, an attacker would need to cause a TCP reset on an RDS connection, leading to rds_tcp_reset_callbacks() being called. While no authentication is required beyond being able to interact with an RDS socket, the bug is primarily a locking mistake rather than a direct remote exploit. The resulting lockdep warning indicates a risk of system deadlock or hang if the race condition occurs [3].

Impact

If the deadlock is realized, the kernel can become unresponsive, leading to a denial-of-service condition on the affected system. The vulnerability does not directly allow code execution or privilege escalation, but a locked kernel can compromise system availability [4].

Mitigation

The fix, incorporated into mainline and stable kernels, removes the lock_sock() protection from the cancel_delayed_work_sync() call, because re-queued work will be a no-op when the connection is not up. Users should update their kernels to a version containing the patch from the referenced stable commits [1][2][3][4].