A flaw found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.
It is known how to trigger this, which causes an OOB access, and a lock corruption.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2173441]
This was fixed for Fedora with the 6.1.12 stable kernel updates.