CVE-2022-49207

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix memleak in skpsockqueue_msg

If tcpbpfsendmsg is running during a tear down operation we may enqueue data on the ingress msg queue while tear down is trying to free it.

sk1 (redirect sk2) sk2 ------------------- --------------- tcpbpfsendmsg() tcpbpfsendverdict() tcpbpfsendmsgredir() bpftcpingress() sockmapclose() locksock() locksock() ... blocking skpsockstop skpsockclearstate(psock, SKPSOCKTXENABLED); releasesock(sk); locksock() skmemcharge() getpage() skpsockqueuemsg() skpsockteststate(psock, SKPSOCKTXENABLED); dropskmsg() release_sock()

While dropskmsg(), the msg has charged memory form sk by skmemcharge and has sg pages need to put. To fix we use skmsgfree() and then kfee() msg.

This issue can cause the following info: WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 skstreamkillqueues+0xc8/0xe0 Call Trace: <IRQ> inetcskdestroysock+0x55/0x110 tcprcvstateprocess+0xe5f/0xe90 ? skfiltertrimcap+0x10d/0x230 ? tcpv4dorcv+0x161/0x250 tcpv4dorcv+0x161/0x250 tcpv4rcv+0xc3a/0xce0 ipprotocoldeliverrcu+0x3d/0x230 iplocaldeliverfinish+0x54/0x60 iplocaldeliver+0xfd/0x110 ? ipprotocoldeliverrcu+0x230/0x230 iprcv+0xd6/0x100 ? iplocaldeliver+0x110/0x110 _netifreceiveskbonecore+0x85/0xa0 processbacklog+0xa4/0x160 _napipoll+0x29/0x1b0 netrxaction+0x287/0x300 _dosoftirq+0xff/0x2fc do_softirq+0x79/0x90 </IRQ>

WARNING: CPU: 0 PID: 531 at net/ipv4/afinet.c:154 inetsockdestruct+0x175/0x1b0 Call Trace: <TASK> _skdestruct+0x24/0x1f0 skpsockdestroy+0x19b/0x1c0 processonework+0x1b3/0x3c0 ? processonework+0x3c0/0x3c0 workerthread+0x30/0x350 ? processonework+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthreadcompleteandexit+0x20/0x20 retfrom_fork+0x22/0x30 </TASK>