In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix request_sock leak in sk lookup helpers
A customer reported a request_socket leak in a Calico cloud environment. We found that a BPF program was doing a socket lookup, which takes a refcnt on the socket, and that it was finding the request_socket but returning the parent LISTEN socket via sk_to_full_sk() without first decrementing the refcnt on the child request socket, resulting in a request_sock slab object leak. This patch retains the existing behaviour of returning full socks to the caller, but it also decrements the child request_socket's refcnt, if one is present, before doing so to prevent the leak.
Thanks to Curtis Taylor for all the help in diagnosing and testing this. And thanks to Antoine Tenart for the reproducer and patch input.
v2 of this patch contains a refactor, as per Daniel Borkmann's suggestions, to validate RCU flags on the listen socket so that it balances with bpf_sk_release(), and updates the comments as per Martin KaFai Lau's suggestion. One small change to Daniel's suggestion: put "sk = sk2" under "if (sk2 != sk)" to avoid an extra instruction.
[
    {
        "id": "CVE-2022-49697-06a4fabe",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "216407118971983460415108275410487147752",
                "30791680322251510702126669382947537975",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198",
                "218878913712525323370458831554114307088",
                "77699833788626035036825314859999067442",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ffe2e50e9678c8373027492035f094b130437f1",
        "target": {
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-12241926",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "216407118971983460415108275410487147752",
                "30791680322251510702126669382947537975",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198",
                "218878913712525323370458831554114307088",
                "77699833788626035036825314859999067442",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3046a827316c0e55fc563b4fb78c93b9ca5c7c37",
        "target": {
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-12a6fb74",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 308.0,
            "function_hash": "58234445629484196640527416502323253397"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@516760f1d2979903eaad5b437256913c5cd98416",
        "target": {
            "function": "bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-1a6386a5",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 308.0,
            "function_hash": "58234445629484196640527416502323253397"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ffe2e50e9678c8373027492035f094b130437f1",
        "target": {
            "function": "bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-5f94f809",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 354.0,
            "function_hash": "191433098567398937197409700715951240022"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3046a827316c0e55fc563b4fb78c93b9ca5c7c37",
        "target": {
            "function": "__bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-6005dbd3",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "216407118971983460415108275410487147752",
                "30791680322251510702126669382947537975",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198",
                "218878913712525323370458831554114307088",
                "77699833788626035036825314859999067442",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd",
        "target": {
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-af1fd88d",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 354.0,
            "function_hash": "191433098567398937197409700715951240022"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b03607437ea81b850599f705096b05b85e7a4a71",
        "target": {
            "function": "__bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-b2246804",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "216407118971983460415108275410487147752",
                "30791680322251510702126669382947537975",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198",
                "218878913712525323370458831554114307088",
                "77699833788626035036825314859999067442",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@516760f1d2979903eaad5b437256913c5cd98416",
        "target": {
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-c0226494",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 308.0,
            "function_hash": "58234445629484196640527416502323253397"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd",
        "target": {
            "function": "bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-c24ef9b9",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 354.0,
            "function_hash": "191433098567398937197409700715951240022"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ffe2e50e9678c8373027492035f094b130437f1",
        "target": {
            "function": "__bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-c8a47dff",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 354.0,
            "function_hash": "191433098567398937197409700715951240022"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@516760f1d2979903eaad5b437256913c5cd98416",
        "target": {
            "function": "__bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-f7983724",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 308.0,
            "function_hash": "58234445629484196640527416502323253397"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b03607437ea81b850599f705096b05b85e7a4a71",
        "target": {
            "function": "bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-f9072f6e",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "216407118971983460415108275410487147752",
                "30791680322251510702126669382947537975",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198",
                "218878913712525323370458831554114307088",
                "77699833788626035036825314859999067442",
                "319519615543015329429293739560723341145",
                "267410646708363654784184690309170770002",
                "93003473216757681127011449670982673210",
                "261531262933850995023731118706299919868",
                "256051023576896374171133688933787049198"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b03607437ea81b850599f705096b05b85e7a4a71",
        "target": {
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-fa7f56ea",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 308.0,
            "function_hash": "58234445629484196640527416502323253397"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3046a827316c0e55fc563b4fb78c93b9ca5c7c37",
        "target": {
            "function": "bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    },
    {
        "id": "CVE-2022-49697-ff434c6c",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 354.0,
            "function_hash": "191433098567398937197409700715951240022"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd",
        "target": {
            "function": "__bpf_sk_lookup",
            "file": "net/core/filter.c"
        }
    }
]