CVE-2022-50838

In the Linux kernel, the following vulnerability has been resolved:

net: stream: purge skerrorqueue in skstreamkill_queues()

Changheon Lee reported TCP socket leaks, with a nice repro.

It seems we leak TCP sockets with the following sequence:

1) SOFTIMESTAMPINGTX_ACK is enabled on the socket.

Each ACK will cook an skb put in error queue, from __skbtstamptx(). __skbtstamptx() is using skbclone(), unless SOFTIMESTAMPINGOPTTSONLY was also requested.

2) If the application is also using MSGZEROCOPY, then we put in the error queue cloned skbs that had a struct ubufinfo attached to them.

Whenever an struct ubufinfo is allocated, sockzerocopyalloc() does a sockhold().

As long as the cloned skbs are still in skerrorqueue, socket refcount is kept elevated.

3) Application closes the socket, while error queue is not empty.

Since tcp_close() no longer purges the socket error queue, we might end up with a TCP socket with at least one skb in error queue keeping the socket alive forever.

This bug can be (ab)used to consume all kernel memory and freeze the host.

We need to purge the error queue, with proper synchronization against concurrent writers.