CVE-2022-49198

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb<br /> <br /> Got crash when doing pressure test of mptcp:<br /> <br /> ===========================================================================<br /> dst_release: dst:ffffa06ce6e5c058 refcnt:-1<br /> kernel tried to execute NX-protected page - exploit attempt? (uid: 0)<br /> BUG: unable to handle kernel paging request at ffffa06ce6e5c058<br /> PGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063<br /> Oops: 0011 [#1] SMP PTI<br /> CPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G E<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014<br /> Call Trace:<br /> ? skb_release_head_state+0x68/0x100<br /> ? skb_release_all+0xe/0x30<br /> ? kfree_skb+0x32/0xa0<br /> ? mptcp_sendmsg_frag+0x57e/0x750<br /> ? __mptcp_retrans+0x21b/0x3c0<br /> ? __switch_to_asm+0x35/0x70<br /> ? mptcp_worker+0x25e/0x320<br /> ? process_one_work+0x1a7/0x360<br /> ? worker_thread+0x30/0x390<br /> ? create_worker+0x1a0/0x1a0<br /> ? kthread+0x112/0x130<br /> ? kthread_flush_work_fn+0x10/0x10<br /> ? ret_from_fork+0x35/0x40<br /> ===========================================================================<br /> <br /> In __mptcp_alloc_tx_skb skb was allocated and skb-&gt;tcp_tsorted_anchor will<br /> be initialized, in under memory pressure situation sk_wmem_schedule will<br /> return false and then kfree_skb. In this case skb-&gt;_skb_refdst is not null<br /> because_skb_refdst and tcp_tsorted_anchor are stored in the same mem, and<br /> kfree_skb will try to release dst and cause crash.