CVE-2022-49205
Severity CVSS v4.0:
Pending analysis
Type:
CWE-415
Double Free
Publication date:
26/02/2025
Last modified:
22/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix double uncharge the mem of sk_msg

If tcp_bpf_sendmsg is running during a tear down operation, psock may be
freed.

```
tcp_bpf_sendmsg()
  tcp_bpf_send_verdict()
    sk_msg_return()
    tcp_bpf_sendmsg_redir()
      unlikely(!psock))
        sk_msg_free()
```

The mem of msg has been uncharged in tcp_bpf_send_verdict() by
sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock
is null, we can simply return an error code; this would then trigger
the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have
the side effect of throwing an error up to user space. This would be a
slight change in behavior from user side but would look the same as an
error if the redirect on the socket threw an error.

This issue can cause the following info:

```
WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
 __sk_destruct+0x24/0x1f0
 sk_psock_destroy+0x19b/0x1c0
 process_one_work+0x1b3/0x3c0
 worker_thread+0x30/0x350
 ? process_one_work+0x3c0/0x3c0
 kthread+0xe6/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
```
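The accounting error described above, as an added model that is not kernel code and not part of this record: a single `charged` counter stands in for the socket's memory accounting, the `_m` helpers mimic the behaviour of sk_msg_return(), sk_msg_free() and sk_msg_free_nocharge() as the commit message describes them, and `fixed` selects between uncharging again on a missing psock (the bug) and only returning an error so that the __SK_REDIRECT error path frees without uncharging. A non-zero balance at teardown is the inconsistency the inet_sock_destruct warning reports.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code. sk->charged is the number of bytes
 * currently charged to the socket; it must be zero when the socket is
 * destroyed, otherwise teardown detects inconsistent accounting. */
struct sk_model  { long charged; };
struct msg_model { size_t size; bool charged; };

/* Data copied in by sendmsg is charged to the sending socket. */
static void sk_msg_charge_m(struct sk_model *sk, struct msg_model *msg, size_t n) {
    msg->size = n; msg->charged = true; sk->charged += (long)n;
}
/* sk_msg_return(): hand the charge back before redirecting the msg. */
static void sk_msg_return_m(struct sk_model *sk, struct msg_model *msg) {
    sk->charged -= (long)msg->size; msg->charged = false;
}
/* sk_msg_free(): release the pages AND uncharge, unconditionally. */
static void sk_msg_free_m(struct sk_model *sk, struct msg_model *msg) {
    sk->charged -= (long)msg->size; msg->size = 0;
}
/* sk_msg_free_nocharge(): release the pages only (used by the error path). */
static void sk_msg_free_nocharge_m(struct msg_model *msg) { msg->size = 0; }

/* tcp_bpf_sendmsg_redir() when the target psock has already been torn down. */
static int sendmsg_redir_m(struct sk_model *sk, struct msg_model *msg,
                           bool psock_alive, bool fixed) {
    if (!psock_alive) {
        if (!fixed)
            sk_msg_free_m(sk, msg);   /* second uncharge: the double uncharge */
        return -EPIPE;                /* fixed: just report the error */
    }
    return 0;   /* redirect succeeded; the receiver now owns the charge */
}

/* __SK_REDIRECT branch of tcp_bpf_send_verdict(), then socket teardown.
 * Returns the charged balance at destruct time; 0 means consistent. */
long redirect_then_destruct(bool psock_alive, bool fixed) {
    struct sk_model sk = { 0 };
    struct msg_model msg;
    sk_msg_charge_m(&sk, &msg, 4096);        /* constructed 4 KiB message */
    sk_msg_return_m(&sk, &msg);              /* first uncharge, before redirect */
    int ret = sendmsg_redir_m(&sk, &msg, psock_alive, fixed);
    if (ret < 0)
        sk_msg_free_nocharge_m(&msg);        /* error path: free, no uncharge */
    return sk.charged;
}
```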
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.189 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.110 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.19 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434
- https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273
- https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002
- https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c
- https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393
- https://git.kernel.org/stable/c/cd84ea3920aef936c559b63099ef0013ce6b2325