CVE-2022-49814

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 01/05/2025
Last modified: 07/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

kcm: close race conditions on sk_receive_queue

sk->sk_receive_queue is protected by skb queue lock, but for KCM sockets its RX path takes mux->rx_lock to protect more than just skb queue. However, kcm_recvmsg() still only grabs the skb queue lock, so race conditions still exist.

We can teach kcm_recvmsg() to grab mux->rx_lock too but this would introduce a potential performance regression as struct kcm_mux can be shared by multiple KCM sockets.

So we have to enforce skb queue lock in requeue_rx_msgs() and handle skb peek case carefully in kcm_wait_data(). Fortunately, skb_recv_datagram() already handles it nicely and is widely used by other sockets, we can just switch to skb_recv_datagram() after getting rid of the unnecessary sock lock in kcm_recvmsg() and kcm_splice_read(). Side note: SOCK_DONE is not used by KCM sockets, so it is safe to get rid of this check too.

I ran the original syzbot reproducer for 30 min without seeing any issue.

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.6 (including)    4.14.300 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.15 (including)   4.19.267 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.20 (including)   5.4.225 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)    5.10.156 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)   5.15.80 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)   6.0.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
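
For triage, the version table above can be turned into a check against a `uname -r` string. This is an added example, not part of the advisory or the kernel patch; the names `parse_release` and `listed_as_affected` are hypothetical, and the check compares upstream version numbers only, so a match on a distribution kernel (which may carry a backported fix) means the vendor advisory still needs to be consulted.

```python
import platform
import re

# Upstream ranges from the advisory table: (from, inclusive) .. (up to, exclusive).
AFFECTED_RANGES = [
    ((4, 6, 0), (4, 14, 300)),
    ((4, 15, 0), (4, 19, 267)),
    ((4, 20, 0), (5, 4, 225)),
    ((5, 5, 0), (5, 10, 156)),
    ((5, 11, 0), (5, 15, 80)),
    ((5, 16, 0), (6, 0, 10)),
]
# Release candidates the table lists one by one: 6.1-rc1 .. 6.1-rc5.
AFFECTED_RC_SERIES = (6, 1, 0)
AFFECTED_RCS = {1, 2, 3, 4, 5}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc_or_None)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(rc) if rc else None)


def listed_as_affected(release):
    """True when the advisory table lists this upstream version as affected.

    Vendor suffixes such as "-91-generic" are ignored, so for distribution
    kernels (which may carry backported fixes) a True result only means
    "check the vendor advisory". Release candidates are matched only against
    the 6.1-rc entries the table names explicitly.
    """
    version, rc = parse_release(release)
    if rc is not None:
        return version == AFFECTED_RC_SERIES and rc in AFFECTED_RCS
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()
    print(running, "listed as affected:", listed_as_affected(running))
```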