CVE-2022-50536

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data<br /> <br /> In tcp_bpf_send_verdict() redirection, the eval variable is assigned to<br /> __SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,<br /> sock_put() will be called multiple times.<br /> <br /> We should reset the eval variable to __SK_NONE every time more_data<br /> starts.<br /> <br /> This causes:<br /> <br /> IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7<br /> ------------[ cut here ]------------<br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110<br /> Modules linked in:<br /> CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1<br /> Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014<br /> Call Trace:<br /> <br /> __tcp_transmit_skb+0xa1b/0xb90<br /> ? __alloc_skb+0x8c/0x1a0<br /> ? __kmalloc_node_track_caller+0x184/0x320<br /> tcp_write_xmit+0x22a/0x1110<br /> __tcp_push_pending_frames+0x32/0xf0<br /> do_tcp_sendpages+0x62d/0x640<br /> tcp_bpf_push+0xae/0x2c0<br /> tcp_bpf_sendmsg_redir+0x260/0x410<br /> ? preempt_count_add+0x70/0xa0<br /> tcp_bpf_send_verdict+0x386/0x4b0<br /> tcp_bpf_sendmsg+0x21b/0x3b0<br /> sock_sendmsg+0x58/0x70<br /> __sys_sendto+0xfa/0x170<br /> ? xfd_validate_state+0x1d/0x80<br /> ? switch_fpu_return+0x59/0xe0<br /> __x64_sys_sendto+0x24/0x30<br /> do_syscall_64+0x37/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd