CVE-2022-49697

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 24/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix request_sock leak in sk lookup helpers

A customer reported a request_socket leak in a Calico cloud environment. We found that a BPF program was doing a socket lookup which takes a refcnt on the socket and that it was finding the request_socket but returning the parent LISTEN socket via sk_to_full_sk() without decrementing the child request socket 1st, resulting in request_sock slab object leak. This patch retains the existing behaviour of returning full socks to the caller but it also decrements the child request_socket if one is present before doing so to prevent the leak.

Thanks to Curtis Taylor for all the help in diagnosing and testing this. And thanks to Antoine Tenart for the reproducer and patch input.

v2 of this patch contains, refactor as per Daniel Borkmann's suggestions to validate RCU flags on the listen socket so that it balances with bpf_sk_release() and update comments as per Martin KaFai Lau's suggestion. One small change to Daniel's suggestion, put "sk = sk2" under "if (sk2 != sk)" to avoid an extra instruction.
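The reference-count flow described above, as an added user-space model in C (an illustration written for this page, not the kernel patch or any project's code). The `struct sock` fields and helper names are simplified stand-ins, and the listener is assumed to be RCU-freed, so a lookup takes no reference on it.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified user-space model of the refcount flow; not kernel code.
 * Field and function names are stand-ins chosen for this example. */
struct sock {
    int refcnt;             /* references currently held */
    int fullsock;           /* 0 = request_sock, 1 = full socket */
    int rcu_free;           /* 1 = freed via RCU, lookups take no reference */
    struct sock *listener;  /* parent LISTEN socket of a request_sock */
};

static int refcounted(const struct sock *sk) { return !sk->fullsock || !sk->rcu_free; }
static struct sock *lookup(struct sock *sk) { if (refcounted(sk)) sk->refcnt++; return sk; }
static void put(struct sock *sk) { sk->refcnt--; }
/* Models bpf_sk_release(): drops a reference only on refcounted sockets. */
static void release(struct sock *sk) { if (sk && refcounted(sk)) put(sk); }
/* Models sk_to_full_sk(): a request_sock maps to its listener. */
static struct sock *to_full_sk(struct sock *sk) { return sk->fullsock ? sk : sk->listener; }

/* Before the fix: the parent is returned, the child's reference is never dropped. */
static struct sock *helper_before(struct sock *found) {
    return to_full_sk(lookup(found));
}

/* After the fix: drop the child's reference first, then return the parent. */
static struct sock *helper_after(struct sock *found) {
    struct sock *sk = lookup(found), *sk2 = to_full_sk(sk);
    if (sk2 != sk) {
        put(sk);
        if (!sk2->rcu_free)   /* a refcounted parent would unbalance release() */
            return NULL;
        sk = sk2;
    }
    return sk;
}

/* Runs lookup + release on a request_sock; returns references left behind. */
int leaked_refs(int fixed) {
    struct sock lsk = { .refcnt = 1, .fullsock = 1, .rcu_free = 1, .listener = NULL };
    struct sock req = { .refcnt = 1, .fullsock = 0, .rcu_free = 0, .listener = &lsk };
    release(fixed ? helper_after(&req) : helper_before(&req));
    return (req.refcnt - 1) + (lsk.refcnt - 1);
}

int main(void) {
    printf("before: %d leaked, after: %d leaked\n", leaked_refs(0), leaked_refs(1));
    return 0;
}
```

In the "before" path the caller's release acts on the listener, which holds no lookup reference, so the request_sock's count never returns to its starting value and the object can never be freed.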

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.2 (including) 5.4.202 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.127 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.18.8 (excluding)
cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*