CVE-2022-49207 Information
Description
In the Linux kernel the following vulnerability has been resolved:
bpf sockmap: Fix memleak in sk_psock_queue_msg
If tcp_bpf_sendmsg is running during a tear down operation we may enqueue data on the ingress msg queue while tear down is trying to free it.
sk1 (redirect sk2) sk2
tcp_bpf_sendmsg() tcp_bpf_send_verdict() tcp_bpf_sendmsg_redir() bpf_tcp_ingress() sock_map_close() lock_sock() lock_sock() … blocking sk_psock_stop sk_psock_clear_state(psock SK_PSOCK_TX_ENABLED); release_sock(sk); lock_sock() sk_mem_charge() get_page() sk_psock_queue_msg() sk_psock_test_state(psock SK_PSOCK_TX_ENABLED); drop_sk_msg() release_sock()
While drop_sk_msg() the msg has charged memory form sk by sk_mem_charge and has sg pages need to put. To fix we use sk_msg_free() and then kfee() msg.
This issue can cause the following info:
WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0
Call Trace:
WARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0
Call Trace:
Reference
https://git.kernel.org/stable/c/03948ed6553960db62f1c33bec29e64d7c191a3f https://git.kernel.org/stable/c/4dd2e947d3be13a4de3b3028859b9a6497266bcf https://git.kernel.org/stable/c/938d3480b92fa5e454b7734294f12a7b75126f09 https://git.kernel.org/stable/c/ef9785f429794567792561a584901faa9291d3ee
Share on: