CVE-2022-49207

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49207
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49207.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49207
Published
2025-02-26T01:55:46Z
Modified
2025-10-15T19:49:09.504095Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
bpf, sockmap: Fix memleak in sk_psock_queue_msg
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix memleak in sk_psock_queue_msg

If tcp_bpf_sendmsg is running during a tear down operation we may enqueue data on the ingress msg queue while tear down is trying to free it.

 sk1 (redirect sk2)                         sk2
 -------------------                      ---------------
tcp_bpf_sendmsg()
 tcp_bpf_send_verdict()
  tcp_bpf_sendmsg_redir()
   bpf_tcp_ingress()
                                          sock_map_close()
                                           lock_sock()
    lock_sock() ... blocking
                                           sk_psock_stop
                                            sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
                                           release_sock(sk);
    lock_sock()
    sk_mem_charge()
    get_page()
    sk_psock_queue_msg()
     sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED);
     drop_sk_msg()
    release_sock()

While drop_sk_msg(), the msg has charged memory from sk by sk_mem_charge and has sg pages that need to be put. To fix this we use sk_msg_free() and then kfree() msg.

This issue can cause the following info:

WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0
Call Trace:
 <IRQ>
 inet_csk_destroy_sock+0x55/0x110
 tcp_rcv_state_process+0xe5f/0xe90
 ? sk_filter_trim_cap+0x10d/0x230
 ? tcp_v4_do_rcv+0x161/0x250
 tcp_v4_do_rcv+0x161/0x250
 tcp_v4_rcv+0xc3a/0xce0
 ip_protocol_deliver_rcu+0x3d/0x230
 ip_local_deliver_finish+0x54/0x60
 ip_local_deliver+0xfd/0x110
 ? ip_protocol_deliver_rcu+0x230/0x230
 ip_rcv+0xd6/0x100
 ? ip_local_deliver+0x110/0x110
 __netif_receive_skb_one_core+0x85/0xa0
 process_backlog+0xa4/0x160
 __napi_poll+0x29/0x1b0
 net_rx_action+0x287/0x300
 __do_softirq+0xff/0x2fc
 do_softirq+0x79/0x90
 </IRQ>

WARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0
Call Trace:
 <TASK>
 __sk_destruct+0x24/0x1f0
 sk_psock_destroy+0x19b/0x1c0
 process_one_work+0x1b3/0x3c0
 ? process_one_work+0x3c0/0x3c0
 worker_thread+0x30/0x350
 ? process_one_work+0x3c0/0x3c0
 kthread+0xe6/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
 </TASK>

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9635720b7c88592214562cb72605bdab6708006c
Fixed
ef9785f429794567792561a584901faa9291d3ee
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9635720b7c88592214562cb72605bdab6708006c
Fixed
4dd2e947d3be13a4de3b3028859b9a6497266bcf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9635720b7c88592214562cb72605bdab6708006c
Fixed
03948ed6553960db62f1c33bec29e64d7c191a3f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9635720b7c88592214562cb72605bdab6708006c
Fixed
938d3480b92fa5e454b7734294f12a7b75126f09

Affected versions

v5.*

v5.14
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
5.15.33
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.19
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.2