CVE-2022-49209

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix memleak in tcpbpfsendmsg while sk msg is full

If tcpbpfsendmsg() is running while sk msg is full. When skmsgalloc() returns -ENOMEM error, tcpbpfsendmsg() goes to waitformemory. If partial memory has been alloced by skmsgalloc(), that is, msgtx->sg.size is greater than osize after skmsgalloc(), memleak occurs. To fix we use skmsg_trim() to release the allocated memory, then goto wait for memory.

Other call paths of skmsgalloc() have the similar issue, such as tlsswsendmsg(), so handle skmsgtrim logic inside skmsgalloc(), as Cong Wang suggested.

This issue can cause the following info: WARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 skstreamkillqueues+0xd4/0x1a0 Call Trace: <TASK> inetcskdestroysock+0x55/0x110 __tcpclose+0x279/0x470 tcpclose+0x1f/0x60 inet_release+0x3f/0x80 __sockrelease+0x3d/0xb0 sockclose+0x11/0x20 __fput+0x92/0x250 taskworkrun+0x6a/0xa0 doexit+0x33b/0xb60 dogroupexit+0x2f/0xa0 getsignal+0xb6/0x950 archdosignalorrestart+0xac/0x2a0 exittousermodeprepare+0xa9/0x200 syscallexittousermode+0x12/0x30 dosyscall64+0x46/0x80 entrySYSCALL64afterhwframe+0x44/0xae </TASK>

WARNING: CPU: 3 PID: 2094 at net/ipv4/afinet.c:155 inetsock_destruct+0x13c/0x260 Call Trace: <TASK> _skdestruct+0x24/0x1f0 skpsockdestroy+0x19b/0x1c0 processonework+0x1b3/0x3c0 kthread+0xe6/0x110 retfromfork+0x22/0x30 </TASK>