CVE-2022-49979

Source
https://cve.org/CVERecord?id=CVE-2022-49979
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49979.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49979
Downstream
Published
2025-06-18T11:00:41.513Z
Modified
2026-03-20T12:24:49.025663Z
Summary
net: fix refcount bug in sk_psock_get (2)
Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix refcount bug in sk_psock_get (2)

Syzkaller reports refcount bug as follows:

------------[ cut here ]------------
refcount_t: saturated; leaking memory.
WARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
Modules linked in:
CPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0
 <TASK>
 __refcount_add_not_zero include/linux/refcount.h:163 [inline]
 __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
 refcount_inc_not_zero include/linux/refcount.h:245 [inline]
 sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439
 tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091
 tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983
 tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057
 tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659
 tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682
 sk_backlog_rcv include/net/sock.h:1061 [inline]
 __release_sock+0x134/0x3b0 net/core/sock.c:2849
 release_sock+0x54/0x1b0 net/core/sock.c:3404
 inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909
 __sys_shutdown_sock net/socket.c:2331 [inline]
 __sys_shutdown_sock net/socket.c:2325 [inline]
 __sys_shutdown+0xf1/0x1b0 net/socket.c:2343
 __do_sys_shutdown net/socket.c:2351 [inline]
 __se_sys_shutdown net/socket.c:2349 [inline]
 __x64_sys_shutdown+0x50/0x70 net/socket.c:2349
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
 </TASK>

During the SMC fallback process in the connect syscall, the kernel will replace TCP with SMC. In order to forward wakeups to the smc socket waitqueue after fallback, the kernel will set clcsk->sk_user_data to the origin smc socket in smc_fback_replace_callbacks().

Later, in the shutdown syscall, the kernel will call sk_psock_get(), which treats clcsk->sk_user_data as a psock, triggering the refcnt warning.

So, the root cause is that smc and psock both use the sk_user_data field, so they will mismatch this field easily.

This patch solves it by using another bit (defined as SK_USER_DATA_PSOCK) in PTRMASK, to mark whether sk_user_data points to a psock object or not. This patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e ("net, sk_msg: Clear sk_user_data pointer on clone if tagged").

Since there will possibly be more flags in the sk_user_data field, this patch also refactors the sk_user_data flags code to be more generic to improve its maintainability.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49979.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0ef6049f664941bc0f75828b3a61877635048b27
Fixed
a5d1cb908131e939bd8b63b8e5e23365bbc2edaf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
341adeec9adad0874f29a0a1af35638207352a39
Fixed
86026be8535c16fcc5e4f960286faf04d7f77815
Fixed
2a0133723f9ebeb751cfce19f74ec07e108bef1f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
504078fbe9dd570d685361b57784a6050bc40aaa

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49979.json"