CVE-2022-50536

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix repeated calls to sockput() when msg has moredata

In tcpbpfsend_verdict() redirection, the eval variable is assigned to __SKREDIRECT after the applybytes data is sent, if msg has moredata, sockput() will be called multiple times.

We should reset the eval variable to __SKNONE every time moredata starts.

This causes:

IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7 ------------[ cut here ]------------ refcountt: addition on 0; use-after-free. WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcountwarnsaturate+0x7d/0x110 Modules linked in: CPU: 5 PID: 4482 Comm: sockhashbypass Kdump: loaded Not tainted 6.0.0 #1 Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> __tcptransmitskb+0xa1b/0xb90 ? __alloc_skb+0x8c/0x1a0 ? __kmallocnodetrackcaller+0x184/0x320 tcpwrite_xmit+0x22a/0x1110 __tcppushpendingframes+0x32/0xf0 dotcpsendpages+0x62d/0x640 tcpbpfpush+0xae/0x2c0 tcpbpfsendmsgredir+0x260/0x410 ? preemptcountadd+0x70/0xa0 tcpbpfsendverdict+0x386/0x4b0 tcpbpfsendmsg+0x21b/0x3b0 socksendmsg+0x58/0x70 __syssendto+0xfa/0x170 ? xfdvalidate_state+0x1d/0x80 ? switchfpureturn+0x59/0xe0 __x64syssendto+0x24/0x30 dosyscall64+0x37/0x90 entrySYSCALL64afterhwframe+0x63/0xcd