{
  "threat_severity" : "Low",
  "public_date" : "2025-06-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: fix refcount bug in sk_psock_get (2)",
    "id" : "2373406",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373406"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: fix refcount bug in sk_psock_get (2)\nSyzkaller reports refcount bug as follows:\n------------[ cut here ]------------\nrefcount_t: saturated; leaking memory.\nWARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19\nModules linked in:\nCPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0\n<TASK>\n__refcount_add_not_zero include/linux/refcount.h:163 [inline]\n__refcount_inc_not_zero include/linux/refcount.h:227 [inline]\nrefcount_inc_not_zero include/linux/refcount.h:245 [inline]\nsk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439\ntls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091\ntcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983\ntcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057\ntcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659\ntcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682\nsk_backlog_rcv include/net/sock.h:1061 [inline]\n__release_sock+0x134/0x3b0 net/core/sock.c:2849\nrelease_sock+0x54/0x1b0 net/core/sock.c:3404\ninet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909\n__sys_shutdown_sock net/socket.c:2331 [inline]\n__sys_shutdown_sock net/socket.c:2325 [inline]\n__sys_shutdown+0xf1/0x1b0 net/socket.c:2343\n__do_sys_shutdown net/socket.c:2351 [inline]\n__se_sys_shutdown net/socket.c:2349 [inline]\n__x64_sys_shutdown+0x50/0x70 net/socket.c:2349\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n</TASK>\nDuring SMC fallback process in connect syscall, kernel will\nreplaces TCP with SMC. In order to forward wakeup\nsmc socket waitqueue after fallback, kernel will sets\nclcsk->sk_user_data to origin smc socket in\nsmc_fback_replace_callbacks().\nLater, in shutdown syscall, kernel will calls\nsk_psock_get(), which treats the clcsk->sk_user_data\nas psock type, triggering the refcnt warning.\nSo, the root cause is that smc and psock, both will use\nsk_user_data field. So they will mismatch this field\neasily.\nThis patch solves it by using another bit(defined as\nSK_USER_DATA_PSOCK) in PTRMASK, to mark whether\nsk_user_data points to a psock object or not.\nThis patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e\n(\"net, sk_msg: Clear sk_user_data pointer on clone if tagged\").\nFor there will possibly be more flags in the sk_user_data field,\nthis patch also refactor sk_user_data flags code to be more generic\nto improve its maintainability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49979\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49979\nhttps://lore.kernel.org/linux-cve-announce/2025061820-CVE-2022-49979-f695@gregkh/T" ],
  "name" : "CVE-2022-49979",
  "csaw" : false
}