CVE-2022-49979 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
net: fix refcount bug in sk_psock_get (2)
Syzkaller reports refcount bug as follows:
------------[ cut here ]------------
refcount_t: saturated; leaking memory.
WARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
Modules linked in:
CPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0
<TASK>
__refcount_add_not_zero include/linux/refcount.h:163 [inline]
__refcount_inc_not_zero include/linux/refcount.h:227 [inline]
refcount_inc_not_zero include/linux/refcount.h:245 [inline]
sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439
tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091
tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983
tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057
tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659
tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682
sk_backlog_rcv include/net/sock.h:1061 [inline]
__release_sock+0x134/0x3b0 net/core/sock.c:2849
release_sock+0x54/0x1b0 net/core/sock.c:3404
inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909
__sys_shutdown_sock net/socket.c:2331 [inline]
__sys_shutdown_sock net/socket.c:2325 [inline]
__sys_shutdown+0xf1/0x1b0 net/socket.c:2343
__do_sys_shutdown net/socket.c:2351 [inline]
__se_sys_shutdown net/socket.c:2349 [inline]
__x64_sys_shutdown+0x50/0x70 net/socket.c:2349
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
During the SMC fallback process in the connect syscall, the kernel will replace TCP with SMC. In order to forward wakeups to the smc socket waitqueue after fallback, the kernel will set clcsk->sk_user_data to the original smc socket in smc_fback_replace_callbacks().
Later, in the shutdown syscall, the kernel will call sk_psock_get(), which treats clcsk->sk_user_data as a psock type, triggering the refcnt warning.
So, the root cause is that smc and psock both use the sk_user_data field, so they will easily mismatch this field.
This patch solves it by using another bit (defined as SK_USER_DATA_PSOCK) in PTRMASK to mark whether sk_user_data points to a psock object or not. This patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e ("net, sk_msg: Clear sk_user_data pointer on clone if tagged").
Since there will possibly be more flags in the sk_user_data field, this patch also refactors the sk_user_data flags code to be more generic to improve its maintainability.
Analysis
by VulDB Data Team • 11/30/2025
CVE-2022-49979 is a critical reference count bug in the Linux kernel's networking subsystem, specifically in socket protocol handling. It manifests during the SMC (Scalable Memory Communication) fallback process, where the kernel transitions from TCP to SMC. The bug stems from improper handling of the sk_user_data field, a generic pointer field shared by several socket protocol contexts. When a TCP socket undergoes SMC fallback during a connect syscall, the kernel replaces the TCP socket with an SMC socket and, to forward wakeups, points clcsk->sk_user_data at the original SMC socket. In a later shutdown, the kernel calls sk_psock_get(), which wrongly treats that pointer as a psock object, and the reference count saturates. Syzkaller's automated fuzzing found the bug: it detected the memory leak condition and emitted the refcount_t saturation warning shown above.
The underlying flaw is that SMC and psock handling both use the same sk_user_data field for different purposes. The socket implementation treats sk_user_data as a flexible pointer field, so when SMC fallback occurs the original socket's field is overwritten with a pointer to the SMC socket context; when the shutdown syscall later processes that socket, sk_psock_get treats the pointer as a psock object and its reference count manipulation goes wrong. The counter saturates because the shared field is cast and managed as the wrong type. The vulnerability is classified under CWE-476 as a NULL pointer dereference, although its actual manifestation is a reference count overflow rather than a simple dereference failure. It directly affects the kernel's memory management subsystem and can lead to resource exhaustion.
The operational impact goes beyond a simple memory leak and can cause system instability and denial of service. Once the reference count saturates, the kernel's memory management is compromised: leaked memory accumulates over time and can eventually exhaust available memory. Systems that frequently exercise SMC fallback during network communication, including high-performance computing environments and network-intensive applications, are particularly affected. The attack surface is significant because the trigger involves core networking operations, the connect and shutdown syscalls, that are fundamental to network communication. The issue also maps to ATT&CK technique T1499.004 (resource exhaustion), since the saturated reference count can deplete system resources, and it can produce persistent leaks that do not crash the system immediately but gradually degrade performance.
The patch fixes this by introducing a new flag bit, SK_USER_DATA_PSOCK, within the PTRMASK mechanism that commit f1ff5ce2cd5e had already introduced. The dedicated bit lets the kernel distinguish the kinds of objects stored in sk_user_data: it indicates whether the pointer references a psock object or another type of socket context. The patch also refactors the existing sk_user_data flag handling to be more generic and maintainable, reducing the likelihood of similar conflicts in the future. It addresses the root cause by ensuring that when SMC fallback occurs the sk_user_data field is tagged with its actual type, so the misinterpretation that led to reference count saturation cannot happen. This is in line with security best practice: proper type-safety mechanisms in kernel memory management, and the principle of least privilege in that pointer types are validated before use. The fix also improves the maintainability of the networking subsystem by providing a more robust framework for managing shared socket context pointers.
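To make the fix concrete, here is an added user-space C model of the tagged sk_user_data scheme that the commit message and the patch discussion above describe; it is not the kernel's code. The flag values, struct layouts and helper names are assumptions chosen to mirror the commit, and the model relies on stored objects being at least 8-byte aligned, which holds for pointer-bearing structs on 64-bit targets.

```c
/* Added example (not kernel code): user-space model of the tagged sk_user_data
 * pointer the fix describes. Flag values, struct layouts and names are assumed. */
#include <stddef.h>
#include <stdint.h>
/* Low pointer bits hold flags, so stored objects must be at least 8-byte aligned. */
#define SK_USER_DATA_NOCOPY  1UL
#define SK_USER_DATA_BPF     2UL
#define SK_USER_DATA_PSOCK   4UL	/* the bit the fix introduces */
#define SK_USER_DATA_PTRMASK \
	(~(uintptr_t)(SK_USER_DATA_NOCOPY | SK_USER_DATA_BPF | SK_USER_DATA_PSOCK))

struct sock     { uintptr_t sk_user_data; };
struct sk_psock { struct sock *sk; unsigned int refcnt; };	/* pointer first: 8-aligned */
struct smc_sock { struct sock *clcsock; };

/* Strip the flag bits to recover the stored object pointer. */
static void *sk_user_data_ptr(const struct sock *sk)
{
	return (void *)(sk->sk_user_data & SK_USER_DATA_PTRMASK);
}

/* SMC fallback stores the smc socket in the clc socket with no psock tag. */
static void smc_fback_set_user_data(struct sock *clcsk, struct smc_sock *smc)
{
	clcsk->sk_user_data = (uintptr_t)smc;
}

/* A psock attach stores the psock and tags it as one. */
static void sk_psock_set_user_data(struct sock *sk, struct sk_psock *psock)
{
	sk->sk_user_data = (uintptr_t)psock | SK_USER_DATA_PSOCK;
}

/* Before the fix: any non-NULL sk_user_data is returned as a psock, and the
 * caller then bumps a "refcount" inside whatever object is really there. */
static struct sk_psock *sk_psock_get_unfixed(struct sock *sk)
{
	return sk_user_data_ptr(sk);
}

/* After the fix: dereference only when the PSOCK tag bit is present. */
static struct sk_psock *sk_psock_get_fixed(struct sock *sk)
{
	if (!(sk->sk_user_data & SK_USER_DATA_PSOCK))
		return NULL;
	struct sk_psock *psock = sk_user_data_ptr(sk);
	psock->refcnt++;	/* stands in for refcount_inc_not_zero() */
	return psock;
}
```

Link it with a main() that stores an smc_sock through smc_fback_set_user_data() and compares what the two getters return: the unfixed one hands back the smc_sock as if it were a psock, the fixed one returns NULL.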