{"id":"CVE-2022-49198","summary":"mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb\n\nGot crash when doing pressure test of mptcp:\n\n===========================================================================\ndst_release: dst:ffffa06ce6e5c058 refcnt:-1\nkernel tried to execute NX-protected page - exploit attempt? (uid: 0)\nBUG: unable to handle kernel paging request at ffffa06ce6e5c058\nPGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063\nOops: 0011 [#1] SMP PTI\nCPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G            E\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014\nCall Trace:\n ? skb_release_head_state+0x68/0x100\n ? skb_release_all+0xe/0x30\n ? kfree_skb+0x32/0xa0\n ? mptcp_sendmsg_frag+0x57e/0x750\n ? __mptcp_retrans+0x21b/0x3c0\n ? __switch_to_asm+0x35/0x70\n ? mptcp_worker+0x25e/0x320\n ? process_one_work+0x1a7/0x360\n ? worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n ? kthread+0x112/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ? ret_from_fork+0x35/0x40\n===========================================================================\n\nIn __mptcp_alloc_tx_skb skb was allocated and skb-\u003etcp_tsorted_anchor will\nbe initialized, in under memory pressure situation sk_wmem_schedule will\nreturn false and then kfree_skb. In this case skb-\u003e_skb_refdst is not null\nbecause_skb_refdst and tcp_tsorted_anchor are stored in the same mem, and\nkfree_skb will try to release dst and cause crash.","modified":"2026-04-02T08:27:23.456562Z","published":"2025-02-26T01:55:41.631Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49198.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4d54181eba4b077fb74033a7186898ad4000a7a5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/752add6f5ce5305e55d8bda4ac8d69be3a09f14d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/af61a8f7603926c26158153d0a0755764d82657c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49198.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49198"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"289f2f58266777f45a52cd55dea96d736e6244c9"},{"fixed":"af61a8f7603926c26158153d0a0755764d82657c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f70cad1085d1e01d3ec73c1078405f906237feee"},{"fixed":"752add6f5ce5305e55d8bda4ac8d69be3a09f14d"},{"fixed":"4d54181eba4b077fb74033a7186898ad4000a7a5"},{"fixed":"3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49198.json"}}],"schema_version":"1.7.5"}