Linux Kernel Refcount Bug in sk_psock_get Function

Vulnerability

A reference-count bug has been identified in the net subsystem of the Linux kernel. It arises when the kernel's socket management mishandles reference counts, which can lead to memory leaks. The issue occurs during the Shared Memory Communications (SMC) fallback in the connect system call, where the kernel replaces TCP with SMC. The replacement leaves the sk_user_data field in an ambiguous state, because both SMC and sockmap psock structures (struct sk_psock) use that field to store their own data. The vulnerability has been observed in Linux kernel version 5.18.0.

Impact

Triggering this vulnerability produces a reference-count warning, which indicates a memory-management fault that could be exploited to leak memory.

Reproduction

The vulnerability can be reproduced by initiating a connection that triggers the SMC fallback, which replaces the TCP socket with an SMC socket. After the fallback, the kernel sets the TCP socket's sk_user_data to point at the original SMC socket. When the shutdown system call is later invoked, the kernel mistakenly interprets that sk_user_data value as a psock object and takes a reference on it, which produces the refcount warning.
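As an added illustration, not kernel code and not part of this advisory, the following userspace C model shows why a sk_user_data slot shared between SMC and psock is dangerous and how a type tag kept in the low pointer bits lets a psock lookup refuse data that belongs to another owner; the approach follows the spirit of the flag bits the kernel keeps in sk_user_data, but every struct and constant name below is the model's own simplification.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model (not kernel code) of the sk_user_data slot that SMC and
 * sockmap psocks both use. The low pointer bits carry a type tag, in the
 * spirit of the flag bits the kernel keeps in sk_user_data; names are ours. */
#define UD_FLAG_PSOCK ((uintptr_t)1)
#define UD_PTRMASK    (~(uintptr_t)7)           /* objects are 8-byte aligned */
struct sock     { uintptr_t sk_user_data; };
struct sk_psock { _Alignas(8) int refcnt; };
struct smc_sock { _Alignas(8) int fallback; };  /* stand-in for the SMC socket */
static void set_user_data(struct sock *sk, void *obj, uintptr_t tag)
{
    sk->sk_user_data = (uintptr_t)obj | tag;
}
/* Pre-fix pattern: whatever sits in sk_user_data is treated as a psock. */
static struct sk_psock *sk_psock_untagged(struct sock *sk)
{
    return (struct sk_psock *)(sk->sk_user_data & UD_PTRMASK);
}
/* Fixed pattern: hand out a psock only if the tag bit was set at store time. */
static struct sk_psock *sk_psock_tagged(struct sock *sk)
{
    if (!(sk->sk_user_data & UD_FLAG_PSOCK))
        return NULL;
    return (struct sk_psock *)(sk->sk_user_data & UD_PTRMASK);
}
/* Advisory scenario: after SMC fallback the TCP socket's sk_user_data points
 * at the SMC socket. Returns 1 if the untagged lookup misreads it as a psock
 * while the tagged lookup correctly returns NULL. */
int fallback_misread_detected(void)
{
    struct smc_sock smc = { 1 };
    struct sock tcp = { 0 };
    set_user_data(&tcp, &smc, 0);                   /* stored without a psock tag */
    return (void *)sk_psock_untagged(&tcp) == (void *)&smc
        && sk_psock_tagged(&tcp) == NULL;
}

/* A genuine psock stored with its tag is still found and can be refcounted. */
int psock_lookup_ok(void)
{
    struct sk_psock psock = { 1 };
    struct sock sk = { 0 };
    set_user_data(&sk, &psock, UD_FLAG_PSOCK);
    struct sk_psock *p = sk_psock_tagged(&sk);
    if (p) p->refcnt++;                              /* models sk_psock_get() */
    return p == &psock && psock.refcnt == 2;
}
```

The untagged lookup is the shape of the bug described above: any pointer parked in sk_user_data is taken for a psock and its "refcount" is touched, whereas the tagged lookup returns NULL for the SMC socket and only increments a real psock.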

Remediation

Upgrade to a Linux kernel release in which this vulnerability has been patched.

Added: Jun 18, 2025, 9:13 PM
Updated: Jun 18, 2025, 9:13 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          0.6
  exploitability  5.7
  remediation     7.7
  relevance       0.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight key vulnerability categories, which are then combined into the overall risk score.