In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()
syzbot reported the following NULL pointer dereference issue [1]:
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:0x0
[...]
Call Trace:
 <TASK>
 sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230
 unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called concurrently, psock->saved_data_ready can be NULL, causing the above issue.
This patch fixes this issue by calling the appropriate data ready function using the sk_psock_data_ready() helper and protecting it from concurrency with sk->sk_callback_lock.