In the Linux kernel, the following vulnerability has been resolved:
bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which syzbot reported [1].
[1] BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
 sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
 sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
 sk_psock_put include/linux/skmsg.h:459 [inline]
 sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
 unix_release+0x4b/0x80 net/unix/af_unix.c:1048
 __sock_release net/socket.c:659 [inline]
 sock_close+0x68/0x150 net/socket.c:1421
 __fput+0x2c1/0x660 fs/file_table.c:422
 __fput_sync+0x44/0x60 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close+0x101/0x1b0 fs/open.c:1541
 __x64_sys_close+0x1f/0x30 fs/open.c:1541
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
 sk_psock_data_ready include/linux/skmsg.h:464 [inline]
 sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
 sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
 unix_read_skb net/unix/af_unix.c:2546 [inline]
 unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg+0x140/0x180 net/socket.c:745
 ____sys_sendmsg+0x312/0x410 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer similarly due to no protection of saved_data_ready. Here is another, different caller causing the same issue for the same reason. So we should protect it with the sk_callback_lock read lock, because the writer side in sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".
To avoid errors that could happen in the future, I moved those two pairs of locks into sk_psock_data_ready(), as suggested by John Fastabend.