CVE-2024-26731

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 03/04/2024
Last modified: 03/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()

syzbot reported the following NULL pointer dereference issue [1]:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  [...]
  RIP: 0010:0x0
  [...]
  Call Trace:

   sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230
   unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x221/0x270 net/socket.c:745
   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
   ___sys_sendmsg net/socket.c:2638 [inline]
   __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
   do_syscall_64+0xf9/0x240
   entry_SYSCALL_64_after_hwframe+0x6f/0x77

If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called
concurrently, psock->saved_data_ready can be NULL, causing the above issue.

This patch fixes this issue by calling the appropriate data ready function
using the sk_psock_data_ready() helper and protecting it from concurrency
with sk->sk_callback_lock.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.32 (including) 6.1.80 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3.6 (including) 6.6.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*