CVE-2026-22983
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/01/2026
Last modified:
23/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

net: do not write to msg_get_inq in callee

NULL pointer dereference fix.

msg_get_inq is an input field from caller to callee. Don't set it in
the callee, as the caller may not clear it on struct reuse.

This is a kernel-internal variant of msghdr only, and the only user
does reinitialize the field. So this is not critical for that reason.
But it is more robust to avoid the write, and slightly simpler code.
And it fixes a bug, see below.

Callers set msg_get_inq to request the input queue length to be
returned in msg_inq. This is equivalent to but independent from the
SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).
To reduce branching in the hot path the second also sets the msg_inq.
That is WAI.

This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for
SO_INQ unless explicitly asked for"), which fixed the inverse.

Also avoid NULL pointer dereference in unix_stream_read_generic if
state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg
can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:
implement splice for stream af_unix sockets").

Also collapse two branches using a bitwise or.
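
The caller/callee contract described above, as an added user-space model in C (not the kernel patch and not code from this advisory). Only the field names msg_get_inq, msg_inq and recvmsg_inq come from the description; the structs, the functions and the caller that reuses a struct without clearing the input field are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified user-space model. msg_get_inq, msg_inq and recvmsg_inq are
 * named in the commit message; everything else is hypothetical. */
struct model_msg {
    unsigned int msg_get_inq; /* input: caller requests the queue length */
    int msg_inq;              /* output: queue length, -1 = not reported */
};
struct model_sock {
    unsigned int recvmsg_inq; /* SO_INQ enabled on this socket */
    int queued;               /* bytes left in the receive queue */
};
typedef int (*read_fn)(const struct model_sock *, struct model_msg *);

/* Removed pattern: callee stores into the caller's input field, and
 * dereferences msg unconditionally (faults if msg == NULL). */
static int read_before(const struct model_sock *sk, struct model_msg *msg)
{
    if (sk->recvmsg_inq)
        msg->msg_get_inq = 1;
    if (!msg->msg_get_inq)
        return 0;
    msg->msg_inq = sk->queued;
    return 1;
}

/* Fixed pattern: msg_get_inq is only read, both requests are merged with
 * a bitwise or, and a NULL msg (the splice case) is tolerated. */
static int read_after(const struct model_sock *sk, struct model_msg *msg)
{
    unsigned int want_inq = sk->recvmsg_inq | (msg ? msg->msg_get_inq : 0);
    if (!msg || !want_inq)
        return 0;
    msg->msg_inq = sk->queued;
    return 1;
}

/* One struct reused for two reads, input field never cleared: first a
 * socket with SO_INQ, then one without. Returns 1 if the second read
 * reports a queue length that nobody requested. */
static int stale_request_leaks(read_fn rd)
{
    struct model_sock with_inq = { 1, 10 }, without_inq = { 0, 20 };
    struct model_msg msg = { 0, -1 };
    rd(&with_inq, &msg);
    msg.msg_inq = -1; /* caller resets the output only */
    return rd(&without_inq, &msg);
}

int main(void) { printf("%d %d\n", stale_request_leaks(read_before), stale_request_leaks(read_after)); return 0; }
```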



