CVE-2025-38154

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
03/07/2025
Last modified:
18/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Avoid using sk_socket after free when sending

The sk->sk_socket is not locked or referenced in the backlog thread, and
during the call to skb_send_sock(), there is a race condition with
the release of sk_socket. All types of sockets (tcp/udp/unix/vsock)
will be affected.

Race conditions:
'''
CPU0                               CPU1

backlog::skb_send_sock
  sendmsg_unlocked
    sock_sendmsg
      sock_sendmsg_nosec
                                   close(fd):
                                     ...
                                     ops->release() -> sock_map_close()
                                     sk_socket->ops = NULL
                                     free(socket)
      sock->ops->sendmsg
            ^
            panic here
'''

The ref of psock becomes 0 after sock_map_close() is executed.
'''
void sock_map_close()
{
    ...
    if (likely(psock)) {
    ...
    // !! here we remove psock and the ref of psock become 0
    sock_map_remove_links(sk, psock)
    psock = sk_psock_get(sk);
    if (unlikely(!psock))
        goto no_psock; work);

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.162 (including) 5.15.186 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.95 (including) 6.1.142 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.35 (including) 6.6.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9.6 (including) 6.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.10.1 (including) 6.12.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
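
To check a host against the upstream ranges in the table above, the following added example (not part of the original advisory) compares a `uname -r` style release string with them. The function names are hypothetical and the sample release strings in the usage are constructed.

```python
import re

# Affected upstream ranges copied from the table above:
# (first affected version, first fixed version).
AFFECTED = [
    ("5.15.162", "5.15.186"),
    ("6.1.95", "6.1.142"),
    ("6.6.35", "6.6.94"),
    ("6.9.6", "6.10"),
    ("6.10.1", "6.12.34"),
    ("6.13", "6.15.3"),
]
# 6.10 entries the table lists one by one ("" stands for the final 6.10 release).
AFFECTED_6_10 = {"", "rc2", "rc3", "rc4", "rc5", "rc6", "rc7"}


def parse(release):
    """Split a release string into ((major, minor, patch), rc_tag)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc or ""


def is_affected(release):
    """True/False per the table; None when the table cannot decide."""
    version, rc = parse(release)
    if version == (6, 10, 0):
        return rc in AFFECTED_6_10
    if rc:
        return None  # release candidates other than 6.10-rcN are not listed
    return any(parse(low)[0] <= version < parse(high)[0]
               for low, high in AFFECTED)


if __name__ == "__main__":
    # Constructed sample release strings; pass platform.release() for the local host.
    for sample in ("6.6.40", "6.6.94", "6.10-rc3", "6.12.33-amd64", "6.14-rc2"):
        print(sample, is_affected(sample))
```

Distribution kernels backport fixes without changing the upstream base version, so for packaged kernels such as the Debian 11 entry the vendor's own advisory decides whether a given build is fixed.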