Linux Kernel Race Condition Vulnerability in BPF Sockmap Handling

Vulnerability

A race condition has been identified in the Linux kernel's BPF sockmap implementation, affecting every socket type sockmap supports (TCP, UDP, Unix and VSOCK). The backlog worker, sk_psock_backlog(), transmits queued skbs with skb_send_sock(), which reaches the socket through sk->sk_socket. The worker neither locks nor holds a reference to that socket, so it can run after the socket has been released and dereference freed memory, a use-after-free: when the backlog worker sends data through skb_send_sock() while another thread closes the same socket, the worker touches a freed socket structure and the kernel panics. The fix synchronizes socket closure with the backlog worker so that all pending work is completed before the socket is torn down.

Impact

Triggering the race causes a general protection fault in the backlog worker when it dereferences the socket pointer after the socket has been released (the crash presents as a null-pointer dereference in the send path). The result is a kernel panic, i.e. a denial of service of the whole host; no privilege escalation or information disclosure is reported.

Reproduction

The vulnerability can be reproduced by placing sockets in a sockmap with a verdict program that redirects traffic to another socket in the map: a redirected skb is queued on the target socket's ingress_skb list and the backlog work is scheduled, so the data is sent by the backlog worker rather than by the thread that wrote it. Closing the target socket from another thread while that work is pending or running lets the worker access a socket that has already been freed, and the kernel panics. Note that creating a sockmap requires CAP_NET_ADMIN, so the race is reachable only from a context that can set up the map and attach the program.
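To make the ordering of the Vulnerability and Reproduction sections concrete, here is an added single-threaded model of the race and of the synchronized close. It is illustration code written for this entry, not kernel source: the kernel workqueue is replaced by an explicit call to the backlog function so the interleaving is deterministic, the struct and function names carry a _model suffix, sock_map_close_vuln and sock_map_close_fixed are hypothetical names standing in for the before and after behaviour described above, and the queued skb lengths are constructed input.

```c
/* Added illustration for this entry, not kernel code: a single-threaded model
 * of the sockmap backlog/close race. The kernel workqueue is replaced by an
 * explicit call to sk_psock_backlog_model(), so the interleaving is fixed. */
#include <stdlib.h>

#define MAX_SKBS 8

struct socket_model { int unused; };                      /* stands in for struct socket */
struct sock_model   { struct socket_model *sk_socket; };  /* stands in for struct sock */
struct psock_model {                                      /* stands in for struct sk_psock */
    struct sock_model *sk;
    int ingress_skb[MAX_SKBS];      /* queued egress skbs, by length (constructed input) */
    int head, tail;
    int tx_enabled;                 /* analogue of SK_PSOCK_TX_ENABLED */
    int sent, dropped, bad_access;  /* counters inspected by the caller */
};
struct outcome { int sent, bad_access; };

/* Stand-in for skb_send_sock(): it reaches the socket through sk->sk_socket,
 * the pointer the backlog work neither locks nor references. Where the kernel
 * would fault, the model records the access and fails the send instead. */
static int skb_send_sock_model(struct psock_model *p, int len)
{
    if (p->sk->sk_socket == NULL) {
        p->bad_access++;
        return -1;
    }
    return len;
}

/* A verdict program redirected an skb to this socket's egress: queue it
 * (in the kernel, schedule_delayed_work(&psock->work, 0) follows). */
static int sk_psock_queue_model(struct psock_model *p, int len)
{
    if (p->tail == MAX_SKBS)
        return -1;
    p->ingress_skb[p->tail++] = len;
    return 0;
}

/* The backlog work function: 0 once the queue is drained, -1 where the real
 * worker would have crashed. */
static int sk_psock_backlog_model(struct psock_model *p)
{
    while (p->head < p->tail) {
        int len = p->ingress_skb[p->head++];
        if (!p->tx_enabled) {       /* close already ran: drop, never send */
            p->dropped++;
            continue;
        }
        if (skb_send_sock_model(p, len) < 0)
            return -1;              /* the GPF / null dereference from the advisory */
        p->sent++;
    }
    return 0;
}

/* Unsynchronised close: releases sk_socket while work is still queued. */
static void sock_map_close_vuln(struct psock_model *p)
{
    free(p->sk->sk_socket);
    p->sk->sk_socket = NULL;
}

/* Synchronised close: finish pending work, stop the TX path, then release
 * the socket. A backlog run that arrives later sees tx_enabled == 0. */
static void sock_map_close_fixed(struct psock_model *p)
{
    sk_psock_backlog_model(p);      /* wait for in-flight work, as cancel_delayed_work_sync() would */
    p->tx_enabled = 0;
    free(p->sk->sk_socket);
    p->sk->sk_socket = NULL;
}

/* The sequence from the advisory: two skbs are queued for egress, the socket
 * is closed from another thread, and the workqueue runs the backlog later. */
static struct outcome run_scenario(void (*close_fn)(struct psock_model *))
{
    struct socket_model *sock = calloc(1, sizeof *sock);
    struct sock_model sk = { .sk_socket = sock };
    struct psock_model p = { .sk = &sk, .tx_enabled = 1 };
    struct outcome out = { -1, -1 };   /* -1/-1 only if the allocation failed */

    if (sock == NULL)
        return out;
    sk_psock_queue_model(&p, 100);
    sk_psock_queue_model(&p, 200);
    close_fn(&p);                   /* close() racing with the pending work */
    sk_psock_backlog_model(&p);     /* the workqueue picks the work up afterwards */
    out.sent = p.sent;
    out.bad_access = p.bad_access;
    return out;
}
```

Calling run_scenario(sock_map_close_vuln) records one bad access and zero skbs sent, because the worker dereferences sk_socket after close released it; run_scenario(sock_map_close_fixed) records no bad access and both skbs sent, because close drained the work before releasing the socket and cleared tx_enabled so a later run never touches it. The model deliberately omits the lock that serializes the kernel's close and worker (work_mutex); in the kernel that lock is what makes the flush-then-release ordering hold against a worker that is already running.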

Remediation

Users should upgrade to a kernel version that includes the fix. Distribution kernels may carry it as a backport, so check the vendor advisory for the running kernel rather than relying on the upstream version number alone. Only hosts on which a BPF sockmap or sockhash is actually created and populated expose the vulnerable code path; the race is not reachable through ordinary socket use.

Added: Jul 3, 2025, 9:54 AM
Updated: Jul 3, 2025, 9:54 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.