CVE-2026-52938

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix NULL pointer dereference in bpf sk storage clone and diag paths

bpf selem unlink nofail() sets SDATA(selem)->smap to NULL before removing the selem from the storage hlist. A concurrent RCU reader in bpf sk storage clone() can observe the selem still on the list with smap already NULL, causing a NULL pointer dereference.

general protection fault, probably for non-canonical address 0xdffffc000000000a: KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057] RIP: 0010:bpf sk storage clone+0x1cd/0xaa0 net/core/bpf sk storage.c:174 Call Trace: sk clone+0xfed/0x1980 net/core/sock.c:2591 inet csk clone lock+0x30/0x760 net/ipv4/inet connection sock.c:1222 tcp create openreq child+0x35/0x2680 net/ipv4/tcp minisocks.c:571 tcp v4 syn recv sock+0x123/0xf90 net/ipv4/tcp ipv4.c:1729 tcp check req+0x8e1/0x2580 include/net/tcp.h:855 tcp v4 rcv+0x1845/0x3b80 net/ipv4/tcp ipv4.c:2347

Add a NULL check for smap in bpf sk storage clone().

bpf sk storage diag put all() has the same issue. Add a NULL check and pass the validated smap directly to diag get(), which is refactored to take smap as a parameter instead of reading it internally.

bpf sk storage diag put() uses diag->maps[i] which is always valid under its refcount, so diag->maps[i] is passed directly to diag get().