In the Linux kernel, the following vulnerability has been resolved:
net: Fix TOCTOU issue in skisreadable()
sk->skprot->sockisreadable is a valid function pointer when sk resides in a sockmap. After the last skpsockput() (which usually happens when socket is removed from sockmap), sk->skprot gets restored and sk->skprot->sockis_readable becomes NULL.
This makes skisreadable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference.
Ensure the function pointer does not turn NULL after the check.