If the Unix GC's deletion of an SKB races with unix_stream_read_generic() on the socket that the SKB was queued up on, we get a race condition, leading to UAF, because it is supposed to be impossible to run these operations in parallel on the same socket: - unix_stream_read_generic() assumes that `mutex_lock(&u->iolock)` protects `sk->sk_receive_queue` against element removal, so it holds a pointer to an SKB on the `sk->sk_receive_queue` without any other protection - scan_inflight() only takes `spin_lock(&x->sk_receive_queue.lock)` when stealing SKBs from the `sk_receive_queue`
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394