GHSA-C898-7QPG-FW83

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-03-25 12:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix race in cpumap on PREEMPT_RT

On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU.

The original code assumes bq_enqueue() and __cpu_map_flush() run atomically with respect to each other on the same CPU, relying on local_bh_disable() to prevent preemption. However, on PREEMPT_RT, local_bh_disable() only calls migrate_disable() (when PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bq_flush_to_queue(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently.

This leads to several races:

  1. Double __list_del_clearprev(): after bq->count is reset in bq_flush_to_queue(), a preempting task can call bq_enqueue() -> bq_flush_to_queue() on the same bq when bq->count reaches CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev() on the same bq->flush_node, the second call dereferences the prev pointer that was already set to NULL by the first.

  2. bq->count and bq->q[] races: concurrent bq_enqueue() can corrupt the packet queue while bq_flush_to_queue() is processing it.

The race between task A (__cpu_map_flush -> bq_flush_to_queue) and task B (bq_enqueue -> bq_flush_to_queue) on the same CPU:

Task A (xdp_do_flush) Task B (cpu_map_enqueue) ---------------------- ------------------------ bq_flush_to_queue(bq) spin_lock(&q->producer_lock) / flush bq->q[] to ptr_ring / bq->count = 0 spin_unlock(&q->producer_lock) bq_enqueue(rcpu, xdpf) <-- CFS preempts Task A --> bq->q[bq->count++] = xdpf / ... more enqueues until full ... / bq_flush_to_queue(bq) spin_lock(&q->producer_lock) / flush to ptr_ring / spin_unlock(&q->producer_lock) __list_del_clearprev(flush_node) / sets flush_node.prev = NULL / <-- Task A resumes --> __list_del_clearprev(flush_node) flush_node.prev->next = ... / prev is NULL -> kernel oops /

Fix this by adding a local_lock_t to xdp_bulk_queue and acquiring it in bq_enqueue() and __cpu_map_flush(). These paths already run under local_bh_disable(), so use local_lock_nested_bh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq.

To reproduce, insert an mdelay(100) between bq->count = 0 and __list_del_clearprev() in bq_flush_to_queue(), then run reproducer provided by syzkaller.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-23342"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:32Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix race in cpumap on PREEMPT_RT\n\nOn PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed\nconcurrently by multiple preemptible tasks on the same CPU.\n\nThe original code assumes bq_enqueue() and __cpu_map_flush() run\natomically with respect to each other on the same CPU, relying on\nlocal_bh_disable() to prevent preemption. However, on PREEMPT_RT,\nlocal_bh_disable() only calls migrate_disable() (when\nPREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable\npreemption, which allows CFS scheduling to preempt a task during\nbq_flush_to_queue(), enabling another task on the same CPU to enter\nbq_enqueue() and operate on the same per-CPU bq concurrently.\n\nThis leads to several races:\n\n1. Double __list_del_clearprev(): after bq-\u003ecount is reset in\n   bq_flush_to_queue(), a preempting task can call bq_enqueue() -\u003e\n   bq_flush_to_queue() on the same bq when bq-\u003ecount reaches\n   CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev()\n   on the same bq-\u003eflush_node, the second call dereferences the\n   prev pointer that was already set to NULL by the first.\n\n2. bq-\u003ecount and bq-\u003eq[] races: concurrent bq_enqueue() can corrupt\n   the packet queue while bq_flush_to_queue() is processing it.\n\nThe race between task A (__cpu_map_flush -\u003e bq_flush_to_queue) and\ntask B (bq_enqueue -\u003e bq_flush_to_queue) on the same CPU:\n\n  Task A (xdp_do_flush)          Task B (cpu_map_enqueue)\n  ----------------------         ------------------------\n  bq_flush_to_queue(bq)\n    spin_lock(\u0026q-\u003eproducer_lock)\n    /* flush bq-\u003eq[] to ptr_ring */\n    bq-\u003ecount = 0\n    spin_unlock(\u0026q-\u003eproducer_lock)\n                                   bq_enqueue(rcpu, xdpf)\n    \u003c-- CFS preempts Task A --\u003e      bq-\u003eq[bq-\u003ecount++] = xdpf\n                                     /* ... more enqueues until full ... */\n                                     bq_flush_to_queue(bq)\n                                       spin_lock(\u0026q-\u003eproducer_lock)\n                                       /* flush to ptr_ring */\n                                       spin_unlock(\u0026q-\u003eproducer_lock)\n                                       __list_del_clearprev(flush_node)\n                                         /* sets flush_node.prev = NULL */\n    \u003c-- Task A resumes --\u003e\n    __list_del_clearprev(flush_node)\n      flush_node.prev-\u003enext = ...\n      /* prev is NULL -\u003e kernel oops */\n\nFix this by adding a local_lock_t to xdp_bulk_queue and acquiring it\nin bq_enqueue() and __cpu_map_flush(). These paths already run under\nlocal_bh_disable(), so use local_lock_nested_bh() which on non-RT is\na pure annotation with no overhead, and on PREEMPT_RT provides a\nper-CPU sleeping lock that serializes access to the bq.\n\nTo reproduce, insert an mdelay(100) between bq-\u003ecount = 0 and\n__list_del_clearprev() in bq_flush_to_queue(), then run reproducer\nprovided by syzkaller.",
  "id": "GHSA-c898-7qpg-fw83",
  "modified": "2026-03-25T12:30:23Z",
  "published": "2026-03-25T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23342"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.