DEBIAN-CVE-2026-23192

In the Linux kernel, the following vulnerability has been resolved:  linkwatch: use devput() in callers to prevent UAF  After linkwatchdodev() calls devput() to release the linkwatch reference, the device refcount may drop to 1. At this point, netdevruntodo() can proceed (since linkwatchsyncdev() sees an empty list and returns without blocking), wait for the refcount to become 1 via netdevwaitallrefsany(), and then free the device via kobjectput().  This creates a use-after-free when linkwatchrunqueue() tries to call netdevunlockops() on the already-freed device.  Note that adding netdevlockops()/netdevunlockops() pair in netdevruntodo() before kobjectput() would not work, because netdevlockops() is conditional - it only locks when netdevneedopslock() returns true. If the device doesn't require opslock, linkwatch won't hold any lock, and netdevruntodo() acquiring the lock won't provide synchronization.  Fix this by moving devput() from linkwatchdodev() to its callers. The device reference logically pairs with de-listing the device, so it's reasonable for the caller that did the de-listing to release it. This allows placing devput() after all device accesses are complete, preventing UAF.  The bug can be reproduced by adding mdelay(2000) after linkwatchdodev() in linkwatchrunqueue(), then running:    ip tuntap add mode tun name tuntest   ip link set tuntest up   ip link set tuntest carrier off   ip link set tuntest carrier on   sleep 0.5   ip tuntap del mode tun name tuntest  KASAN report:   ==================================================================  BUG: KASAN: use-after-free in netdevneedopslock include/net/netdevlock.h:33 [inline]  BUG: KASAN: use-after-free in netdevunlockops include/net/netdevlock.h:47 [inline]  BUG: KASAN: use-after-free in linkwatchrunqueue+0x865/0x8a0 net/core/linkwatch.c:245  Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123   CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full)  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  Workqueue: eventsunbound linkwatchevent  Call Trace:   <TASK>   dumpstack lib/dumpstack.c:94 [inline]   dumpstacklvl+0x100/0x190 lib/dumpstack.c:120   printaddressdescription mm/kasan/report.c:378 [inline]   printreport+0x156/0x4c9 mm/kasan/report.c:482   kasanreport+0xdf/0x1a0 mm/kasan/report.c:595   netdevneedopslock include/net/netdevlock.h:33 [inline]   netdevunlockops include/net/netdevlock.h:47 [inline]   _linkwatchrunqueue+0x865/0x8a0 net/core/linkwatch.c:245   linkwatchevent+0x8f/0xc0 net/core/linkwatch.c:304   processonework+0x9c2/0x1840 kernel/workqueue.c:3257   processscheduledworks kernel/workqueue.c:3340 [inline]   workerthread+0x5da/0xe40 kernel/workqueue.c:3421   kthread+0x3b3/0x730 kernel/kthread.c:463   retfromfork+0x754/0xaf0 arch/x86/kernel/process.c:158   retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:246   </TASK>  ==================================================================