DEBIAN-CVE-2026-23294

In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix race in devmap on PREEMPTRT  On PREEMPTRT kernels, the per-CPU xdpdevbulkqueue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU.  The original code assumes bqenqueue() and devflush() run atomically with respect to each other on the same CPU, relying on localbhdisable() to prevent preemption. However, on PREEMPTRT, localbhdisable() only calls migratedisable() (when PREEMPTRTNEEDSBHLOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bqxmitall(), enabling another task on the same CPU to enter bqenqueue() and operate on the same per-CPU bq concurrently.  This leads to several races:  1. Double-free / use-after-free on bq->q[]: bqxmitall() snapshots    cnt = bq->count, then iterates bq->q[0..cnt-1] to transmit frames.    If preempted after the snapshot, a second task can call bqenqueue()    -> bqxmitall() on the same bq, transmitting (and freeing) the    same frames. When the first task resumes, it operates on stale    pointers in bq->q[], causing use-after-free.  2. bq->count and bq->q[] corruption: concurrent bqenqueue() modifying    bq->count and bq->q[] while bqxmitall() is reading them.  3. devrx/xdpprog teardown race: devflush() clears bq->devrx and    bq->xdpprog after bqxmitall(). If preempted between    bqxmitall() return and bq->devrx = NULL, a preempting    bqenqueue() sees devrx still set (non-NULL), skips adding bq to    the flushlist, and enqueues a frame. When devflush() resumes,    it clears devrx and removes bq from the flushlist, orphaning the    newly enqueued frame.  4. listdelclearprev() on flushnode: similar to the cpumap race,    both tasks can call listdelclearprev() on the same flushnode,    the second dereferences the prev pointer already set to NULL.  The race between task A (devflush -> bqxmitall) and task B (bqenqueue -> bqxmitall) on the same CPU:    Task A (xdpdoflush)          Task B (ndoxdpxmit redirect)   ----------------------         --------------------------------   devflush(flushlist)     bqxmitall(bq)       cnt = bq->count  / e.g. 16 /       / start iterating bq->q[] /     <-- CFS preempts Task A -->                                    bqenqueue(dev, xdpf)                                      bq->count == DEVMAPBULKSIZE                                      bqxmitall(bq, 0)                                        cnt = bq->count  / same 16! /                                        ndoxdpxmit(bq->q[])                                        / frames freed by driver /                                        bq->count = 0     <-- Task A resumes -->       ndoxdpxmit(bq->q[])       / use-after-free: frames already freed! /  Fix this by adding a locallockt to xdpdevbulkqueue and acquiring it in bqenqueue() and devflush(). These paths already run under localbhdisable(), so use locallocknestedbh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq.