In the Linux kernel, the following vulnerability has been resolved:
bpf: Free reuseport cBPF prog after RCU grace period.
Eulgyu Kim reported the splat below with a repro. [0]
The repro sets up a UDP reuseport group with a cBPF prog and replaces it with a new one while another thread is sending a UDP packet to the group.
The reuseport prog is freed by sk_reuseport_prog_free(). bpf_prog_put() is called for "e"BPF prog to destruct through multiple stages while cBPF prog is freed immediately by bpf_release_orig_filter() and bpf_prog_free().
If a reuseport prog is detached from the setsockopt() path (reuseport_attach_prog() or reuseport_detach_prog()), sk_reuseport_prog_free() is called without waiting for RCU readers to complete, resulting in various bugs.
Let's defer freeing the reuseport cBPF prog after one RCU grace period.
Note "e"BPF prog is safe as is unless the fast path starts to touch fields destroyed in bpf_prog_put_deferred() and __bpf_prog_put_noref().
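The lifetime rule described above, replayed as a deterministic single-threaded userspace model. This is an added example, not kernel code and not the patch itself; every name in it (prog_free, grace_period, replace_prog and so on) is hypothetical, and a "freed" flag stands in for the real free so the stale access can be observed safely.

```c
/* Added userspace model, not kernel code; every name below is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
struct prog { bool freed; struct prog *next; };
static struct prog pool[2];   /* constructed stand-ins for two cBPF progs */
static struct prog *attached; /* models the group's RCU-protected prog pointer */
static struct prog *pending;  /* frees queued until the grace period ends */
static int readers;           /* readers currently inside a read-side section */
/* Models the final free; after this, any access is a use-after-free. */
static void prog_free(struct prog *p) { p->freed = true; }
/* The grace period ends only when no reader that saw the old prog remains. */
static void grace_period(void) {
    if (readers > 0)
        return;
    while (pending) {
        struct prog *p = pending;
        pending = p->next;
        prog_free(p);
    }
}
static void read_lock(void)   { readers++; }
static void read_unlock(void) { readers--; grace_period(); }

/* Models the setsockopt() path replacing the attached prog. */
static void replace_prog(struct prog *new_prog, bool defer) {
    struct prog *old = attached;
    attached = new_prog;
    if (!old)
        return;
    if (!defer) {             /* immediate free, as described for cBPF */
        prog_free(old);
        return;
    }
    old->next = pending;      /* deferred free, as the fix describes */
    pending = old;
    grace_period();
}

/* Replays the interleaving; true means the reader touched a freed prog. */
static bool reader_sees_freed_prog(bool defer) {
    pool[0] = pool[1] = (struct prog){ false, NULL };
    attached = pending = NULL; readers = 0;
    replace_prog(&pool[0], defer);
    read_lock();
    struct prog *p = attached;     /* packet path loads the prog pointer */
    replace_prog(&pool[1], defer); /* another thread swaps the prog */
    bool stale = p->freed;         /* packet path now runs the prog */
    read_unlock();
    return stale;
}
int main(void) { return !(reader_sees_freed_prog(false) && !reader_sees_freed_prog(true)); }
```

With deferral the old prog is still released, but only once the reader has left its read-side section.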
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52910.json"
}