In the Linux kernel, the following vulnerability has been resolved:
tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().
syzbot reported a weird reqsk->rsk_refcnt underflow in __inet_csk_reqsk_queue_drop().
The captured reqsk_put() in __inet_csk_reqsk_queue_drop() is called only when it successfully removes reqsk from ehash.
Moreover, reqsk_timer_handler() calls another reqsk_put() after that.
This indicates that the reqsk was missing both refcnts for ehash and the timer itself.
Since all the syzbot reports had PREEMPT_RT enabled, the only possible scenario is that reqsk_queue_hash_req() is preempted after mod_timer() and before refcount_set(), and then the timer triggered after 1s aborts the reqsk due to its listener's close().
Let's wrap mod_timer() and refcount_set() with preempt_disable_nested() and preempt_enable_nested().
Note that inet_ehash_insert() holds the normal spinlock() (mutex in PREEMPT_RT), so it must be called outside of preempt_disable_nested(), but this is fine.
The lookup path just ignores 0 sk_refcnt entries in ehash and tries to create another reqsk, but this will fail at inet_ehash_insert().
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: ktimers/0/16
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Code: e4 7d d1 0a 67 48 0f b9 3a eb 4a e8 38 3d 23 fd 48 8d 3d e1 7d d1 0a 67 48 0f b9 3a eb 37 e8 25 3d 23 fd 48 8d 3d de 7d d1 0a <67> 48 0f b9 3a eb 24 e8 12 3d 23 fd 48 8d 3d db 7d d1 0a 67 48 0f
RSP: 0000:ffffc90000157948 EFLAGS: 00010246
RAX: ffffffff84a1301b RBX: 0000000000000003 RCX: ffff88801ca98000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffffff8f72ae00
RBP: ffffffff99ae3b01 R08: ffff88801ca98000 R09: 0000000000000005
R10: 0000000000000100 R11: 0000000000000004 R12: ffff8880425ef568
R13: ffff8880425ef4f8 R14: ffff8880425ef578 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888126386000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b46710e9c CR3: 000000000dbb6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 reqsk_put include/net/request_sock.h:136 [inline]
 __inet_csk_reqsk_queue_drop+0x3ce/0x440 net/ipv4/inet_connection_sock.c:1007
 reqsk_timer_handler+0x651/0xdf0 net/ipv4/inet_connection_sock.c:1137
 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0x67/0x170 kernel/time/timer.c:2403
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0x69/0x100 kernel/softirq.c:1151
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
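The race and the fix described in the commit message above, as an added userspace C model; this is example code, not kernel code and not the patch itself. Function names mirror the kernel ones, but every body is an assumed toy stand-in: the timer expiry is a call injected at the preemption point, preempt_{disable,enable}_nested() is a counter that defers that expiry until preemption is re-enabled (as the ktimers thread would be held off on one CPU), and refcount_t is a struct that saturates and records the lib/refcount.c warning on a decrement from zero. The `fixed` and `expire_early` parameters are this example's own switches.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy refcount_t: a decrement from zero saturates and records the warning
 * that lib/refcount.c would emit (REFCOUNT_SUB_UAF, the "3" seen in RBX). */
#define REFCOUNT_SATURATED 0xC0000000u

struct refcount {
    unsigned int val;
    bool warned;
};

static void refcount_set(struct refcount *r, unsigned int n) { r->val = n; }

/* Returns true when the count reaches zero, i.e. the object must be freed. */
static bool refcount_dec_and_test(struct refcount *r)
{
    if (r->val == 0) {
        r->val = REFCOUNT_SATURATED;
        r->warned = true;
        return false;
    }
    return --r->val == 0;
}

/* Minimal request socket: the refcount plus the state the race touches. */
struct reqsk {
    struct refcount rsk_refcnt;
    bool in_ehash;
    bool freed;
};

/* Assumed single-CPU preemption model: while preempt_count > 0 a pending
 * expiry cannot run; preempt_enable_nested() replays it afterwards. */
static int preempt_count;
static struct reqsk *pending_expiry;

static void reqsk_put(struct reqsk *req)
{
    if (refcount_dec_and_test(&req->rsk_refcnt))
        req->freed = true;
}

/* Model of reqsk_timer_handler() aborting the request after the listener
 * closed: __inet_csk_reqsk_queue_drop() unhashes it and drops the ehash
 * reference, then the handler drops the timer's own reference. */
static void reqsk_timer_handler(struct reqsk *req)
{
    if (req->in_ehash) {
        req->in_ehash = false;
        reqsk_put(req);
    }
    reqsk_put(req);
}

static void preempt_disable_nested(void) { preempt_count++; }

static void preempt_enable_nested(void)
{
    if (--preempt_count == 0 && pending_expiry) {
        struct reqsk *req = pending_expiry;

        pending_expiry = NULL;
        reqsk_timer_handler(req);
    }
}

/* The injected preemption point: the 1s timer fires while we are preempted. */
static void timer_expires(struct reqsk *req)
{
    if (preempt_count > 0)
        pending_expiry = req;
    else
        reqsk_timer_handler(req);
}

static void inet_ehash_insert(struct reqsk *req) { req->in_ehash = true; }
static void mod_timer(struct reqsk *req) { (void)req; }

/* Model of reqsk_queue_hash_req(). fixed == false: original order, nothing
 * stops the expiry from running before refcount_set(). fixed == true:
 * inet_ehash_insert() stays outside the preempt-disabled region (it takes a
 * spinlock, a sleeping lock on PREEMPT_RT; lookups skip entries whose
 * sk_refcnt is 0), and mod_timer() plus refcount_set() are wrapped by
 * preempt_{disable,enable}_nested(). */
static void reqsk_queue_hash_req(struct reqsk *req, bool fixed, bool expire_early)
{
    memset(req, 0, sizeof(*req));

    if (fixed) {
        inet_ehash_insert(req);
        preempt_disable_nested();
        mod_timer(req);
    } else {
        mod_timer(req);
        inet_ehash_insert(req);
    }

    /* The window from the syzbot reports: after mod_timer(), before refcount_set(). */
    if (expire_early)
        timer_expires(req);

    refcount_set(&req->rsk_refcnt, 2 + 1);   /* ehash + timer + caller */

    if (fixed)
        preempt_enable_nested();
}

int main(void)
{
    struct reqsk req;

    reqsk_queue_hash_req(&req, false, true);
    printf("unfixed: warned=%d refcnt=%#x\n", req.rsk_refcnt.warned, req.rsk_refcnt.val);
    reqsk_queue_hash_req(&req, true, true);
    printf("fixed:   warned=%d refcnt=%u freed=%d\n",
           req.rsk_refcnt.warned, req.rsk_refcnt.val, req.freed);
    return 0;
}
```

In the unfixed ordering the handler runs against an rsk_refcnt of 0 and both reqsk_put() calls underflow, exactly the two missing references the commit message describes; the later refcount_set() then papers over the saturated value. In the fixed ordering the expiry is held back until preempt_enable_nested(), by which point the count is 3, so the handler's two puts leave the caller's reference intact.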
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53260.json",
"cna_assigner": "Linux"
}