{"id":"CVE-2026-23342","summary":"bpf: Fix race in cpumap on PREEMPT_RT","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix race in cpumap on PREEMPT_RT\n\nOn PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed\nconcurrently by multiple preemptible tasks on the same CPU.\n\nThe original code assumes bq_enqueue() and __cpu_map_flush() run\natomically with respect to each other on the same CPU, relying on\nlocal_bh_disable() to prevent preemption. However, on PREEMPT_RT,\nlocal_bh_disable() only calls migrate_disable() (when\nPREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable\npreemption, which allows CFS scheduling to preempt a task during\nbq_flush_to_queue(), enabling another task on the same CPU to enter\nbq_enqueue() and operate on the same per-CPU bq concurrently.\n\nThis leads to several races:\n\n1. Double __list_del_clearprev(): after bq-\u003ecount is reset in\n   bq_flush_to_queue(), a preempting task can call bq_enqueue() -\u003e\n   bq_flush_to_queue() on the same bq when bq-\u003ecount reaches\n   CPU_MAP_BULK_SIZE. Both tasks then call __list_del_clearprev()\n   on the same bq-\u003eflush_node, the second call dereferences the\n   prev pointer that was already set to NULL by the first.\n\n2. bq-\u003ecount and bq-\u003eq[] races: concurrent bq_enqueue() can corrupt\n   the packet queue while bq_flush_to_queue() is processing it.\n\nThe race between task A (__cpu_map_flush -\u003e bq_flush_to_queue) and\ntask B (bq_enqueue -\u003e bq_flush_to_queue) on the same CPU:\n\n  Task A (xdp_do_flush)          Task B (cpu_map_enqueue)\n  ----------------------         ------------------------\n  bq_flush_to_queue(bq)\n    spin_lock(&q-\u003eproducer_lock)\n    /* flush bq-\u003eq[] to ptr_ring */\n    bq-\u003ecount = 0\n    spin_unlock(&q-\u003eproducer_lock)\n                                   bq_enqueue(rcpu, xdpf)\n    \u003c-- CFS preempts Task A --\u003e      bq-\u003eq[bq-\u003ecount++] = xdpf\n                                     /* ... more enqueues until full ... */\n                                     bq_flush_to_queue(bq)\n                                       spin_lock(&q-\u003eproducer_lock)\n                                       /* flush to ptr_ring */\n                                       spin_unlock(&q-\u003eproducer_lock)\n                                       __list_del_clearprev(flush_node)\n                                         /* sets flush_node.prev = NULL */\n    \u003c-- Task A resumes --\u003e\n    __list_del_clearprev(flush_node)\n      flush_node.prev-\u003enext = ...\n      /* prev is NULL -\u003e kernel oops */\n\nFix this by adding a local_lock_t to xdp_bulk_queue and acquiring it\nin bq_enqueue() and __cpu_map_flush(). These paths already run under\nlocal_bh_disable(), so use local_lock_nested_bh() which on non-RT is\na pure annotation with no overhead, and on PREEMPT_RT provides a\nper-CPU sleeping lock that serializes access to the bq.\n\nTo reproduce, insert an mdelay(100) between bq-\u003ecount = 0 and\n__list_del_clearprev() in bq_flush_to_queue(), then run reproducer\nprovided by syzkaller.","modified":"2026-04-02T13:12:22.298673Z","published":"2026-03-25T10:27:30.285Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23342.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7466ae2aeed483de80c5d8dea0913cf74038b652"},{"type":"WEB","url":"https://git.kernel.org/stable/c/869c63d5975d55e97f6b168e885452b3da20ea47"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e67299e1044349ad0088d52c6bc5764cc1816c06"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23342.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23342"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3253cb49cbad4772389d6ef55be75db1f97da910"},{"fixed":"7466ae2aeed483de80c5d8dea0913cf74038b652"},{"fixed":"e67299e1044349ad0088d52c6bc5764cc1816c06"},{"fixed":"869c63d5975d55e97f6b168e885452b3da20ea47"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23342.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.18.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23342.json"}}],"schema_version":"1.7.5"}