In the Linux kernel, the following vulnerability has been resolved:
xdp: use flags field to disambiguate broadcast redirect
When redirecting a packet using XDP, the bpfredirectmap() helper will set up the redirect destination information in struct bpfredirectinfo (using the _bpfxdpredirectmap() helper function), and the xdpdoredirect() function will read this information after the XDP program returns and pass the frame on to the right redirect destination.
When using the BPFFBROADCAST flag to do multicast redirect to a whole map, _bpfxdpredirectmap() sets the 'map' pointer in struct bpfredirectinfo to point to the destination map to be broadcast. And xdpdoredirect() reacts to the value of this map pointer to decide whether it's dealing with a broadcast or a single-value redirect. However, if the destination map is being destroyed before xdpdoredirect() is called, the map pointer will be cleared out (by bpfclearredirectmap()) without waiting for any XDP programs to stop running. This causes xdpdoredirect() to think that the redirect was to a single target, but the target pointer is also NULL (since broadcast redirects don't have a single target), so this causes a crash when a NULL pointer is passed to devmap_enqueue().
To fix this, change xdpdoredirect() to react directly to the presence of the BPFFBROADCAST flag in the 'flags' value in struct bpfredirectinfo to disambiguate between a single-target and a broadcast redirect. And only read the 'map' pointer if the broadcast flag is set, aborting if that has been cleared out in the meantime. This prevents the crash, while keeping the atomic (cmpxchg-based) clearing of the map pointer itself, and without adding any more checks in the non-broadcast fast path.