CVE-2026-23004

In the Linux kernel, the following vulnerability has been resolved:

dst: fix races in rt6uncachedlistdel() and rtdeluncachedlist()

syzbot was able to crash the kernel in rt6uncachedlistflushdev() in an interesting way [1]

Crash happens in listdelinit()/INITLISTHEAD() while writing list->prev, while the prior write on list->next went well.

static inline void INITLISTHEAD(struct listhead *list) { WRITEONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. }

Issue here is that rt6uncachedlistdel() did not attempt to lock ul->lock, as listempty(&rt->dst.rtuncached) returned true because the WRITEONCE(list->next, list) happened on the other CPU.

We might use listdelinitcareful() and listemptycareful(), or make sure rt6uncachedlistdel() always grabs the spinlock whenever rt->dst.rtuncachedlist has been set.

A similar fix is neeed for IPv4.

[1]

BUG: KASAN: slab-use-after-free in INITLISTHEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in listdelinit include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6uncachedlistflushdev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6disableip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450

CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanupnet Call Trace: <TASK> dumpstacklvl+0xe8/0x150 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xca/0x240 mm/kasan/report.c:482 kasanreport+0x118/0x150 mm/kasan/report.c:595 INITLISTHEAD include/linux/list.h:46 [inline] listdelinit include/linux/list.h:296 [inline] rt6uncachedlistflushdev net/ipv6/route.c:191 [inline] rt6disableip+0x633/0x730 net/ipv6/route.c:5020 addrconfifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconfnotify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifiercallchain+0x19d/0x3a0 kernel/notifier.c:85 callnetdevicenotifiersextack net/core/dev.c:2268 [inline] callnetdevicenotifiers net/core/dev.c:2282 [inline] netifclosemany+0x29c/0x410 net/core/dev.c:1785 unregisternetdevicemanynotify+0xb50/0x2330 net/core/dev.c:12353 opsexitrtnllist net/core/netnamespace.c:187 [inline] opsundolist+0x3dc/0x990 net/core/netnamespace.c:248 cleanupnet+0x4de/0x7b0 net/core/netnamespace.c:696 processonework kernel/workqueue.c:3257 [inline] processscheduledworks+0xad1/0x1770 kernel/workqueue.c:3340 workerthread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 retfromfork+0x510/0xa50 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:246 </TASK>

Allocated by task 803: kasansavestack mm/kasan/common.c:57 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:78 unpoisonslabobject mm/kasan/common.c:340 [inline] __kasanslaballoc+0x6c/0x80 mm/kasan/common.c:366 kasanslaballoc include/linux/kasan.h:253 [inline] slabpostallochook mm/slub.c:4953 [inline] slaballocnode mm/slub.c:5263 [inline] kmemcacheallocnoprof+0x18d/0x6c0 mm/slub.c:5270 dstalloc+0x105/0x170 net/core/dst.c:89 ip6dstalloc net/ipv6/route.c:342 [inline] icmp6dstalloc+0x75/0x460 net/ipv6/route.c:3333 mldsendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mldsendcr net/ipv6/mcast.c:2154 [inline] mldifcwork+0x83e/0xd60 net/ipv6/mcast.c:2693 processonework kernel/workqueue.c:3257 [inline] processscheduledworks+0xad1/0x1770 kernel/workqueue.c:3340 workerthread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 retfromfork+0x510/0xa50 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entr ---truncated---