CVE-2026-23192

In the Linux kernel, the following vulnerability has been resolved:

linkwatch: use _devput() in callers to prevent UAF

After linkwatchdodev() calls _devput() to release the linkwatch reference, the device refcount may drop to 1. At this point, netdevruntodo() can proceed (since linkwatchsyncdev() sees an empty list and returns without blocking), wait for the refcount to become 1 via netdevwaitallrefsany(), and then free the device via kobjectput().

This creates a use-after-free when __linkwatchrunqueue() tries to call netdevunlockops() on the already-freed device.

Note that adding netdevlockops()/netdevunlockops() pair in netdevruntodo() before kobjectput() would not work, because netdevlockops() is conditional - it only locks when netdevneedopslock() returns true. If the device doesn't require opslock, linkwatch won't hold any lock, and netdevrun_todo() acquiring the lock won't provide synchronization.

Fix this by moving __devput() from linkwatchdo_dev() to its callers. The device reference logically pairs with de-listing the device, so it's reasonable for the caller that did the de-listing to release it. This allows placing _devput() after all device accesses are complete, preventing UAF.

The bug can be reproduced by adding mdelay(2000) after linkwatchdodev() in __linkwatchrunqueue(), then running:

ip tuntap add mode tun name tuntest ip link set tuntest up ip link set tuntest carrier off ip link set tuntest carrier on sleep 0.5 ip tuntap del mode tun name tun_test

KASAN report:

================================================================== BUG: KASAN: use-after-free in netdevneedopslock include/net/netdevlock.h:33 [inline] BUG: KASAN: use-after-free in netdevunlockops include/net/netdev_lock.h:47 [inline] BUG: KASAN: use-after-free in _linkwatchrunqueue+0x865/0x8a0 net/core/linkwatch.c:245 Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123

CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: eventsunbound linkwatchevent Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x100/0x190 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x156/0x4c9 mm/kasan/report.c:482 kasanreport+0xdf/0x1a0 mm/kasan/report.c:595 netdevneedopslock include/net/netdevlock.h:33 [inline] netdevunlockops include/net/netdevlock.h:47 [inline] __linkwatchrunqueue+0x865/0x8a0 net/core/linkwatch.c:245 linkwatchevent+0x8f/0xc0 net/core/linkwatch.c:304 processonework+0x9c2/0x1840 kernel/workqueue.c:3257 processscheduledworks kernel/workqueue.c:3340 [inline] workerthread+0x5da/0xe40 kernel/workqueue.c:3421 kthread+0x3b3/0x730 kernel/kthread.c:463 retfromfork+0x754/0xaf0 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:246 </TASK> ==================================================================