DEBIAN-CVE-2026-23192

In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __devput() in callers to prevent UAF After linkwatchdo_dev() calls __devput() to release the linkwatch reference, the device refcount may drop to 1. At this point, netdevrun_todo() can proceed (since linkwatchsyncdev() sees an empty list and returns without blocking), wait for the refcount to become 1 via netdevwaitallrefsany(), and then free the device via kobjectput(). This creates a use-after-free when __linkwatchrunqueue() tries to call netdev_unlockops() on the already-freed device. Note that adding netdevlockops()/netdevunlockops() pair in netdevruntodo() before kobjectput() would not work, because netdevlockops() is conditional - it only locks when netdevneedopslock() returns true. If the device doesn't require opslock, linkwatch won't hold any lock, and netdevruntodo() acquiring the lock won't provide synchronization. Fix this by moving __devput() from linkwatchdo_dev() to its callers. The device reference logically pairs with de-listing the device, so it's reasonable for the caller that did the de-listing to release it. This allows placing __devput() after all device accesses are complete, preventing UAF. The bug can be reproduced by adding mdelay(2000) after linkwatchdo_dev() in __linkwatchrunqueue(), then running: ip tuntap add mode tun name tuntest ip link set tuntest up ip link set tuntest carrier off ip link set tuntest carrier on sleep 0.5 ip tuntap del mode tun name tuntest KASAN report: ================================================================== BUG: KASAN: use-after-free in netdevneedopslock include/net/netdevlock.h:33 [inline] BUG: KASAN: use-after-free in netdevunlockops include/net/netdevlock.h:47 [inline] BUG: KASAN: use-after-free in __linkwatchrunqueue+0x865/0x8a0 net/core/linkwatch.c:245 Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123 CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: eventsunbound linkwatch_event Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x100/0x190 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x156/0x4c9 mm/kasan/report.c:482 kasanreport+0xdf/0x1a0 mm/kasan/report.c:595 netdevneedopslock include/net/netdevlock.h:33 [inline] netdevunlockops include/net/netdevlock.h:47 [inline] __linkwatchrunqueue+0x865/0x8a0 net/core/linkwatch.c:245 linkwatchevent+0x8f/0xc0 net/core/linkwatch.c:304 processonework+0x9c2/0x1840 kernel/workqueue.c:3257 processscheduledworks kernel/workqueue.c:3340 [inline] workerthread+0x5da/0xe40 kernel/workqueue.c:3421 kthread+0x3b3/0x730 kernel/kthread.c:463 retfromfork+0x754/0xaf0 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:246 </TASK> ==================================================================