PT-2026-51983 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-53089
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix use-after-free in offloaded map/prog info fill
When querying info for an offloaded BPF map or program,
bpf_map_offload_info_fill_ns() and bpf_prog_offload_info_fill_ns()
obtain the network namespace with get_net(dev_net(offmap->netdev)).
However, the associated netdev's netns may be racing with teardown
during netns destruction. If the netns refcount has already reached 0,
get_net() performs a refcount_t increment on 0, triggering:
refcount_t: addition on 0; use-after-free.
Although rtnl_lock and bpf_devs_lock ensure the netdev pointer remains
valid, they cannot prevent the netns refcount from reaching zero.
Fix this by using maybe_get_net() instead of get_net(). maybe_get_net()
uses refcount_inc_not_zero() and returns NULL if the refcount is already
zero, which causes ns_get_path_cb() to fail and the caller to return
-ENOENT -- the correct behavior when the netns is being destroyed.
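Added example, not kernel code and not part of the advisory: a userspace C model of the increment-only-if-nonzero rule that the fix relies on. The `*_model` names, the struct layout and the inode values are assumptions made for illustration, and the model returns -ENOENT directly instead of going through ns_get_path_cb().

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every *_model name is hypothetical, not a kernel symbol. */
struct netns_model {
    atomic_uint refs;      /* stands in for the netns refcount_t */
    unsigned long ino;     /* constructed sample value reported to the caller */
};

/* Same contract as refcount_inc_not_zero(): never move the count off 0. */
static bool inc_not_zero_model(atomic_uint *r)
{
    unsigned int old = atomic_load(r);
    while (old != 0) {
        /* On failure the CAS reloads 'old', so a concurrent drop to 0 is seen. */
        if (atomic_compare_exchange_weak(r, &old, old + 1))
            return true;
    }
    return false;
}

/* Same contract as maybe_get_net(): NULL once teardown has dropped the last ref. */
static struct netns_model *maybe_get_net_model(struct netns_model *ns)
{
    return inc_not_zero_model(&ns->refs) ? ns : NULL;
}

/* Fixed info-fill shape: report the netns only while holding a reference. */
static int info_fill_ns_model(struct netns_model *ns, unsigned long *ino_out)
{
    struct netns_model *held = maybe_get_net_model(ns);
    if (!held)
        return -ENOENT;                /* netns is being destroyed */
    *ino_out = held->ino;
    atomic_fetch_sub(&held->refs, 1);  /* drop the reference again */
    return 0;
}

int main(void)
{
    struct netns_model live = { .refs = 1, .ino = 4026531840UL };   /* constructed */
    struct netns_model dying = { .refs = 0, .ino = 4026532000UL };  /* constructed */
    unsigned long ino = 0;
    printf("live:  %d\n", info_fill_ns_model(&live, &ino));
    printf("dying: %d\n", info_fill_ns_model(&dying, &ino));
    return 0;
}
```

The dying namespace's count stays at 0 after the call, which is the property an unconditional increment would violate.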
Affected Products
Linux