PT-2026-51988 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-53094
Severity: None
No severity ratings or metrics are available. When they become available, the corresponding information on this page will be updated.
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stale offload->prog pointer after constant blinding

When a dev-bound-only BPF program (BPF_F_XDP_DEV_BOUND_ONLY) undergoes JIT compilation with constant blinding enabled (bpf_jit_harden >= 2), bpf_jit_blind_constants() clones the program. The original prog is then freed in bpf_jit_prog_release_other(), which updates aux->prog to point to the surviving clone, but fails to update offload->prog.

This leaves offload->prog pointing to the freed original program. When the network namespace is subsequently destroyed, cleanup_net() triggers bpf_dev_bound_netdev_unregister(), which iterates ondev->progs and calls bpf_prog_offload_destroy(offload->prog). Accessing the freed prog causes a page fault:

    BUG: unable to handle page fault for address: ffffc900085f1038
    Workqueue: netns cleanup_net
    RIP: 0010:bpf_prog_offload_destroy+0xc/0x80
    Call Trace:
     bpf_offload_dev_netdev_unregister+0x257/0x350
     bpf_dev_bound_netdev_unregister+0x4a/0x90
     unregister_netdevice_many_notify+0x2a2/0x660
     ...
     cleanup_net+0x21a/0x320

The test sequence that triggers this reliably is:

- Set net.core.bpf_jit_harden=2 (echo 2 > /proc/sys/net/core/bpf_jit_harden)
- Run the xdp_metadata selftest, which creates a dev-bound-only XDP program on a veth inside a netns (./test_progs -t xdp_metadata)
- cleanup_net -> page fault in bpf_prog_offload_destroy

Dev-bound-only programs are unique in that they have an offload structure but go through the normal JIT path instead of bpf_prog_offload_compile(). This means they are subject to constant blinding's prog clone-and-replace, while also having offload->prog that must stay in sync.

Fix this by updating offload->prog in bpf_jit_prog_release_other(), alongside the existing aux->prog update. Both are back-pointers to the prog that must be kept in sync when the prog is replaced.
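The stale back-pointer described in the commit message, as an added example that is not part of the advisory or of the kernel source: a small userspace C model of the clone-and-replace step, with the buggy release (only aux->prog repointed) beside the fixed release (both back-pointers repointed). Programs live in a static pool with an "alive" flag instead of being malloc'ed and freed, so the teardown path can detect a stale pointer without a real use-after-free. All structure and function names here (model_prog, model_aux, model_offload, clone_with_blinding, release_other, run_scenario) are constructed for illustration; the kernel's real structures and functions differ.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed userspace model of the bug class: a program object has two
 * back-pointers to it, one in a shared "aux" and one in a shared "offload".
 * Constant blinding clones the program and releases the original, so every
 * back-pointer must be repointed at the survivor. Not kernel code.
 */

struct model_prog;

struct model_aux {
    struct model_prog *prog;        /* stands in for aux->prog */
};

struct model_offload {
    struct model_prog *prog;        /* stands in for offload->prog (dev-bound only) */
};

struct model_prog {
    int alive;                      /* 1 while "allocated", 0 after the modelled free */
    int blinded;
    struct model_aux *aux;          /* shared between original and clone */
    struct model_offload *offload;  /* shared between original and clone, may be NULL */
};

static struct model_prog pool[2];   /* [0] original, [1] blinded clone */

/* Model of bpf_jit_blind_constants(): copy the prog; aux and offload stay shared. */
static struct model_prog *clone_with_blinding(const struct model_prog *orig)
{
    struct model_prog *clone = &pool[1];

    *clone = *orig;
    clone->blinded = 1;
    return clone;
}

/*
 * Model of releasing the original after blinding. With fixed == 0 only the
 * aux back-pointer is updated (the bug); with fixed == 1 the offload
 * back-pointer is updated too (the fix).
 */
static void release_other(struct model_prog *orig, struct model_prog *survivor, int fixed)
{
    orig->aux->prog = survivor;
    if (fixed && orig->offload)
        orig->offload->prog = survivor;
    orig->alive = 0;                /* the modelled free */
}

/*
 * Model of the netns teardown path, which reaches the program only through
 * offload->prog. Returns 1 if that pointer still refers to a live program,
 * 0 if it is stale (where the kernel would fault).
 */
static int teardown_reaches_live_prog(const struct model_offload *offload)
{
    return offload->prog != NULL && offload->prog->alive;
}

/* Runs the full sequence for the chosen variant and returns the teardown result. */
int run_scenario(int fixed)
{
    static struct model_aux aux;
    static struct model_offload offload;
    struct model_prog *orig = &pool[0], *clone;

    orig->alive = 1;
    orig->blinded = 0;
    orig->aux = &aux;
    orig->offload = &offload;       /* dev-bound-only: has an offload structure */
    aux.prog = orig;
    offload.prog = orig;

    clone = clone_with_blinding(orig);
    release_other(orig, clone, fixed);

    return teardown_reaches_live_prog(&offload);
}

int main(void)
{
    printf("buggy release: teardown reaches a live prog? %d\n", run_scenario(0));
    printf("fixed release: teardown reaches a live prog? %d\n", run_scenario(1));
    return 0;
}
```

Running it prints 0 for the buggy variant (offload->prog still names the released original) and 1 for the fixed one. The general lesson is the one the commit message states: when an object is replaced by a clone, every structure that holds a back-pointer to it must be repointed in the same place, not just the one the original author had in mind.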
Related identifiers
Affected products
Linux