CVE-2026-53111

In the Linux kernel, the following vulnerability has been resolved:

bpf: test run: Fix the null pointer dereference issue in bpf lwt xmit push encap

The bpf lwt xmit push encap helper needs to access skb dst(skb)->dev to calculate the needed headroom:

err = skb cow head(skb,
		  len + LL RESERVED SPACE(skb dst(skb)->dev));

But skb-> skb refdst may not be initialized when the skb is set up by bpf prog test run skb function. Executing bpf lwt push ip encap function in this scenario will trigger null pointer dereference, causing a kernel crash as Yinhao reported:

[ 105.186365] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 105.186382] #PF: supervisor read access in kernel mode [ 105.186388] #PF: error code(0x0000) - not-present page [ 105.186393] PGD 121d3d067 P4D 121d3d067 PUD 106c83067 PMD 0 [ 105.186404] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 105.186412] CPU: 3 PID: 3250 Comm: poc Kdump: loaded Not tainted 6.19.0-rc5 #1 [ 105.186423] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.186427] RIP: 0010:bpf lwt push ip encap+0x1eb/0x520 [ 105.186443] Code: 0f 84 de 01 00 00 0f b7 4a 04 66 85 c9 0f 85 47 01 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8b 73 58 48 83 e6 fe <48> 8b 36 0f b7 be ec 00 00 00 0f b7 b6 e6 00 00 00 01 fe 83 e6 f0 [ 105.186449] RSP: 0018:ffffbb0e0387bc50 EFLAGS: 00010246 [ 105.186455] RAX: 000000000000004e RBX: ffff94c74e036500 RCX: ffff94c74874da00 [ 105.186460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff94c74e036500 [ 105.186463] RBP: 0000000000000001 R08: 0000000000000002 R09: 0000000000000000 [ 105.186467] R10: ffffbb0e0387bd50 R11: 0000000000000000 R12: ffffbb0e0387bc98 [ 105.186471] R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000002 [ 105.186484] FS: 00007f166aa4d680(0000) GS:ffff94c8b7780000(0000) knlGS:0000000000000000 [ 105.186490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 105.186494] CR2: 0000000000000000 CR3: 000000015eade001 CR4: 0000000000770ee0 [ 105.186499] PKRU: 55555554 [ 105.186502] Call Trace: [ 105.186507] [ 105.186513] bpf lwt xmit push encap+0x2b/0x40 [ 105.186522] bpf prog a75eaad51e517912+0x41/0x49 [ 105.186536] ? kvm clock get cycles+0x18/0x30 [ 105.186547] ? ktime get+0x3c/0xa0 [ 105.186554] bpf test run+0x195/0x320 [ 105.186563] ? bpf test run+0x10f/0x320 [ 105.186579] bpf prog test run skb+0x2f5/0x4f0 [ 105.186590] sys bpf+0x69c/0xa40 [ 105.186603] x64 sys bpf+0x1e/0x30 [ 105.186611] do syscall 64+0x59/0x110 [ 105.186620] entry SYSCALL 64 after hwframe+0x76/0xe0 [ 105.186649] RIP: 0033:0x7f166a97455d

Temporarily add the setting of skb-> skb refdst before bpf test run to resolve the issue.