CVE-2026-53035

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix af unix iter deadlock

bpf iter unix seq show() may deadlock when lock sock fast() takes the fast path and the iter prog attempts to update a sockmap. Which ends up spinning at sock map update elem()'s bh lock sock():

WARNING: possible recursive locking detected test progs/1393 is trying to acquire lock: ffff88811ec25f58 (slock-AF UNIX){+...}-{3:3}, at: sock map update elem+0xdb/0x1f0

but task is already holding lock: ffff88811ec25f58 (slock-AF UNIX){+...}-{3:3}, at: lock sock fast+0x37/0xe0

other info that might help us debug this: Possible unsafe locking scenario:

CPU0
----

lock(slock-AF UNIX); lock(slock-AF UNIX);

*** DEADLOCK ***

May be due to missing lock nesting notation

4 locks held by test progs/1393: #0: ffff88814b59c790 (&p->lock){+.+.}-{4:4}, at: bpf seq read+0x59/0x10d0 #1: ffff88811ec25fd8 (sk lock-AF UNIX){+.+.}-{0:0}, at: bpf seq read+0x42c/0x10d0 #2: ffff88811ec25f58 (slock-AF UNIX){+...}-{3:3}, at: lock sock fast+0x37/0xe0 #3: ffffffff85a6a7c0 (rcu read lock){....}-{1:3}, at: bpf iter run prog+0x51d/0xb00

Call Trace: dump stack lvl+0x5d/0x80 print deadlock bug.cold+0xc0/0xce lock acquire+0x130f/0x2590 lock acquire+0x14e/0x2b0 raw spin lock+0x30/0x40 sock map update elem+0xdb/0x1f0 bpf prog 2d0075e5d9b721cd dump unix+0x55/0x4f4 bpf iter run prog+0x5b9/0xb00 bpf iter unix seq show+0x1f7/0x2e0 bpf seq read+0x42c/0x10d0 vfs read+0x171/0xb20 ksys read+0xff/0x200 do syscall 64+0x6b/0x3a0 entry SYSCALL 64 after hwframe+0x76/0x7e