PT-2026-51979 · Linux · Linux
Published: 2026-06-24 · Updated: 2026-06-24
CVE-2026-53085
Severity: None
No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix mm lifecycle in open-coded task vma iterator

The open-coded task vma iterator reads task->mm locklessly and acquires
mmap_read_trylock() but never calls mmget(). If the task exits
concurrently, the mm_struct can be freed as it is not
SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.

Safely read task->mm with a trylock on alloc_lock and acquire an mm
reference. Drop the reference via bpf_iter_mmput_async() in destroy()
and error paths. bpf_iter_mmput_async() is a local wrapper around
mmput_async() with a fallback to mmput() on !CONFIG_MMU.

Reject irqs-disabled contexts (including NMI) up front. Operations used
by next() and destroy() (mmap_read_unlock, bpf_iter_mmput_async)
take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from
NMI or from a tracepoint that fires with those locks held could
deadlock.

A trylock on alloc_lock is used instead of the blocking task_lock()
(get_task_mm) to avoid a deadlock when a softirq BPF program iterates
a task that already holds its alloc_lock on the same CPU.
Related identifiers
Affected products
Linux