PT-2026-51990 · Linux · Linux

Published: 2026-06-24 · Updated: 2026-06-24 · CVE-2026-53096

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:

bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path

The DEVMAP_HASH branch in dev_map_redirect_multi() uses hlist_for_each_entry_safe() to iterate hash buckets, but this function runs under RCU protection (called from xdp_do_generic_redirect_map() in softirq context). Concurrent writers (__dev_map_hash_update_elem, dev_map_hash_delete_elem) modify the list using RCU primitives (hlist_add_head_rcu, hlist_del_rcu).

hlist_for_each_entry_safe() performs plain pointer dereferences without rcu_dereference(), missing the acquire barrier needed to pair with writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64, POWER), a reader can observe a partially-constructed node. It also defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race detection.

Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held() as the lockdep condition, consistent with the rcu_dereference_check() used in the DEVMAP (non-hash) branch of the same functions. Also fix the same incorrect lockdep_is_held(&dtab->index_lock) condition in dev_map_enqueue_multi(), where the lock is not held either.
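
The writer/reader pairing the description relies on, as an added userspace model in C (not kernel code and not part of the fix). C11 release stores and acquire loads stand in for rcu_assign_pointer() and rcu_dereference(), the bucket is simplified to a singly linked list, and every model_* name is hypothetical.

```c
/* Added userspace model, not kernel code; model_* names are hypothetical. */
#include <stdatomic.h>
#include <stddef.h>
struct node { int ifindex; _Atomic(struct node *) next; };
struct bucket { _Atomic(struct node *) first; };
#define LOAD(p, order) atomic_load_explicit((p), memory_order_##order)
#define STORE(p, v, order) atomic_store_explicit((p), (v), memory_order_##order)

/* Writer, models hlist_add_head_rcu(): fill in the node, then publish it
 * with a release store (the role of rcu_assign_pointer()). */
static void model_add_head_rcu(struct bucket *b, struct node *n, int ifindex)
{
    n->ifindex = ifindex;
    STORE(&n->next, LOAD(&b->first, relaxed), relaxed);
    STORE(&b->first, n, release);
}

/* Writer, models hlist_del_rcu(): unlink n but leave n->next intact, so a
 * reader already standing on n can still reach the rest of the bucket. */
static void model_del_rcu(struct bucket *b, struct node *n)
{
    _Atomic(struct node *) *pp = &b->first;
    struct node *cur;
    while ((cur = LOAD(pp, relaxed)) != NULL && cur != n)
        pp = &cur->next;
    if (cur != NULL)
        STORE(pp, LOAD(&n->next, relaxed), release);
}

/* Reader, models hlist_for_each_entry_rcu(): acquire loads (stand-in for
 * rcu_dereference()) pair with the writer's release, so a visible node is initialised. */
static int model_walk_rcu(struct bucket *b, int *out, int max)
{
    int n = 0;
    for (struct node *p = LOAD(&b->first, acquire); p != NULL && n < max;
         p = LOAD(&p->next, acquire))
        out[n++] = p->ifindex;
    return n;   /* number of entries visited */
}

int main(void)
{
    struct bucket b = { NULL };
    struct node a = { 0 }, c = { 0 };
    int seen[4];
    model_add_head_rcu(&b, &a, 3);
    model_add_head_rcu(&b, &c, 7);
    model_del_rcu(&b, &a);
    return (model_walk_rcu(&b, seen, 4) == 1 && seen[0] == 7) ? 0 : 1;
}
```

Replacing the acquire loads in model_walk_rcu() with plain reads reproduces the shape of the reported defect: nothing then orders the read of ifindex after the read of the pointer that published it.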

Related identifiers

CVE-2026-53096

Affected products

Linux