PT-2026-52355 · Linux · Linux

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53260

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().
syzbot reported a weird reqsk->rsk_refcnt underflow in inet_csk_reqsk_queue_drop(). [0]
The captured reqsk_put() in inet_csk_reqsk_queue_drop() is called only when it successfully removes reqsk from ehash.
Moreover, reqsk_timer_handler() calls another reqsk_put() after that.
This indicates that the reqsk was missing both refcnts for ehash and the timer itself.
Since all the syzbot reports had PREEMPT_RT enabled, the only possible scenario is that reqsk_queue_hash_req() is preempted after mod_timer() and before refcount_set(), and then the timer triggered after 1s aborts the reqsk due to its listener's close().
Let's wrap mod_timer() and refcount_set() with preempt_disable_nested() and preempt_enable_nested().
Note that inet_ehash_insert() holds the normal spin_lock() (mutex in PREEMPT_RT), so it must be called outside of preempt_disable_nested(), but this is fine.
The lookup path just ignores 0 sk_refcnt entries in ehash and tries to create another reqsk, but this will fail at inet_ehash_insert().
[0]:
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: ktimers/0/16
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 reqsk_put include/net/request_sock.h:136 [inline]
 inet_csk_reqsk_queue_drop+0x3ce/0x440 net/ipv4/inet_connection_sock.c:1007
 reqsk_timer_handler+0x651/0xdf0 net/ipv4/inet_connection_sock.c:1137
 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0x67/0x170 kernel/time/timer.c:2403
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0x69/0x100 kernel/softirq.c:1151
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Related Identifiers

CVE-2026-53260

Affected Products

Linux