CVE-2026-22994

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix reference count leak in bpf_prog_test_run_xdp()<br /> <br /> syzbot is reporting<br /> <br /> unregister_netdevice: waiting for sit0 to become free. Usage count = 2<br /> <br /> problem. A debug printk() patch found that a refcount is obtained at<br /> xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().<br /> <br /> According to commit ec94670fcb3b ("bpf: Support specifying ingress via<br /> xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by<br /> xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().<br /> <br /> Therefore, we can consider that the error handling path introduced by<br /> commit 1c1949982524 ("bpf: introduce frags support to<br /> bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().