CVE-2026-43009
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2026
Last modified:
07/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix incorrect pruning due to atomic fetch precision tracking

When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC
and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as
a destination, thus receiving the old value from the memory location.

The current backtracking logic does not account for this. It treats
atomic fetch operations the same as regular stores where the src
register is only an input. This leads the backtrack_insn to fail to
propagate precision to the stack location, which is then not marked
as precise!

Later, the verifier's path pruning can incorrectly consider two states
equivalent when they differ in terms of stack state. Meaning, two
branches can be treated as equivalent and thus get pruned when they
should not be seen as such.

Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to
also cover atomic fetch operations via is_atomic_fetch_insn() helper.
When the fetch dst register is being tracked for precision, clear it,
and propagate precision over to the stack slot. For non-stack memory,
the precision walk stops at the atomic instruction, same as regular
BPF_LDX. This covers all fetch variants.

Before:

0: (b7) r1 = 8 ; R1=8
1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
2: (b7) r2 = 0 ; R2=0
3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
4: (bf) r3 = r10 ; R3=fp0 R10=fp0
5: (0f) r3 += r2
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0
6: R2=8 R3=fp8
6: (b7) r0 = 0 ; R0=0
7: (95) exit

After:

0: (b7) r1 = 8 ; R1=8
1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
2: (b7) r2 = 0 ; R2=0
3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
4: (bf) r3 = r10 ; R3=fp0 R10=fp0
5: (0f) r3 += r2
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0
mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1
mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8
6: R2=8 R3=fp8
6: (b7) r0 = 0 ; R0=0
7: (95) exit
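
The two `mark_precise` walks above can be reproduced with a small model of the backward precision walk. This is an added example, not kernel code and not part of the original commit: the instruction kinds, the `backtrack` function and its `fixed` switch are names invented here, and the rules are a deliberately simplified stand-in for `backtrack_insn`.

```c
#include <stdio.h>

/* Toy instruction kinds; names are this example's, not kernel definitions. */
enum kind { MOV_IMM, MOV_REG, STX_STACK, ATOMIC_FETCH_STACK };
struct insn { enum kind k; int dst, src, slot; };

/* Constructed from the page's trace, insns 0..4; slot 0 stands for fp-8. */
static const struct insn prog[] = {
    { MOV_IMM, 1, 0, 0 },            /* 0: r1 = 8 */
    { STX_STACK, 0, 1, 0 },          /* 1: *(u64 *)(r10 -8) = r1 */
    { MOV_IMM, 2, 0, 0 },            /* 2: r2 = 0 */
    { ATOMIC_FETCH_STACK, 0, 2, 0 }, /* 3: r2 = atomic64_fetch_add(fp-8, r2) */
    { MOV_REG, 3, 10, 0 },           /* 4: r3 = r10 */
};

/* Walk backwards from insn `from` with `regs` tracked for precision.
 * Returns a bitmask of stack slots that were marked precise on the way;
 * *visited counts the instructions inspected before the masks emptied. */
static unsigned backtrack(int from, unsigned regs, int fixed, int *visited)
{
    unsigned stack = 0, precise_slots = 0;
    *visited = 0;
    for (int i = from; i >= 0 && (regs || stack); i--, (*visited)++) {
        const struct insn *in = &prog[i];
        unsigned d = 1u << in->dst, s = 1u << in->src, m = 1u << in->slot;
        switch (in->k) {
        case MOV_IMM: regs &= ~d; break; /* chain ends at a constant */
        case MOV_REG: if (regs & d) { regs &= ~d; if (in->src != 10) regs |= s; } break;
        case STX_STACK: if (stack & m) { stack &= ~m; regs |= s; } break;
        case ATOMIC_FETCH_STACK:
            if (fixed && (regs & s)) { regs &= ~s; stack |= m; precise_slots |= m; }
            else if (!fixed && (stack & m)) { stack &= ~m; regs |= s; } /* store-only view */
            break;
        }
    }
    return precise_slots;
}

int main(void)
{
    int n;
    unsigned before = backtrack(4, 1u << 2, 0, &n);
    printf("before fix: precise slots=%#x, insns walked=%d\n", before, n);
    unsigned after = backtrack(4, 1u << 2, 1, &n);
    printf("after fix:  precise slots=%#x, insns walked=%d\n", after, n);
    return 0;
}
```

With `fixed` set to 0 the walk ends at insn 2 without ever touching fp-8, matching the three `mark_precise` lines in the "Before" log; with `fixed` set to 1 it continues through insns 1 and 0 as in the "After" log.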
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 6.19.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | | |
To consult the complete list of CPE names with products and versions, see this page



