[SRU][J/N/Q][PATCH 0/1] CVE-2026-31504

[Tim Whisonant]

SRU Justification:

[Impact]

net: fix fanout UAF in packet_release() via NETDEV_UP race

`packet_release()` has a race window where `NETDEV_UP` can re-register a
socket into a fanout group's `arr[]` array. The re-registration is not
cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
array.
`packet_release()` does NOT zero `po->num` in its `bind_lock` section.
After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
that already found the socket in `sklist` can re-register the hook.
For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
which adds the socket back into `f->arr[]` and increments `f->num_members`,
but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based
on CVE-2025-38617.

[Fix]

Resolute: not affected
Questing: applied Jammy patch
Noble:    applied Jammy patch
Jammy:    cherry picked from upstream
Focal:    sent to forgejo
Bionic:   sent to forgejo
Xenial:   sent to forgejo
Trusty:   won't fix

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The change affects the AF_PACKET socket cleanup routine in order
to prevent a race condition between cleanup and NETDEV_UP. Issues
would affect only these AF_PACKET socket types.

Yochai Eisenrich (1):
  net: fix fanout UAF in packet_release() via NETDEV_UP race

 net/packet/af_packet.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.43.0