APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31504
Edoardo Canepa
edoardo.canepa at canonical.com
Fri May 8 15:20:52 UTC 2026
Applied to J/N/Q:linux/master-next. Thanks.
On 4/29/26 01:04, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> net: fix fanout UAF in packet_release() via NETDEV_UP race
>
> `packet_release()` has a race window where `NETDEV_UP` can re-register a
> socket into a fanout group's `arr[]` array. The re-registration is not
> cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
> array.
> `packet_release()` does NOT zero `po->num` in its `bind_lock` section.
> After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
> still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
> that already found the socket in `sklist` can re-register the hook.
> For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
> which adds the socket back into `f->arr[]` and increments `f->num_members`,
> but does NOT increment `f->sk_ref`.
>
> The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
> held to prevent NETDEV_UP from linking, preventing the race window.
>
> This bug was found following an additional audit with Claude Code based
> on CVE-2025-38617.
>
> [Fix]
>
> Resolute: not affected
> Questing: applied Jammy patch
> Noble: applied Jammy patch
> Jammy: cherry picked from upstream
> Focal: sent to forgejo
> Bionic: sent to forgejo
> Xenial: sent to forgejo
> Trusty: won't fix
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the AF_PACKET socket cleanup routine in order
> to prevent a race condition between cleanup and NETDEV_UP. Issues
> would affect only these AF_PACKET socket types.
>
> Yochai Eisenrich (1):
> net: fix fanout UAF in packet_release() via NETDEV_UP race
>
> net/packet/af_packet.c | 1 +
> 1 file changed, 1 insertion(+)
>
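The interleaving described in the [Impact] section, as an added single-threaded C model (not kernel code, and not part of the original mail or patch). The `_model` structs, `release_locked`, `notifier_up` and `dangling_after_race` are hypothetical names, the protocol number and ifindex are constructed sample values, and the "socket freed" step is represented by a flag.

```c
/* Userspace model of the packet_release() / NETDEV_UP interleaving; illustration only. */
#include <stdbool.h>
#include <stdio.h>

struct sock_model { int num, ifindex; bool freed; };
struct fanout_model { struct sock_model *arr[4]; int num_members, sk_ref; };

/* As reported for __fanout_link(): arr[] and num_members grow, sk_ref does not. */
static void fanout_link(struct fanout_model *f, struct sock_model *po) {
    f->arr[f->num_members++] = po;
}

static void fanout_unlink(struct fanout_model *f, struct sock_model *po) {
    for (int i = 0; i < f->num_members; i++)
        if (f->arr[i] == po) {
            f->arr[i] = f->arr[--f->num_members];
            f->arr[f->num_members] = NULL;
            return;
        }
}

/* Model of the bind_lock section of packet_release(); 'fixed' applies the patch. */
static void release_locked(struct fanout_model *f, struct sock_model *po, bool fixed) {
    fanout_unlink(f, po);
    if (fixed) po->num = 0;   /* the one-line fix: NETDEV_UP can no longer relink */
}

/* Model of packet_notifier(NETDEV_UP) for a socket it already found in sklist. */
static void notifier_up(struct fanout_model *f, struct sock_model *po, int ifindex) {
    if (po->num && po->ifindex == ifindex) fanout_link(f, po);
}

/* Returns how many arr[] slots still point at the released socket. */
int dangling_after_race(bool fixed) {
    struct sock_model po = { .num = 3, .ifindex = 2 };   /* constructed values */
    struct fanout_model f = { .sk_ref = 1 };
    fanout_link(&f, &po);             /* socket joins the fanout group */
    release_locked(&f, &po, fixed);   /* bind_lock held, then dropped */
    notifier_up(&f, &po, 2);          /* NETDEV_UP lands in the window */
    f.sk_ref--;                       /* assumption: release drops the only sk_ref */
    po.freed = true;                  /* stands in for the socket being freed */
    int n = 0;
    for (int i = 0; i < f.num_members; i++) n += f.arr[i]->freed;
    return n;
}

int main(void) {
    printf("unpatched: %d dangling, patched: %d dangling\n",
           dangling_after_race(false), dangling_after_race(true));
    return 0;
}
```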