ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31504

Manuel Diewald manuel.diewald at canonical.com
Mon May 4 14:15:42 UTC 2026


On Tue, Apr 28, 2026 at 04:04:56PM -0700, Tim Whisonant wrote:
> SRU Justification:
> 
> [Impact]
> 
> net: fix fanout UAF in packet_release() via NETDEV_UP race
> 
> `packet_release()` has a race window where `NETDEV_UP` can re-register a
> socket into a fanout group's `arr[]` array. The re-registration is not
> cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
> array.
> 
> `packet_release()` does NOT zero `po->num` in its `bind_lock` section.
> After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
> still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
> that already found the socket in `sklist` can re-register the hook.
> For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
> which adds the socket back into `f->arr[]` and increments `f->num_members`,
> but does NOT increment `f->sk_ref`.
> 
> The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
> held to prevent NETDEV_UP from linking, preventing the race window.
> 
> This bug was found following an additional audit with Claude Code based
> on CVE-2025-38617.
> 
> [Fix]
> 
> Resolute: not affected
> Questing: applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry picked from upstream
> Focal:    sent to forgejo
> Bionic:   sent to forgejo
> Xenial:   sent to forgejo
> Trusty:   won't fix
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The change affects the AF_PACKET socket cleanup routine in order
> to prevent a race condition between cleanup and NETDEV_UP. Issues
> would affect only these AF_PACKET socket types.
> 
> Yochai Eisenrich (1):
>   net: fix fanout UAF in packet_release() via NETDEV_UP race
> 
>  net/packet/af_packet.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald at canonical.com>

-- 
 Manuel
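The following is an added illustration of the race described in the quoted SRU text, not the upstream patch or any code from the kernel tree. It is a single-threaded model in which the two paths are interleaved by hand: the `psock`, `fanout_group`, `register_hook`/`unregister_hook` helpers and the notifier's exact re-link condition are assumptions chosen to mirror the description (bound socket, matching `ifindex`, `__fanout_link` bumping `num_members` but not `sk_ref`). It shows why clearing `po->num` while `bind_lock` is held closes the window: the modelled `NETDEV_UP` handler then sees an unbound socket and does not re-link it.

```c
/* Simplified model of the packet_release() / NETDEV_UP race. Added
 * illustration, NOT kernel code: structures and the notifier condition are
 * assumptions that mirror the SRU description. */
#include <stdbool.h>
#include <stdio.h>

#define FANOUT_MAX 4

struct psock;

/* Model of a fanout group: member array, member count, socket refcount. */
struct fanout_group {
    struct psock *arr[FANOUT_MAX];
    int num_members;
    int sk_ref;
};

/* Model of the per-socket packet state (po). bind_lock is a flag only,
 * because the example is single-threaded and interleaves the paths by hand. */
struct psock {
    int num;                     /* bound protocol; non-zero means "bound" */
    int ifindex;                 /* bound device index */
    bool running;                /* hook currently registered */
    struct fanout_group *fanout; /* group this socket belongs to, if any */
    bool bind_lock_held;
};

/* Model of __fanout_link(): adds the socket to arr[] and bumps num_members,
 * but, as the description notes, does not take an sk_ref. */
static void fanout_link(struct psock *po)
{
    struct fanout_group *f = po->fanout;
    if (f->num_members < FANOUT_MAX)
        f->arr[f->num_members++] = po;
}

/* Model of __fanout_unlink(): removes the socket from arr[]. */
static void fanout_unlink(struct psock *po)
{
    struct fanout_group *f = po->fanout;
    for (int i = 0; i < f->num_members; i++) {
        if (f->arr[i] == po) {
            f->arr[i] = f->arr[f->num_members - 1];
            f->arr[--f->num_members] = NULL;
            return;
        }
    }
}

static void register_hook(struct psock *po)
{
    po->running = true;
    if (po->fanout)
        fanout_link(po);
}

static void unregister_hook(struct psock *po)
{
    po->running = false;
    if (po->fanout)
        fanout_unlink(po);
}

/* Model of packet_notifier(NETDEV_UP): re-registers a socket that is still
 * bound (num != 0) to the device that came up. The condition is an assumption;
 * the description says only that a still-bound socket gets re-linked. */
static void notifier_netdev_up(struct psock *po, int ifindex)
{
    if (po->num && po->ifindex == ifindex && !po->running)
        register_hook(po);
}

/* Model of packet_release() with the race interleaved by hand. zero_num
 * selects the fixed behaviour (po->num = 0 under bind_lock). Returns the
 * group's num_members after release: 0 is correct, 1 means a pointer to the
 * released socket was left behind in arr[]. */
static int packet_release_model(struct psock *po, bool zero_num)
{
    struct fanout_group *f = po->fanout;
    int ifindex = po->ifindex;

    po->bind_lock_held = true;
    unregister_hook(po);
    if (zero_num)
        po->num = 0;             /* the one-line fix */
    po->bind_lock_held = false;

    /* Race window: NETDEV_UP for the bound device fires here. */
    notifier_netdev_up(po, ifindex);

    /* Model of fanout_release(): drop the socket's fanout reference. The
     * re-link above took none, so the entry it added is never removed. */
    f->sk_ref--;
    po->fanout = NULL;           /* socket memory is freed after this point */

    return f->num_members;
}

/* Constructed scenario: one group, one bound socket, then release. */
static int run_scenario(bool fixed)
{
    struct fanout_group f = { .num_members = 0, .sk_ref = 1 };
    struct psock po = { .num = 0x0003, .ifindex = 2, .fanout = &f };
    register_hook(&po);          /* socket joins the group: arr[0] = &po */
    return packet_release_model(&po, fixed);
}

int main(void)
{
    printf("unfixed release: %d stale member(s) left in arr[]\n", run_scenario(false));
    printf("fixed release:   %d stale member(s) left in arr[]\n", run_scenario(true));
    return 0;
}
```

In the unfixed run the notifier finds `num` still set, re-links the socket and leaves `num_members` at 1 with `sk_ref` already at 0, which is the dangling entry the CVE text describes; in the fixed run `num` is 0 when the notifier looks, so nothing is re-linked.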