[PATCH openEuler-1.0-LTS] net: fix fanout UAF in packet_release() via NETDEV_UP race
From: Yochai Eisenrich <echelonh@gmail.com>

mainline inclusion
from mainline-v7.0-rc6
commit 42156f93d123436f2a27c468f18c966b7e5db796
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14240--cate
CVE: CVE-2026-31504
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

`packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array.

`packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)`, which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`.

The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, closing the race window.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.

Fixes: ce06b03e60fc ("packet: Add helpers to register/unregister ->prot_hook")
Link: https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260319200610.25101-1-echelonh@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Conflicts:
	net/packet/af_packet.c
[conflicts due to not merging f1d9268e0618 ("net: add net device refcount tracker to struct packet_type"), d62607c3fe45 ("net: rename reference+tracking helpers") and b3cb764aa1d7 ("net: drop nopreempt requirement on sock_prot_inuse_add()").]
Signed-off-by: Li Xiasong <lixiasong1@huawei.com> --- net/packet/af_packet.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 3938c9df92da..f8f8728cff53 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3052,6 +3052,7 @@ static int packet_release(struct socket *sock) spin_lock(&po->bind_lock); unregister_prot_hook(sk, false); + WRITE_ONCE(po->num, 0); packet_cached_dev_reset(po); if (po->prot_hook.dev) { -- 2.34.1
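Review bot: the `WRITE_ONCE(po->num, 0)` lands inside the `bind_lock` section of `packet_release()`, between `unregister_prot_hook(sk, false)` and `packet_cached_dev_reset(po)`, which is what the commit message requires; please confirm in this tree that the `NETDEV_UP` path in `packet_notifier()` tests `po->num` under the same `bind_lock` before calling `register_prot_hook()`, since zeroing `num` only closes the window if that check is the gate the notifier actually uses. Two smaller points: the `WRITE_ONCE()` annotation implies lockless readers of `po->num` exist and use `READ_ONCE()`; if this tree lacks those annotations the write is still correct but the pairing should be stated in the backport note. The Conflicts block lists three unmerged commits for a one-line hunk, so it would help to say explicitly that the conflict is context-only and the inserted line is identical to mainline.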
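The interleaving the commit message describes, as an added userspace model that is not kernel code and not part of the patch or the openEuler tree. The structs and helpers (`packet_fanout`, `packet_sock`, `fanout_link`, `register_prot_hook`, the two halves of `packet_release`) are simplified stand-ins for the af_packet internals named in the commit message (`po->num`, `po->ifindex`, `f->arr[]`, `f->num_members`, `f->sk_ref`); the gate `if (po->ifindex == ifindex && po->num)` in the notifier model is an assumption drawn from the commit message, and the race is forced as a fixed sequence rather than run on two CPUs.

```c
/* Added example: userspace model of the packet_release() / NETDEV_UP race.
 * Not kernel code; names and layouts are simplified stand-ins (assumptions)
 * for the af_packet fields the commit message names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FANOUT_MAX 4

struct packet_sock;

struct packet_fanout {
    struct packet_sock *arr[FANOUT_MAX]; /* f->arr[]: sockets the demux can pick */
    int num_members;                     /* f->num_members */
    int sk_ref;                          /* f->sk_ref: sockets holding a reference */
};

struct packet_sock {
    int num;                    /* bound protocol; 0 means unbound */
    int ifindex;                /* bound device */
    bool running;               /* prot hook currently registered */
    struct packet_fanout *fanout;
};

/* __fanout_link(): appends to arr[] and bumps num_members, never sk_ref. */
static void fanout_link(struct packet_fanout *f, struct packet_sock *po)
{
    f->arr[f->num_members++] = po;
}

/* __fanout_unlink(): swap-remove from arr[]. */
static void fanout_unlink(struct packet_fanout *f, struct packet_sock *po)
{
    for (int i = 0; i < f->num_members; i++) {
        if (f->arr[i] == po) {
            f->arr[i] = f->arr[--f->num_members];
            f->arr[f->num_members] = NULL;
            return;
        }
    }
}

static void register_prot_hook(struct packet_sock *po)
{
    if (po->running)
        return;
    if (po->fanout)
        fanout_link(po->fanout, po);   /* fanout socket: link instead of dev_add_pack */
    po->running = true;
}

static void unregister_prot_hook(struct packet_sock *po)
{
    if (!po->running)
        return;
    if (po->fanout)
        fanout_unlink(po->fanout, po);
    po->running = false;
}

/* packet_release(), bind_lock section. 'fixed' applies the patch's one line. */
static void packet_release_bind_section(struct packet_sock *po, bool fixed)
{
    /* spin_lock(&po->bind_lock); */
    unregister_prot_hook(po);
    if (fixed)
        po->num = 0;               /* WRITE_ONCE(po->num, 0) */
    /* spin_unlock(&po->bind_lock); */
}

/* packet_notifier(NETDEV_UP) for a socket already found in sklist.
 * Assumption: it re-registers only when ifindex matches and po->num != 0. */
static void packet_notifier_netdev_up(struct packet_sock *po, int ifindex)
{
    /* spin_lock(&po->bind_lock); */
    if (po->ifindex == ifindex && po->num)
        register_prot_hook(po);
    /* spin_unlock(&po->bind_lock); */
}

/* fanout_release(): drops sk_ref and clears po->fanout; does not touch arr[]. */
static void packet_release_fanout_section(struct packet_sock *po)
{
    struct packet_fanout *f = po->fanout;
    if (f) {
        po->fanout = NULL;
        f->sk_ref--;
    }
}

/* Force the interleaving and report whether arr[] still points at the
 * socket that is about to be freed (the dangling pointer). */
static bool socket_dangles_after_release(bool fixed)
{
    struct packet_fanout f;
    struct packet_sock victim = { .num = 3, .ifindex = 2, .running = false, .fanout = &f };
    struct packet_sock other  = { .num = 3, .ifindex = 2, .running = false, .fanout = &f };

    memset(&f, 0, sizeof f);
    f.sk_ref = 2;                          /* both sockets joined the group */
    register_prot_hook(&victim);
    register_prot_hook(&other);

    packet_release_bind_section(&victim, fixed);   /* CPU 0: close() starts   */
    packet_notifier_netdev_up(&victim, 2);          /* CPU 1: NETDEV_UP races  */
    packet_release_fanout_section(&victim);         /* CPU 0: sock freed next  */

    for (int i = 0; i < f.num_members; i++)
        if (f.arr[i] == &victim)
            return true;
    return false;
}

int main(void)
{
    printf("unpatched: dangling=%d\n", socket_dangles_after_release(false));
    printf("patched:   dangling=%d\n", socket_dangles_after_release(true));
    return 0;
}
```

Without the patch the notifier finds `num` still set, re-links the socket and leaves `num_members` one higher than `sk_ref`; the later `fanout_release()` only drops the reference, so `arr[]` keeps pointing at memory that is freed right after. With `num` zeroed under `bind_lock`, the notifier's gate fails and the array stays consistent.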
Feedback: the patch(es) you sent to kernel@openeuler.org could not be converted to a PR.
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/7PJ...
Failure reason: creating the PR through the atomgit API failed with: Another open merge request already exists for this source branch: !22122
Suggested solution: please wait; the bot will retry in the next interval.
Feedback: the patch(es) you sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully.
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/22123
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/7PJ...
participants (2)
- Li Xiasong
- patchwork bot