CVE-2026-23255

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: add proper RCU protection to /proc/net/ptype<br /> <br /> Yin Fengwei reported an RCU stall in ptype_seq_show() and provided<br /> a patch.<br /> <br /> Real issue is that ptype_seq_next() and ptype_seq_show() violate<br /> RCU rules.<br /> <br /> ptype_seq_show() runs under rcu_read_lock(), and reads pt-&gt;dev<br /> to get device name without any barrier.<br /> <br /> At the same time, concurrent writers can remove a packet_type structure<br /> (which is correctly freed after an RCU grace period) and clear pt-&gt;dev<br /> without an RCU grace period.<br /> <br /> Define ptype_iter_state to carry a dev pointer along seq_net_private:<br /> <br /> struct ptype_iter_state {<br /> struct seq_net_private p;<br /> struct net_device *dev; // added in this patch<br /> };<br /> <br /> We need to record the device pointer in ptype_get_idx() and<br /> ptype_seq_next() so that ptype_seq_show() is safe against<br /> concurrent pt-&gt;dev changes.<br /> <br /> We also need to add full RCU protection in ptype_seq_next().<br /> (Missing READ_ONCE() when reading list.next values)<br /> <br /> Many thanks to Dong Chenchen for providing a repro.