CVE-2026-31396

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: macb: fix use-after-free access to PTP clock<br /> <br /> PTP clock is registered on every opening of the interface and destroyed on<br /> every closing. However it may be accessed via get_ts_info ethtool call<br /> which is possible while the interface is just present in the kernel.<br /> <br /> BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426<br /> Read of size 4 at addr ffff8880194345cc by task syz.0.6/948<br /> <br /> CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:316 [inline]<br /> print_report+0x17f/0x496 mm/kasan/report.c:420<br /> kasan_report+0xd9/0x180 mm/kasan/report.c:524<br /> ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426<br /> gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349<br /> macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371<br /> __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558<br /> ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]<br /> __dev_ethtool net/ethtool/ioctl.c:3017 [inline]<br /> dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095<br /> dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510<br /> sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215<br /> sock_ioctl+0x577/0x6d0 net/socket.c:1320<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:870 [inline]<br /> __se_sys_ioctl fs/ioctl.c:856 [inline]<br /> __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856<br /> do_syscall_x64 arch/x86/entry/common.c:46 [inline]<br /> do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> <br /> <br /> Allocated by task 457:<br /> kmalloc include/linux/slab.h:563 [inline]<br /> kzalloc include/linux/slab.h:699 [inline]<br /> ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235<br /> gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375<br /> macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920<br /> __dev_open+0x2ce/0x500 net/core/dev.c:1501<br /> __dev_change_flags+0x56a/0x740 net/core/dev.c:8651<br /> dev_change_flags+0x92/0x170 net/core/dev.c:8722<br /> do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833<br /> __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608<br /> rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655<br /> rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150<br /> netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]<br /> netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344<br /> netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872<br /> sock_sendmsg_nosec net/socket.c:718 [inline]<br /> __sock_sendmsg+0x14b/0x180 net/socket.c:730<br /> __sys_sendto+0x320/0x3b0 net/socket.c:2152<br /> __do_sys_sendto net/socket.c:2164 [inline]<br /> __se_sys_sendto net/socket.c:2160 [inline]<br /> __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160<br /> do_syscall_x64 arch/x86/entry/common.c:46 [inline]<br /> do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> <br /> Freed by task 938:<br /> kasan_slab_free include/linux/kasan.h:177 [inline]<br /> slab_free_hook mm/slub.c:1729 [inline]<br /> slab_free_freelist_hook mm/slub.c:1755 [inline]<br /> slab_free mm/slub.c:3687 [inline]<br /> __kmem_cache_free+0xbc/0x320 mm/slub.c:3700<br /> device_release+0xa0/0x240 drivers/base/core.c:2507<br /> kobject_cleanup lib/kobject.c:681 [inline]<br /> kobject_release lib/kobject.c:712 [inline]<br /> kref_put include/linux/kref.h:65 [inline]<br /> kobject_put+0x1cd/0x350 lib/kobject.c:729<br /> put_device+0x1b/0x30 drivers/base/core.c:3805<br /> ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391<br /> gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404<br /> macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966<br /> __dev_close_many+0x1b9/0x310 net/core/dev.c:1585<br /> __dev_close net/core/dev.c:1597 [inline]<br /> __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649<br /> dev_change_fl<br /> ---truncated---