CVE-2026-31526

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/04/2026
Last modified:
22/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix exception exit lock checking for subprogs

process_bpf_exit_full() passes check_lock = !curframe to check_resource_leak(), which is false in cases when bpf_throw() is called from a static subprog. This makes check_resource_leak() to skip validation of active_rcu_locks, active_preempt_locks, and active_irq_id on exception exits from subprogs.

At runtime bpf_throw() unwinds the stack via ORC without releasing any user-acquired locks, which may cause various issues as the result.

Fix by setting check_lock = true for exception exits regardless of curframe, since exceptions bypass all intermediate frame cleanup. Update the error message prefix to "bpf_throw" for exception exits to distinguish them from normal BPF_EXIT.

Fix reject_subprog_with_rcu_read_lock test which was previously passing for the wrong reason. Test program returned directly from the subprog call without closing the RCU section, so the error was triggered by the unclosed RCU lock on normal exit, not by bpf_throw. Update __msg annotations for affected tests to match the new "bpf_throw" error prefix.

The spin_lock case is not affected because they are already checked [1] at the call site in do_check_insn() before bpf_throw can run.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098
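The check_lock decision described above, as a simplified model added here for illustration; it is not the kernel's verifier code. The struct and the model_* functions are hypothetical, only the field names come from the description, and the model covers the lock-state part of the check alone.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, reduced verifier state; field names follow the description. */
struct model_state {
    int curframe;              /* 0 = main program, >0 = inside a subprog */
    int active_rcu_locks;
    int active_preempt_locks;
    int active_irq_id;
};

/* Model of the lock part of check_resource_leak(): lock state is inspected
 * only when check_lock is set. Returns 0 = accepted, -1 = rejected. */
static int model_check_resource_leak(const struct model_state *st, bool check_lock)
{
    if (!check_lock)
        return 0;
    if (st->active_rcu_locks || st->active_preempt_locks || st->active_irq_id)
        return -1;
    return 0;
}

/* Before the fix: check_lock = !curframe for every kind of exit. */
static int model_exit_before(const struct model_state *st, bool exception_exit)
{
    (void)exception_exit;      /* exit kind was not taken into account */
    return model_check_resource_leak(st, !st->curframe);
}

/* After the fix: exception exits always validate lock state. */
static int model_exit_after(const struct model_state *st, bool exception_exit)
{
    return model_check_resource_leak(st, exception_exit || !st->curframe);
}

int main(void)
{
    /* Constructed case: bpf_throw() from a static subprog, RCU section open. */
    struct model_state st = { .curframe = 1, .active_rcu_locks = 1 };

    printf("exception exit in subprog: before=%d after=%d\n",
           model_exit_before(&st, true), model_exit_after(&st, true));
    /* A normal subprog exit is still deferred to the outer frame's check. */
    printf("normal exit in subprog:    after=%d\n",
           model_exit_after(&st, false));
    return 0;
}
```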

Impact