CVE-2026-31644

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()<br /> <br /> When lan966x_fdma_reload() fails to allocate new RX buffers, the restore<br /> path restarts DMA using old descriptors whose pages were already freed<br /> via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can<br /> release pages back to the buddy allocator, the hardware may DMA into<br /> memory now owned by other kernel subsystems.<br /> <br /> Additionally, on the restore path, the newly created page pool (if<br /> allocation partially succeeded) is overwritten without being destroyed,<br /> leaking it.<br /> <br /> Fix both issues by deferring the release of old pages until after the<br /> new allocation succeeds. Save the old page array before the allocation<br /> so old pages can be freed on the success path. On the failure path, the<br /> old descriptors, pages and page pool are all still valid, making the<br /> restore safe. Also ensure the restore path re-enables NAPI and wakes<br /> the netdev, matching the success path.