CVE-2026-31508

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: openvswitch: Avoid releasing netdev before teardown completes<br /> <br /> The patch cited in the Fixes tag below changed the teardown code for<br /> OVS ports to no longer unconditionally take the RTNL. After this change,<br /> the netdev_destroy() callback can proceed immediately to the call_rcu()<br /> invocation if the IFF_OVS_DATAPATH flag is already cleared on the<br /> netdev.<br /> <br /> The ovs_netdev_detach_dev() function clears the flag before completing<br /> the unregistration, and if it gets preempted after clearing the flag (as<br /> can happen on an -rt kernel), netdev_destroy() can complete and the<br /> device can be freed before the unregistration completes. This leads to a<br /> splat like:<br /> <br /> [ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI<br /> [ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT<br /> [ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025<br /> [ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0<br /> [ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90<br /> [ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246<br /> [ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000<br /> [ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05<br /> [ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000<br /> [ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006<br /> [ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000<br /> [ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000<br /> [ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0<br /> [ 998.393944] PKRU: 55555554<br /> [ 998.393946] Call Trace:<br /> [ 998.393949] <br /> [ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0<br /> [ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0<br /> [ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]<br /> [ 998.394009] ? __die_body.cold+0x8/0x12<br /> [ 998.394016] ? die_addr+0x3c/0x60<br /> [ 998.394027] ? exc_general_protection+0x16d/0x390<br /> [ 998.394042] ? asm_exc_general_protection+0x26/0x30<br /> [ 998.394058] ? dev_set_promiscuity+0x8d/0xa0<br /> [ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]<br /> [ 998.394092] dp_device_event+0x41/0x80 [openvswitch]<br /> [ 998.394102] notifier_call_chain+0x5a/0xd0<br /> [ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60<br /> [ 998.394110] rtnl_dellink+0x169/0x3e0<br /> [ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0<br /> [ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0<br /> [ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0<br /> [ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10<br /> [ 998.394132] netlink_rcv_skb+0x50/0x100<br /> [ 998.394138] netlink_unicast+0x292/0x3f0<br /> [ 998.394141] netlink_sendmsg+0x21b/0x470<br /> [ 998.394145] ____sys_sendmsg+0x39d/0x3d0<br /> [ 998.394149] ___sys_sendmsg+0x9a/0xe0<br /> [ 998.394156] __sys_sendmsg+0x7a/0xd0<br /> [ 998.394160] do_syscall_64+0x7f/0x170<br /> [ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 998.394165] RIP: 0033:0x7fad61bf4724<br /> [ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89<br /> [ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e<br /> [ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724<br /> [ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003<br /> [ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f<br /> [ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2<br /> ---truncated---