Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-31703

CVSS v3.1 severity:
HIGH
Type:
CWE-416 Use After Free
Publication date:
01/05/2026
Last modified:
06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

writeback: Fix use after free in inode_switch_wbs_work_fn()

inode_switch_wbs_work_fn() has a loop like:

    wb_get(new_wb);
    while (1) {
        list = llist_del_all(&new_wb->switch_wbs_ctxs);
        /* Nothing to do? */
        if (!list)
            break;
        ... process the items ...
    }

Now adding of items to the list looks like:

    wb_queue_isw()
        if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
            queue_work(isw_wq, &wb->switch_work);

Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues.

We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.
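
The interleaving described above, reduced to a deterministic single-threaded C model: an added example, not kernel code and not part of the advisory. The struct and function names are assumptions, and the model assumes the only references pinning wb are those held by isw items and by the running work function; simulate(true) follows the pre-fix loop, simulate(false) the fixed single pass.

```c
#include <stdbool.h>
#include <stdio.h>

struct wb_model {                  /* toy model: names are assumptions */
    int refs;          /* refs pinning wb: one per isw item + worker's wb_get() */
    int listed;        /* items on switch_wbs_ctxs */
    bool work_pending; /* switch_work queued, not yet started */
};

/* wb_queue_isw(): work is queued only on the empty -> non-empty transition. */
static void queue_isw(struct wb_model *wb)
{
    wb->refs++;                    /* the isw item holds a wb reference */
    if (wb->listed++ == 0)         /* llist_add() returned true */
        wb->work_pending = true;   /* queue_work() */
}

/* llist_del_all() plus processing: each item drops its wb reference. */
static int drain(struct wb_model *wb)
{
    int n = wb->listed;
    wb->listed = 0;
    wb->refs -= n;
    return n;
}

/* One run of the work function; racing_adds items arrive after the first
 * drain. Returns true if work is left pending with nothing pinning wb. */
static bool run_work(struct wb_model *wb, bool loop, int racing_adds)
{
    wb->work_pending = false;      /* pending bit is cleared before the callback */
    wb->refs++;                    /* wb_get(new_wb) */
    drain(wb);
    while (racing_adds-- > 0)
        queue_isw(wb);             /* list was empty, so work is queued again */
    while (loop && drain(wb) > 0)  /* pre-fix behaviour: loop until empty */
        ;
    wb->refs--;                    /* wb_put(new_wb) */
    return wb->work_pending && wb->refs == 0;
}

static bool simulate(bool loop)
{
    struct wb_model wb = {0};
    queue_isw(&wb);                /* first item queues the work */
    return run_work(&wb, loop, 1);
}

int main(void) { printf("loop=%d fixed=%d\n", simulate(true), simulate(false)); return 0; }
```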

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.18 (including) | 6.18.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.2 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* | |