CVE-2026-31469

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false<br /> <br /> A UAF issue occurs when the virtio_net driver is configured with napi_tx=N<br /> and the device&amp;#39;s IFF_XMIT_DST_RELEASE flag is cleared<br /> (e.g., during the configuration of tc route filter rules).<br /> <br /> When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack<br /> expects the driver to hold the reference to skb-&gt;dst until the packet<br /> is fully transmitted and freed. In virtio_net with napi_tx=N,<br /> skbs may remain in the virtio transmit ring for an extended period.<br /> <br /> If the network namespace is destroyed while these skbs are still pending,<br /> the corresponding dst_ops structure has freed. When a subsequent packet<br /> is transmitted, free_old_xmit() is triggered to clean up old skbs.<br /> It then calls dst_release() on the skb associated with the stale dst_entry.<br /> Since the dst_ops (referenced by the dst_entry) has already been freed,<br /> a UAF kernel paging request occurs.<br /> <br /> fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release<br /> the dst reference before the skb is queued in virtio_net.<br /> <br /> Call Trace:<br /> Unable to handle kernel paging request at virtual address ffff80007e150000<br /> CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT<br /> ...<br /> percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)<br /> dst_release+0xe0/0x110 net/core/dst.c:177<br /> skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177<br /> sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255<br /> dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469<br /> napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527<br /> __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]<br /> free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]<br /> start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]<br /> ...<br /> <br /> Reproduction Steps:<br /> NETDEV="enp3s0"<br /> <br /> config_qdisc_route_filter() {<br /> tc qdisc del dev $NETDEV root<br /> tc qdisc add dev $NETDEV root handle 1: prio<br /> tc filter add dev $NETDEV parent 1:0 \<br /> protocol ip prio 100 route to 100 flowid 1:1<br /> ip route add 192.168.1.100/32 dev $NETDEV realm 100<br /> }<br /> <br /> test_ns() {<br /> ip netns add testns<br /> ip link set $NETDEV netns testns<br /> ip netns exec testns ifconfig $NETDEV 10.0.32.46/24<br /> ip netns exec testns ping -c 1 10.0.32.1<br /> ip netns del testns<br /> }<br /> <br /> config_qdisc_route_filter<br /> <br /> test_ns<br /> sleep 2<br /> test_ns