CVE-2026-31551

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.<br /> <br /> syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]<br /> <br /> The problem is that aql_enable_write() does not serialise concurrent<br /> write()s to the debugfs.<br /> <br /> aql_enable_write() checks static_key_false(&amp;aql_disable.key) and<br /> later calls static_branch_inc() or static_branch_dec(), but the<br /> state may change between the two calls.<br /> <br /> aql_disable does not need to track inc/dec.<br /> <br /> Let&amp;#39;s use static_branch_enable() and static_branch_disable().<br /> <br /> [0]:<br /> val == 0<br /> WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full)<br /> Tainted: [U]=USER, [L]=SOFTLOCKUP<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026<br /> RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311<br /> Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00<br /> RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4<br /> RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000<br /> RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a<br /> R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98<br /> FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0<br /> Call Trace:<br /> <br /> __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]<br /> __static_key_slow_dec kernel/jump_label.c:321 [inline]<br /> static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336<br /> aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343<br /> short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383<br /> vfs_write+0x2aa/0x1070 fs/read_write.c:684<br /> ksys_pwrite64 fs/read_write.c:793 [inline]<br /> __do_sys_pwrite64 fs/read_write.c:801 [inline]<br /> __se_sys_pwrite64 fs/read_write.c:798 [inline]<br /> __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f530cf9aeb9<br /> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012<br /> RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9<br /> RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010<br /> RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000<br /> R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978<br />