PT-2026-30179 · Linux · Linux
Published 2026-04-03 · Updated 2026-04-03
CVE-2026-31396
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix use-after-free access to PTP clock
PTP clock is registered on every opening of the interface and destroyed on
every closing. However it may be accessed via get_ts_info ethtool call
which is possible while the interface is just present in the kernel.
BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
Read of size 4 at addr ffff8880194345cc by task syz.0.6/948
CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x17f/0x496 mm/kasan/report.c:420
kasan_report+0xd9/0x180 mm/kasan/report.c:524
ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426
gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349
macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371
ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558
ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]
dev_ethtool net/ethtool/ioctl.c:3017 [inline]
dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095
dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510
sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215
sock_ioctl+0x577/0x6d0 net/socket.c:1320
vfs_ioctl fs/ioctl.c:51 [inline]
do_sys_ioctl fs/ioctl.c:870 [inline]
se_sys_ioctl fs/ioctl.c:856 [inline]
x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Allocated by task 457:
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:699 [inline]
ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235
gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375
macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920
dev_open+0x2ce/0x500 net/core/dev.c:1501
dev_change_flags+0x56a/0x740 net/core/dev.c:8651
dev_change_flags+0x92/0x170 net/core/dev.c:8722
do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833
rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608
rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655
rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150
netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872
sock_sendmsg_nosec net/socket.c:718 [inline]
sock_sendmsg+0x14b/0x180 net/socket.c:730
sys_sendto+0x320/0x3b0 net/socket.c:2152
do_sys_sendto net/socket.c:2164 [inline]
se_sys_sendto net/socket.c:2160 [inline]
x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 938:
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1729 [inline]
slab_free_freelist_hook mm/slub.c:1755 [inline]
slab_free mm/slub.c:3687 [inline]
kmem_cache_free+0xbc/0x320 mm/slub.c:3700
device_release+0xa0/0x240 drivers/base/core.c:2507
kobject_cleanup lib/kobject.c:681 [inline]
kobject_release lib/kobject.c:712 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1cd/0x350 lib/kobject.c:729
put_device+0x1b/0x30 drivers/base/core.c:3805
ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391
gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404
macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966
dev_close_many+0x1b9/0x310 net/core/dev.c:1585
dev_close net/core/dev.c:1597 [inline]
dev_change_flags+0x2bb/0x740 net/core/dev.c:8649
dev change fl
---truncated---
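The lifetime mismatch described above, as an added user-space model (not the driver's code and not the upstream patch): the clock object is created on open and destroyed on close, while the query path stays reachable for as long as the interface exists. The struct and function names, the static slot with its poison value, and the pointer-clearing close are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; names echo the trace but this is not driver code. */
enum { POISON = 0x6b6b6b6b, NO_PHC = -1 };

struct ptp_clock { int index; };
struct nic { struct ptp_clock *ptp_clock; };

/* One static slot stands in for the slab object, so a stale read is
 * well-defined here and returns POISON instead of touching freed memory. */
static struct ptp_clock slot;

static struct ptp_clock *clock_register(int index) { slot.index = index; return &slot; }
static void clock_unregister(struct ptp_clock *c) { c->index = POISON; }

static void nic_open(struct nic *n, int index) { n->ptp_clock = clock_register(index); }

/* Pattern from the report: the clock is destroyed, the pointer survives. */
static void nic_close_stale(struct nic *n) { clock_unregister(n->ptp_clock); }

/* Assumed mitigation: drop the reference together with the object. */
static void nic_close_cleared(struct nic *n)
{
    clock_unregister(n->ptp_clock);
    n->ptp_clock = NULL;
}

/* Query path: callable whenever the interface exists, open or not. */
static int nic_get_ts_info(const struct nic *n)
{
    return n->ptp_clock ? n->ptp_clock->index : NO_PHC;
}

/* Open with PHC index 3, close, then query the closed interface. */
int query_after_close(int cleared)
{
    struct nic n = { NULL };
    nic_open(&n, 3);
    if (nic_get_ts_info(&n) != 3) return -2;
    if (cleared) nic_close_cleared(&n); else nic_close_stale(&n);
    return nic_get_ts_info(&n);
}

int main(void)
{
    printf("stale pointer: 0x%x\n", (unsigned)query_after_close(0));
    printf("cleared pointer: %d\n", query_after_close(1));
    return 0;
}
```

In the model the stale close makes the query return the poison value, which corresponds to the KASAN read in `ptp_clock_index`; with the pointer cleared the query reports -1, the value ethtool uses for "no PTP hardware clock".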
Affected Products
Linux