PT-2026-33746 · Linux · Linux

Published 2026-04-20 · Updated 2026-04-20 · CVE-2026-31429

In the Linux kernel, the following vulnerability has been resolved:

net: skb: fix cross-cache free of KFENCE-allocated skb head

SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches.

However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free:

kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k

Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects.
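The misclassification described above, as a userspace model added for illustration (not kernel code and not part of the original patch). The 704-byte cache size is the x86_64 value quoted above; SHINFO_OVERHEAD, the bucket table and the function names model_ksize(), free_target() and cross_cache_free() are assumptions of this sketch.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model; no kernel code is run. 704 is the x86_64 value from the
 * advisory; SHINFO_OVERHEAD is an assumed stand-in for the aligned
 * sizeof(struct skb_shared_info). */
#define SKB_SMALL_HEAD_CACHE_SIZE 704u
#define SHINFO_OVERHEAD           320u
#define SKB_SMALL_HEAD_HEADROOM   (SKB_SMALL_HEAD_CACHE_SIZE - SHINFO_OVERHEAD)

enum cache { SMALL_HEAD_CACHE, KMALLOC_CACHE };

/* Model of ksize(): a normal slab reports the bucket size, KFENCE reports
 * the exact requested size. */
static size_t model_ksize(size_t req, int kfence)
{
    static const size_t buckets[] = { 8, 16, 32, 64, 96, 128, 192, 256,
                                      512, 1024, 2048, 4096, 8192 };
    if (kfence)
        return req;
    for (size_t i = 0; i < sizeof(buckets) / sizeof(buckets[0]); i++)
        if (req <= buckets[i])
            return buckets[i];
    return req; /* larger requests are outside this model */
}

/* Cache the free path hands a kzalloc()'ed head to. */
static enum cache free_target(size_t req, int kfence, int fixed)
{
    size_t end_offset = model_ksize(req, kfence) - SHINFO_OVERHEAD;

    if (fixed)
        return KMALLOC_CACHE; /* kfree(): owning cache found from the object */
    /* Pre-fix heuristic: infer the owning cache from end_offset alone. */
    return end_offset == SKB_SMALL_HEAD_HEADROOM ? SMALL_HEAD_CACHE : KMALLOC_CACHE;
}

/* 1 if a head that came from kmalloc is freed to a different cache. */
static int cross_cache_free(size_t req, int kfence, int fixed)
{
    return free_target(req, kfence, fixed) != KMALLOC_CACHE;
}

int main(void)
{
    printf("slab,   pre-fix: %d\n", cross_cache_free(704, 0, 0));
    printf("KFENCE, pre-fix: %d\n", cross_cache_free(704, 1, 0));
    printf("KFENCE, fixed:   %d\n", cross_cache_free(704, 1, 1));
    return 0;
}
```

Only the KFENCE case with the size heuristic reports a cross-cache free; with a regular slab the 704-byte request lands in the 1024-byte bucket, so the computed end offset never equals the small-head headroom.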

Related Identifiers

CVE-2026-31429

Affected Products

Linux