CVE-2026-31680

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: flowlabel: defer exclusive option free until RCU teardown

ip6fl seq show() walks the global flowlabel hash under the seq-file RCU read-side lock and prints fl->opt->opt nflen when an option block is present.

Exclusive flowlabels currently free fl->opt as soon as fl->users drops to zero in fl release(). However, the surrounding struct ip6 flowlabel remains visible in the global hash table until later garbage collection removes it and fl free rcu() finally tears it down.

A concurrent /proc/net/ip6 flowlabel reader can therefore race that early kfree() and dereference freed option state, triggering a crash in ip6fl seq show().

Fix this by keeping fl->opt alive until fl free rcu(). That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.