net: macb: Use dev_consume_skb_any() to free TX SKBs_CVE-2026-31563

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: macb: Use dev_consume_skb_any() to free TX SKBs

The napi_consume_skb() function is not intended to be called in an IRQ
disabled context. However, after commit 6bc8a5098bf4 ("net: macb: Fix
tx_ptr_lock locking"), the freeing of TX SKBs is performed with IRQs
disabled. To resolve the following call trace, use dev_consume_skb_any()
for freeing TX SKBs:
WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15
Modules linked in:
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT
Hardware name: ZynqMP ZCU102 Rev1.1 (DT)
pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __local_bh_enable_ip+0x174/0x188
lr : local_bh_enable+0x24/0x38
sp : ffff800082b3bb10
x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0
x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80
x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000
x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001
x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000
x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650
x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258
x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc
Call trace:
__local_bh_enable_ip+0x174/0x188 (P)
local_bh_enable+0x24/0x38
skb_attempt_defer_free+0x190/0x1d8
napi_consume_skb+0x58/0x108
macb_tx_poll+0x1a4/0x558
__napi_poll+0x50/0x198
net_rx_action+0x1f4/0x3d8
handle_softirqs+0x16c/0x560
run_ksoftirqd+0x44/0x80
smpboot_thread_fn+0x1d8/0x338
kthread+0x120/0x150
ret_from_fork+0x10/0x20
irq event stamp: 29751
hardirqs last enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88
hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98
softirqs last enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560
softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80

Basic Information

ID CVE-2026-31563

Source Linux

Published Apr 24, 2026 at 14:35

Modified Apr 27, 2026 at 14:04

Affected Product

Vendor Linux

Product Linux

Version aeeafeb29b1b270302a9a85a13f7d70a68a3b9e6

Affected Versions Linux Linux aeeafeb29b1b270302a9a85a13f7d70a68a3b9e6
Linux Linux 5430388a81113e62a2d48b5d7dc1e76231908ebf
Linux Linux 7db8aa3fc4ed0a2928246747b2514b0741a8187e
Linux Linux 6bc8a5098bf4a365c4086a4a4130bfab10a58260
Linux Linux 6bc8a5098bf4a365c4086a4a4130bfab10a58260
Linux Linux 6bc8a5098bf4a365c4086a4a4130bfab10a58260
Linux Linux a4cb0a15ab8e6d06c08229a2c7bdbe1f2454473f
Linux Linux 6.17

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Use dev_consume_skb_any() to free TX SKBs\n\nThe napi_consume_skb() function is not intended to be called in an IRQ\ndisabled context. However, after commit 6bc8a5098bf4 (\"net: macb: Fix\ntx_ptr_lock locking\"), the freeing of TX SKBs is performed with IRQs\ndisabled. To resolve the following call trace, use dev_consume_skb_any()\nfor freeing TX SKBs:\n   WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15\n   Modules linked in:\n   CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT\n   Hardware name: ZynqMP ZCU102 Rev1.1 (DT)\n   pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n   pc : __local_bh_enable_ip+0x174/0x188\n   lr : local_bh_enable+0x24/0x38\n   sp : ffff800082b3bb10\n   x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0\n   x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80\n   x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000\n   x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001\n   x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000\n   x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650\n   x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258\n   x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000\n   x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\n   x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc\n   Call trace:\n    __local_bh_enable_ip+0x174/0x188 (P)\n    local_bh_enable+0x24/0x38\n    skb_attempt_defer_free+0x190/0x1d8\n    napi_consume_skb+0x58/0x108\n    macb_tx_poll+0x1a4/0x558\n    __napi_poll+0x50/0x198\n    net_rx_action+0x1f4/0x3d8\n    handle_softirqs+0x16c/0x560\n    run_ksoftirqd+0x44/0x80\n    smpboot_thread_fn+0x1d8/0x338\n    kthread+0x120/0x150\n    ret_from_fork+0x10/0x20\n   irq event stamp: 29751\n   hardirqs last  enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88\n   hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98\n   softirqs last  enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560\n   softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80",
    "published": "2026-04-24T14:35:44.610Z",
    "modified": "2026-04-27T14:04:05.798Z",
    "type": "cve",
    "title": "net: macb: Use dev_consume_skb_any() to free TX SKBs",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/92e7081f0c79d9073087e54bab745bb184192c2e\nhttps://git.kernel.org/stable/c/78c8b090a3d5c1689dc989861b0163180db2b3f8\nhttps://git.kernel.org/stable/c/984350b37372f79f71d4f0a5264c640e40daf9ce\nhttps://git.kernel.org/stable/c/f4bc91398b579730284328322365afa77a9d568f\nhttps://git.kernel.org/stable/c/ca4d05afb4683d685bb2c6fccae4386c478f524a\nhttps://git.kernel.org/stable/c/647b8a2fe474474704110db6bd07f7a139e621eb",
    "id": "CVE-2026-31563",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux aeeafeb29b1b270302a9a85a13f7d70a68a3b9e6\nLinux Linux 5430388a81113e62a2d48b5d7dc1e76231908ebf\nLinux Linux 7db8aa3fc4ed0a2928246747b2514b0741a8187e\nLinux Linux 6bc8a5098bf4a365c4086a4a4130bfab10a58260\nLinux Linux 6bc8a5098bf4a365c4086a4a4130bfab10a58260\nLinux Linux 6bc8a5098bf4a365c4086a4a4130bfab10a58260\nLinux Linux a4cb0a15ab8e6d06c08229a2c7bdbe1f2454473f\nLinux Linux 6.17",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "aeeafeb29b1b270302a9a85a13f7d70a68a3b9e6",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply