In the Linux kernel, the following vulnerability has been resolved:
net: skb: fix cross-cache free of KFENCE-allocated skb head
SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches.
However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free:
kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k
Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects.
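The misclassification described above can be reproduced in a small userspace model. This is an added example, not kernel code or part of the original commit: the 320-byte skb_shared_info overhead, the power-of-two kmalloc buckets and all helper names (`model_ksize`, `free_target_before`, `free_target_after`) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* 704 is the x86_64 value quoted above; 320 is an assumed size for the
 * aligned skb_shared_info overhead. All names here are a model only. */
#define SKB_SMALL_HEAD_CACHE_SIZE 704u
#define SHINFO_OVERHEAD 320u
#define SKB_SMALL_HEAD_HEADROOM (SKB_SMALL_HEAD_CACHE_SIZE - SHINFO_OVERHEAD)

enum cache { CACHE_SMALL_HEAD, CACHE_KMALLOC };
struct head { enum cache origin; size_t requested; bool kfence; };

/* ksize(): bucket size for slab objects, exact request for KFENCE objects. */
static size_t model_ksize(const struct head *h)
{
    size_t bucket = 8;
    if (h->kfence)
        return h->requested;
    if (h->origin == CACHE_SMALL_HEAD)
        return SKB_SMALL_HEAD_CACHE_SIZE;
    while (bucket < h->requested)   /* simplified power-of-two kmalloc buckets */
        bucket <<= 1;
    return bucket;
}

static size_t end_offset(const struct head *h)
{
    size_t sz = model_ksize(h);
    return sz > SHINFO_OVERHEAD ? sz - SHINFO_OVERHEAD : 0;
}

/* Before the fix: guess the owning cache from the end offset alone. */
static enum cache free_target_before(const struct head *h)
{
    return end_offset(h) == SKB_SMALL_HEAD_HEADROOM ? CACHE_SMALL_HEAD
                                                    : CACHE_KMALLOC;
}

/* After the fix: kfree() resolves the owning cache from the object itself. */
static enum cache free_target_after(const struct head *h) { return h->origin; }

int main(void)
{
    struct head kf = { CACHE_KMALLOC, SKB_SMALL_HEAD_CACHE_SIZE, true };
    printf("ksize=%zu end_offset=%zu before_wrong=%d after_wrong=%d\n",
           model_ksize(&kf), end_offset(&kf),
           free_target_before(&kf) != kf.origin,
           free_target_after(&kf) != kf.origin);
    return 0;
}
```

The same 704-byte kzalloc() request without KFENCE reports a 1024-byte bucket in this model, so the size heuristic only breaks when ksize() returns the exact request.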
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31429.json",
"cna_assigner": "Linux"
}