CVE-2026-31642

Fix rxrpc call removal from the rxnet->calls list to use listdelrcu() rather than listdelinit() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop.

This, however, means that list_empty() no longer works on an entry that's been deleted from the list, making it harder to detect prior deletion. Fix this by:

Firstly, make rxrpcdestroyallcalls() only dump the first ten calls that are unexpectedly still on the list. Limiting the number of steps means there's no need to call condresched() or to remove calls from the list here, thereby eliminating the need for rxrpcputcall() to check for that.

rxrpcputcall() can then be fixed to unconditionally delete the call from the list as it is the only place that the deletion occurs.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31642.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2baec2c3f854d1f79c7bb28386484e144e864a14

Fixed

93fc15be44a35b8e3c58d0238ac0d9b7c53465ff

Fixed

c63abf25203b50243fe228090526f9dbf37727bd

Fixed

3be718f659683ad89fad6f1eb66bee99727cae64

Fixed

ac5f54691be06a32246179d41be2d73598036deb

Fixed

146d4ab94cf129ee06cd467cb5c71368a6b5bad6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31642.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.13.0

Fixed

6.6.135

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.82

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.23

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.13

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31642.json"