In the Linux kernel, the following vulnerability has been resolved:
wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
Currently we execute SET_NETDEV_DEV(dev, &priv->lowerdev->dev) for
the virt_wifi net devices. However, unregistering a virt_wifi device in
netdev_run_todo() can happen together with the device referenced by
SET_NETDEV_DEV().
It can result in use-after-free during the ethtool operations performed
on a virt_wifi device that is currently being unregistered. Such a net
device can have the dev.parent field pointing to the freed memory,
but ethnl_ops_begin() calls pm_runtime_get_sync(dev->dev.parent).
Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:
==================================================================
BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
Read of size 2 at addr ffff88810cfc46f8 by task pm/606
Call Trace:
 <TASK>
 dump_stack_lvl+0x4d/0x70
 print_report+0x170/0x4f3
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 kasan_report+0xda/0x110
 ? __pm_runtime_resume+0xe2/0xf0
 ? __pm_runtime_resume+0xe2/0xf0
 __pm_runtime_resume+0xe2/0xf0
 ethnl_ops_begin+0x49/0x270
 ethnl_set_features+0x23c/0xab0
 ? __pfx_ethnl_set_features+0x10/0x10
 ? kvm_sched_clock_read+0x11/0x20
 ? local_clock_noinstr+0xf/0xf0
 ? local_clock+0x10/0x30
 ? kasan_save_track+0x25/0x60
 ? __kasan_kmalloc+0x7f/0x90
 ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0
 genl_family_rcv_msg_doit+0x1e7/0x2c0
 ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
 ? __pfx_cred_has_capability.isra.0+0x10/0x10
 ? stack_trace_save+0x8e/0xc0
 genl_rcv_msg+0x411/0x660
 ? __pfx_genl_rcv_msg+0x10/0x10
 ? __pfx_ethnl_set_features+0x10/0x10
 netlink_rcv_skb+0x121/0x380
 ? __pfx_genl_rcv_msg+0x10/0x10
 ? __pfx_netlink_rcv_skb+0x10/0x10
 ? __pfx_down_read+0x10/0x10
 genl_rcv+0x23/0x30
 netlink_unicast+0x60f/0x830
 ? __pfx_netlink_unicast+0x10/0x10
 ? __pfx___alloc_skb+0x10/0x10
 netlink_sendmsg+0x6ea/0xbc0
 ? __pfx_netlink_sendmsg+0x10/0x10
 ? __futex_queue+0x10b/0x1f0
 ____sys_sendmsg+0x7a2/0x950
 ? copy_msghdr_from_user+0x26b/0x430
 ? __pfx_____sys_sendmsg+0x10/0x10
 ? __pfx_copy_msghdr_from_user+0x10/0x10
 ___sys_sendmsg+0xf8/0x180
 ? __pfx____sys_sendmsg+0x10/0x10
 ? __pfx_futex_wait+0x10/0x10
 ? fdget+0x2e4/0x4a0
 __sys_sendmsg+0x11f/0x1c0
 ? __pfx___sys_sendmsg+0x10/0x10
 do_syscall_64+0xe2/0x570
 ? exc_page_fault+0x66/0xb0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
This fix may be combined with another one in the ethtool subsystem: https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u
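The lifetime problem described above, as an added userspace model in C (not kernel code and not part of the original fix). The struct layouts, set_netdev_dev(), ethnl_ops_begin_model() and replay() are hypothetical simplifications, and the NULL check on dev.parent is an assumption of the model. Freed objects are flagged rather than released so the stale access is detected without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins: only the fields named in the advisory. */
struct device     { struct device *parent; bool freed; int usage_count; };
struct net_device { struct device dev; bool unregistering; };

/* Model of SET_NETDEV_DEV(): a plain pointer assignment. The stored
 * pointer stays in dev.parent even after the parent is released. */
static void set_netdev_dev(struct net_device *ndev, struct device *parent)
{
    ndev->dev.parent = parent;
}

/* Model of the start of an ethtool netlink operation (assumption: the
 * parent is touched only when dev.parent is set).
 * Returns -1 stale parent (the KASAN case), 0 no parent, 1 parent resumed. */
static int ethnl_ops_begin_model(struct net_device *ndev)
{
    struct device *parent = ndev->dev.parent;

    if (!parent)
        return 0;               /* nothing to resume, nothing to dereference */
    if (parent->freed)
        return -1;              /* in the kernel: read of freed slab memory */
    parent->usage_count++;      /* stands in for pm_runtime_get_sync() */
    return 1;
}

/* Replays the ordering from the advisory: the virt_wifi device is still
 * being unregistered when an ethtool operation begins on it, and the lower
 * device may already be gone. */
static int replay(bool use_set_netdev_dev, bool lower_freed)
{
    struct device lower = { NULL, false, 0 };
    struct net_device virt = { { NULL, false, 0 }, false };

    if (use_set_netdev_dev)
        set_netdev_dev(&virt, &lower);
    virt.unregistering = true;  /* queued for netdev_run_todo() */
    lower.freed = lower_freed;  /* lower device released concurrently */
    return ethnl_ops_begin_model(&virt);
}

int main(void)
{
    printf("parent set, lower freed:   %d\n", replay(true, true));
    printf("parent set, lower alive:   %d\n", replay(true, false));
    printf("parent unset, lower freed: %d\n", replay(false, true));
    return 0;
}
```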
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31695.json",
"cna_assigner": "Linux"
}