GET

Cover Letter Detail

Show a cover letter.

GET /api/1.1/covers/2227509/?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2227509,
    "url": "http://patchwork.ozlabs.org/api/1.1/covers/2227509/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260423204841.3528502-1-tim.whisonant@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null
    },
    "msgid": "<20260423204841.3528502-1-tim.whisonant@canonical.com>",
    "date": "2026-04-23T20:48:36",
    "name": "[SRU,J/N/Q,0/1] CVE-2026-31419",
    "submitter": {
        "id": 89903,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/89903/?format=api",
        "name": "Tim Whisonant",
        "email": "tim.whisonant@canonical.com"
    },
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260423204841.3528502-1-tim.whisonant@canonical.com/mbox/",
    "series": [
        {
            "id": 501241,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/501241/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501241",
            "date": "2026-04-23T20:48:36",
            "name": "CVE-2026-31419",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/501241/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/covers/2227509/comments/",
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=ffSvN4v4;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1p9Q72P3z1yDD\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 24 Apr 2026 06:49:14 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wG0yg-0005YP-0K; Thu, 23 Apr 2026 20:48:50 +0000",
            "from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wG0yf-0005YI-3j\n for kernel-team@lists.ubuntu.com; Thu, 23 Apr 2026 20:48:49 +0000",
            "from mail-ot1-f72.google.com (mail-ot1-f72.google.com\n [209.85.210.72])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id DAEDF3FEB7\n for <kernel-team@lists.ubuntu.com>; Thu, 23 Apr 2026 20:48:48 +0000 (UTC)",
            "by mail-ot1-f72.google.com with SMTP id\n 46e09a7af769-7dbc56f5290so16983348a34.0\n for <kernel-team@lists.ubuntu.com>; Thu, 23 Apr 2026 13:48:48 -0700 (PDT)",
            "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 46e09a7af769-7dc975034e7sm17436294a34.6.2026.04.23.13.48.46\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 23 Apr 2026 13:48:46 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1776977328;\n bh=5bVB74TIcCJGqVNTTqLQGdV5YJUjFOKXPq6B7FMKJ7o=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=ffSvN4v42qapaOiwM2YCADibLU0zBpXqo8gw4CZMG4rZW+uYpfrsNxKHp4STQ1hXR\n ED1K+0DlsHYbGeKV/vquYSbgTUBozikQt4fnr/PfyGV3Z9UHGW66B7bws4ZCp/9REk\n VLWzl/C+wrpr2kIWvOLrumeNHssv1PPg/o6Ng/IGlmfAOWvVzzhfm7CpAZKv86XwMd\n voPy8V/92dgcq9kEm8Zcr4PPSyLMCt54RGYRCEQCn14yMOpiqdSyuZhVM2l26VPuUj\n vQaTFsqA6QcBmpYFWs0wbHhGmy2BW/nO3nsjlCcTCZ4eYf2GnTo0ywFns5vmiHnDXF\n +9lLcUoeuWtxPcOeq8EMpPUTVWd2sd2DYDoOPeB/AIop9SQEFrT3RyS+uwLd+S06lS\n N39f4U3GBfdBFFcgWgqihC5jnrqTBSlcPsD6W9m0H3ffK4vVXRtuGzErzeN0o44tU2\n AN09IVVgqqRgO6tdrAVnvQ8ipZOmBETC2X7GAswiLoPS3mYRuBX/y+s4qfmASwjqrV\n Y9B7PPWxvM4d40kIFLXjbSQ0qlyNn2ZWS94t6Q4TGZH2K1WL2SY6g8AsoOn/o1OJIE\n bDtHhgaGRun0/AXez81r+aEcI31oW2Ji9+iyMtMRmC88KErigJ6fMiVkXRPZnW39b4\n //w9I+eQHPRBRbwfZaUH5nYM=",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776977327; x=1777582127;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=5bVB74TIcCJGqVNTTqLQGdV5YJUjFOKXPq6B7FMKJ7o=;\n b=TKjfIMCF1vEmBAkEJYFOSVfM/l9aDfp+Jdu9N9h2iMyRuL5du93qnPLfSXjvXxwPTO\n sUGvvxSvDr4Y0uTY6G+K0bHyslc9z2CJK50W9euRnfZkr1kUxJS96/ar2NTioadPcqCu\n QAX2olFKMR9Uqd8MxRKqj4nZcJaizBbycvmx7RV5Sw0nBm1Gzj6tz7oyloNWAAfCbsXp\n 02RXImZL6YL8Yi9GYOL6VWA0S5ytfmm7789PSEmNJdkJzTPLBoUZ4uoRICpgZKm3Ilf1\n a5gfzj4UHer7bpm2gQh9vxihgIgNFYdpdxMyI3COANh0F7oJVXSCjXHDzcQzyOxJKKB/\n 3XRw==",
        "X-Gm-Message-State": "AOJu0Yz7TDN2tVTbxzydMnKHYthkFqH/9aZJrdBRjXCcO9bcjjVdZ3K7\n U3608aSe+N2iSXKv7gAhG3GBbE/gI+eWs9+q3URtJYNS2bXY2GE0Q7DL/C3C/pLDiYl9k0YakEU\n lOhvnBRbg4IZ6Q7kOnAWFdZFQ3nhYrgYFxEbXdjATKU21o6v7RSG+14fBEduPoPVUolGjiOP+MB\n jtiX91egQhqx89YA==",
        "X-Gm-Gg": "AeBDietnKMhRxOWSB/8vpXXEHNZerWXmdBalRzx3HB8sNiXJmp+5ApDuuBqdedjfYz/\n 80vwrdu0d8USXdRctQECFgWsV+TEw7gB1SLFlXNxpOIlwAcsR9caAZu3u4z0igjXBqKoHt7OjrV\n WWCpfZ/LQgJat+l4yq8lCK0t4jdoxF2QkHV69JPZraJHe3NQ6ZvIpiEKFvWGpv3qkxyYZlJR50I\n lRckD0/pDjkTSbQijL28vM2CayCqNl55aVD5L+6F3WwhpLMhQNvd0oHHXqMAybWpgR20dUtwCKC\n UzUQjhe056zzOJ8SR6gZvrfhwW8ovtJZ91pcvy1c0DiPtY8sJMsZhc6hY40xd5+a8vJezaspxfR\n d8ESnwBQJcauXS03z52QybrFue3YJUTd00wvdTttWKOKbSTdYLDoD4gsWi68OLUUQYFxt5j0hHo\n C7Fjk7w2OkKkv/",
        "X-Received": [
            "by 2002:a05:6830:927:b0:7d7:4aa5:5210 with SMTP id\n 46e09a7af769-7dc951acc22mr17882921a34.19.1776977327325;\n Thu, 23 Apr 2026 13:48:47 -0700 (PDT)",
            "by 2002:a05:6830:927:b0:7d7:4aa5:5210 with SMTP id\n 46e09a7af769-7dc951acc22mr17882905a34.19.1776977326842;\n Thu, 23 Apr 2026 13:48:46 -0700 (PDT)"
        ],
        "From": "Tim Whisonant <tim.whisonant@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[SRU][J/N/Q][PATCH 0/1] CVE-2026-31419",
        "Date": "Thu, 23 Apr 2026 13:48:36 -0700",
        "Message-ID": "<20260423204841.3528502-1-tim.whisonant@canonical.com>",
        "X-Mailer": "git-send-email 2.43.0",
        "MIME-Version": "1.0",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "SRU Justification:\n\n[Impact]\n\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop.  This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\n[Fix]\n\nQuesting: cherry picked from upstream\nNoble:    applied Jammy patch\nJammy:    backported from upstream\nFocal:    not affected\nBionic:   not affected\nXenial:   not affected\nTrusty:   not affected\n\n[Test Plan]\n\nCompile and boot tested.\n\n[Where problems could occur]\n\nThe change affects the network bonding driver's broadcast\nmechanism. Issues might appear as missed messages or\nduplicated messages to network interfaces.\n\nXiang Mei (1):\n  net: bonding: fix use-after-free in bond_xmit_broadcast()\n\n drivers/net/bonding/bond_main.c | 12 ++++++++----\n 1 file changed, 8 insertions(+), 4 deletions(-)"
}