Cover Letter Detail
Show a cover letter.
GET /api/1.1/covers/2229938/?format=api
{ "id": 2229938, "url": "http://patchwork.ozlabs.org/api/1.1/covers/2229938/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260428230500.4105927-1-tim.whisonant@canonical.com/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/1.1/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260428230500.4105927-1-tim.whisonant@canonical.com>", "date": "2026-04-28T23:04:56", "name": "[SRU,J/N/Q,0/1] CVE-2026-31504", "submitter": { "id": 89903, "url": "http://patchwork.ozlabs.org/api/1.1/people/89903/?format=api", "name": "Tim Whisonant", "email": "tim.whisonant@canonical.com" }, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260428230500.4105927-1-tim.whisonant@canonical.com/mbox/", "series": [ { "id": 501948, "url": "http://patchwork.ozlabs.org/api/1.1/series/501948/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501948", "date": "2026-04-28T23:04:56", "name": "CVE-2026-31504", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501948/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/2229938/comments/", "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=BEjpmfxV;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4wy275JWz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 09:05:14 +1000 (AEST)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wHrUM-00047C-6h; Tue, 28 Apr 2026 23:05:10 +0000", "from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wHrUK-00045k-HE\n for kernel-team@lists.ubuntu.com; Tue, 28 Apr 2026 23:05:08 +0000", "from mail-yw1-f198.google.com (mail-yw1-f198.google.com\n [209.85.128.198])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 5F8A13F85A\n for <kernel-team@lists.ubuntu.com>; Tue, 28 Apr 2026 23:05:08 +0000 (UTC)", "by mail-yw1-f198.google.com with SMTP id\n 00721157ae682-79064868702so66076497b3.3\n for <kernel-team@lists.ubuntu.com>; Tue, 28 Apr 2026 16:05:08 -0700 (PDT)", "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 00721157ae682-7bd259e31aasm4697957b3.44.2026.04.28.16.05.05\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 28 Apr 2026 16:05:05 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777417508;\n bh=Fq2Nudjlhm7Ri6MVSblSO8D20PoeDrLhB2d0pIIfefk=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=BEjpmfxViWhUSALQwCymTTGmWTjuKPx6gJSNvgpFcGYdKyvGAAHi45U7GU3qmPrMR\n /Y0qXDtA9TBCiwbQ/UUcBjoam8BXXbvOsbFakuMdt3crJARMqrZMRoALGZP2DMqrJa\n qwC2Vzr7iNWwQWBUZlFenKrNWYdBWNsu0nvjXn+b2G3Lj5HExC1pHjaECbWx6FGCL3\n znv9zVuVWhiucPO6yedSLJ9hHQoaqVttSbPqoFEWgQjKbTrkfva74X8PCYGGzypdw1\n KHXDEuvO6xQWblEdSkg6W2PLYqLnPoEjF5IkOkatpV1IEMcA0x3zERYB0hjENCCg7C\n C8n45tHeOfGTiKCRq2hO8a0l9tmknHn1Q/Lck8/ykRzdFrQjXZ/JwMVJCV/RjfD8DK\n Ob8GiYNKegkbiDbJbKWQi/Il0hvntQIceU6aoWRFmbeTodpDOAbNIdLW8a3lHJ1hYX\n W6NUDHXTeeja87ICIOxLWE4/+wTyzPZnbvEcscQ6a5np6dcnDEhRrIRXhIpZXJkS99\n PXrX90Zdb536IkPh80o9bzvSyhB9LlMC1Qu4xLCCBdUDLjStGGrzRLNatLl6ToNkOg\n dbRfylLYPpVoVds6bj9/2Z+FRrnNRHdNDgXM3ewerdRktDwGmOWDLkRIV2CTq48e22\n u/KVB/sFm+9m2K8jRmU7lLiw=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777417507; x=1778022307;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=Fq2Nudjlhm7Ri6MVSblSO8D20PoeDrLhB2d0pIIfefk=;\n b=CBaKFJD/OtweSQP2ll8wp/8CGKeB0kD2V2jEiuHorDgA+lhuPizG28z05aam/Ux6ih\n jnOheeQ5XoL45QzQrd3jX2GAumKLArgSpB3iAupOJEtTbwW/lqbRbLermY/tL3xfp5sE\n OmovykRJp3DT4h15v8NvAt3HweiXw3tLAl/lcmruV1SFBYThfcFvzue2BzMxpJhyOnYj\n 4gJWv+/hTcadcOrwyI+wX33/OiZi9GtyliDZMHv/GcMEeK0+CPUsq13M0iCPUsvEnl/y\n jeflvR+yxrRvDk+mSKICBELl/QTCeLaH+SCMp2Vb9euVsjb+r1UxcejbOANGmrEWOGQn\n PehQ==", "X-Gm-Message-State": "AOJu0Yw0EcqmmQ7tOYf3zYNXNcT9VT6tAveSk0PLVsUp8NqSjvl0wrwE\n 3J37Ww7EZ5s1AJbl4hGUOIWiqTyVXZvzKsVaNZcpMSYtyoeAI6/F8AtwS4h5hxhxcj+so8pMYF3\n 8eKRciuO/ERkhazThgMF4Yg5vKywX80pOXYEyEbOm4yTkLyz7dX6HWwW5fH5xokhP3bZZ5Tb9va\n kLlt16dnn3DTqVtg==", "X-Gm-Gg": "AeBDietHbRYSQB9Eq5R9T3q1W0B6tHe3QVS7ZP/mrBVLinnIixnk2+2njp6voAyEfjY\n eSWWim/w+0ImYd2GyvOvJco+7HFGKU5FDfj/F7UrfN5WSsagMP87AUTu8gslUSqomr/dFZE3GK8\n 1uNe9/hNQtOMxN4NTw1um5Yusdy1nYhqA5a7I4MUkjRsEO+HKvNM0YMXyZIuLZAJ9/lZRRXolzB\n 2at2qCkVyvJcyb+HXPSWD71tJcLWuW38df8EnU3RGXo99GD6HzTry6Nwtcl4LqriRAQh145/YsJ\n x0jJeNNDssczTy8nt+YHGZ3Boo3oh3em3ifQQbumTA1mQG5j72RO4cVceziejBOpiD+gV3VwIBg\n ip2yHmaLFYzJ12HZU4JEJIbM21f5oJLnLDYb83eSrZSFqawk4nFMH4O0ozaYYzaKWODKMuzW8aZ\n tgqpUVIQpA8npk", "X-Received": [ "by 2002:a05:690c:112:b0:7ba:fd82:9131 with SMTP id\n 00721157ae682-7bcf58c13demr51718707b3.47.1777417506869;\n Tue, 28 Apr 2026 16:05:06 -0700 (PDT)", "by 2002:a05:690c:112:b0:7ba:fd82:9131 with SMTP id\n 00721157ae682-7bcf58c13demr51718347b3.47.1777417506403;\n Tue, 28 Apr 2026 16:05:06 -0700 (PDT)" ], "From": "Tim Whisonant <tim.whisonant@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][J/N/Q][PATCH 0/1] CVE-2026-31504", "Date": "Tue, 28 Apr 2026 16:04:56 -0700", "Message-ID": "<20260428230500.4105927-1-tim.whisonant@canonical.com>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "SRU Justification:\n\n[Impact]\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.\n\n[Fix]\n\nResolute: not affected\nQuesting: applied Jammy patch\nNoble: applied Jammy patch\nJammy: cherry picked from upstream\nFocal: sent to forgejo\nBionic: sent to forgejo\nXenial: sent to forgejo\nTrusty: won't fix\n\n[Test Plan]\n\nCompile and boot tested.\n\n[Where problems could occur]\n\nThe change affects the AF_PACKET socket cleanup routine in order\nto prevent a race condition between cleanup and NETDEV_UP. Issues\nwould affect only these AF_PACKET socket types.\n\nYochai Eisenrich (1):\n net: fix fanout UAF in packet_release() via NETDEV_UP race\n\n net/packet/af_packet.c | 1 +\n 1 file changed, 1 insertion(+)" }