Cover Letter Detail
Show a cover letter.
GET /api/1.1/covers/2230586/?format=api
{ "id": 2230586, "url": "http://patchwork.ozlabs.org/api/1.1/covers/2230586/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260429214512.15496-1-tim.whisonant@canonical.com/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/1.1/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260429214512.15496-1-tim.whisonant@canonical.com>", "date": "2026-04-29T21:45:08", "name": "[SRU,J/N/Q,0/1] CVE-2026-31533", "submitter": { "id": 89903, "url": "http://patchwork.ozlabs.org/api/1.1/people/89903/?format=api", "name": "Tim Whisonant", "email": "tim.whisonant@canonical.com" }, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260429214512.15496-1-tim.whisonant@canonical.com/mbox/", "series": [ { "id": 502156, "url": "http://patchwork.ozlabs.org/api/1.1/series/502156/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502156", "date": "2026-04-29T21:45:08", "name": "CVE-2026-31533", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/502156/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/2230586/comments/", "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=nDGA6OEM;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5W7f1xvfz1yJr\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 07:45:33 +1000 (AEST)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wICig-00078N-SC; Wed, 29 Apr 2026 21:45:22 +0000", "from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wICif-00077z-40\n for kernel-team@lists.ubuntu.com; Wed, 29 Apr 2026 21:45:21 +0000", "from mail-yw1-f199.google.com (mail-yw1-f199.google.com\n [209.85.128.199])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 01AAC3FA63\n for <kernel-team@lists.ubuntu.com>; Wed, 29 Apr 2026 21:45:21 +0000 (UTC)", "by mail-yw1-f199.google.com with SMTP id\n 00721157ae682-7985951fa83so5806747b3.3\n for <kernel-team@lists.ubuntu.com>; Wed, 29 Apr 2026 14:45:20 -0700 (PDT)", "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 00721157ae682-7bd5500d83fsm33117b3.30.2026.04.29.14.45.17\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 29 Apr 2026 14:45:17 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777499121;\n bh=iB2sSiAwWnLJwXhjTVXT1Q//W6EC67E8UmXAjtVDk/I=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=nDGA6OEM7KFQMrVG5CbCCjKA6uH+YIW7l1mUy/rX03Y3sySc8SIzM/AUohR1/CfQQ\n kuTkj0gnwsyj80J7mcpIvJfUZ4A1fUUy2vJmQFzEXrfR5MCbeYmTuBvrb6q1VTVWMx\n 7XE2idf7t95x9jswO1Mvxad0pQOJanXJUEJaqeeF54zshefBrt0FHrajY5f5mby5mE\n 82PonW4thvxS2tnWHosH+FX5Zdrf17wU+l0hLMuUhnxwsiRrQRob48SJ0a2EbYjRR5\n VysiUU473De0qRVYjzhJgQVpGnPR0Lbl24u94OpKBnBL0EVKuS5vZ2ALAInhSXm7fk\n 7w2qwIr29J//JtX6XVvFGUQd/P64xbX6uhvlLO2lz0G4YdcbA6T1ja7wIbfdUrFLyH\n Eria4TWoSyy/Ovns2xWOv5aZU85SvleKbfs1ShYXjQW4D4EsH2OSYvZqsOEHj5aPmg\n 1jDI4AoZw+OdTqbkFgq0CY6dShksIW8GHvXkWj5vqRZL3n5xgOPa8RPUdSDLJX3hGg\n mBjuf11S89O/Cxx0wYQJflhOv3L1RclRxyGbk6K/RHZtpjKUer78Osxa5NNzBCBf7o\n hm2Th7tJZ7B763YOzTLwsDGvAcGxL0uKPkobH1BciBNkxw29Rk7HAY9gBiH5AMdK8I\n aYx2veFN1NG2RkXaj/aZsLRs=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777499119; x=1778103919;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=iB2sSiAwWnLJwXhjTVXT1Q//W6EC67E8UmXAjtVDk/I=;\n b=Fal9CQfH/vLRjz+Ln/Om65fWz0eUPAyX+6/xdcg3oJarQ9CkStbc8VxJKCZPnSSW7Q\n 52S5imX5XBmG25mFyxTJvslUo+TX7VvkjzrGwlYRj7ceZLvEL64n9gQiqLd4izL1WmaE\n 18H6vj4f6RwKzVdb3gRkDTqPrr75AwX+ALIsxsDG64HEfW6Xf2w+eVEgQnRMTCn6UMdv\n Q4JErasWmPt9FqNFjChoJZu9VZJ+NOaNA4cHYak15ke12N6poN0Mk7qeg9Sw72Oid2we\n uhOBmLVkZ1fHX3Wbbynw9UCctwYbsK/LyoUQWC0TnTUjMXzt8iSdNr7h1le46kqT/WRA\n Y9dg==", "X-Gm-Message-State": "AOJu0YxxjRm3Mi8CrOlvP/RsDv8DRVWPr3DY5jQROPFhstUtv43G3ZRq\n KSDXuiEog9/IOrCPlhdhE/LVoJ/grvTGJcDfC6d9ezDqRRPaGmVdJQFbZsYSN2alaZx0VQi3S3X\n f1RrkM9k75nT4bipfvPw86ZseIVE9QHkZV7E3w4Guv+bjYLwYnOMB0/Fc0G5cnJBR4r7IBOSgFe\n LfvIXEhTuHPVlGWA==", "X-Gm-Gg": "AeBDietQYfyCJCAMtr7ZkWOGjUXrsODy9wi98Za/vlK+0Alm5jp4ctkDayHl+ppL+XV\n LWfzPzu7n0TK1l3Ze9zDarTz8qrnU2Q90sOQ59ZXTjqY9MtDiZwEzw+t+urp29q6kTkBJbGHZak\n mCccpGFjQ2Vxub/ehiJ3zl7NcAXgxdlWTc64A1DKodk0Yi5GUfGymPCBPQHwH/iQSwq97iqTn0A\n tXM+ftZmacx5pX/NatvLZlnZ1Qrq70KZhqFKLc/bA5pMwD7X0LCPIv0NkEWVsEo3WmB9tBujStu\n aJXj6FWeDX8mFzChvgEX9tB9tCDLSNF4x3HPV/52R+0oUFeQ5Asr7cmun7MR0mI++12923UGkf4\n ESGwXHhXA+/1DB0VWVnnsqL9Q6IhxSXTPdM7DJ9iHCqK2qxk6jtSyMTykDgTU9qiRMWx4Uf4gm7\n B5AL91L5DBxJlP", "X-Received": [ "by 2002:a05:690c:8:b0:79a:d393:f8b1 with SMTP id\n 00721157ae682-7bd5292ea7amr5575787b3.26.1777499119376;\n Wed, 29 Apr 2026 14:45:19 -0700 (PDT)", "by 2002:a05:690c:8:b0:79a:d393:f8b1 with SMTP id\n 00721157ae682-7bd5292ea7amr5575547b3.26.1777499118817;\n Wed, 29 Apr 2026 14:45:18 -0700 (PDT)" ], "From": "Tim Whisonant <tim.whisonant@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][J/N/Q][PATCH 0/1] CVE-2026-31533", "Date": "Wed, 29 Apr 2026 14:45:08 -0700", "Message-ID": "<20260429214512.15496-1-tim.whisonant@canonical.com>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "SRU Justification:\n\n[Impact]\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge->offset, sge->length) and decrements\nctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration.\n\n[Fix]\n\nResolute: not affected\nQuesting: applied Jammy patch\nNoble: applied Jammy patch\nJammy: cherry picked from upstream\nFocal: sent to forgejo\nBionic: not affected\nXenial: not affected\nTrusty: not affected\n\n[Test Plan]\n\nCompile and boot tested.\n\n[Where problems could occur]\n\nThe change affects the main encryption function for software-\nbased kernel TLS in order to correct a use-after-free. Issues\nmight manifest as failed or aborted encryption requests.\n\nMuhammad Alifa Ramdhan (1):\n net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\n net/tls/tls_sw.c | 10 ++++++++++\n 1 file changed, 10 insertions(+)" }