Patch Detail
GET /api/1.1/patches/2227594/?format=api
{ "id": 2227594, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2227594/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260423204841.3528502-3-tim.whisonant@canonical.com/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/1.1/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260423204841.3528502-3-tim.whisonant@canonical.com>", "date": "2026-04-23T20:48:38", "name": "[SRU,Q,1/1] net: bonding: fix use-after-free in bond_xmit_broadcast()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "f3fa4c4cbbf154fd5a4a9e8ea2cccec4a9e04bb0", "submitter": { "id": 89903, "url": "http://patchwork.ozlabs.org/api/1.1/people/89903/?format=api", "name": "Tim Whisonant", "email": "tim.whisonant@canonical.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260423204841.3528502-3-tim.whisonant@canonical.com/mbox/", "series": [ { "id": 501241, "url": "http://patchwork.ozlabs.org/api/1.1/series/501241/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501241", "date": "2026-04-23T20:48:36", "name": "CVE-2026-31419", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501241/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2227594/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2227594/checks/", "tags": {}, "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 
header.s=20251003 header.b=lBx22Oc+;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1wqc5r37z1yJF\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 24 Apr 2026 11:49:16 +1000 (AEST)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wG5fK-0007G1-36; Fri, 24 Apr 2026 01:49:10 +0000", "from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wG0yj-0005Yo-V8\n for kernel-team@lists.ubuntu.com; Thu, 23 Apr 2026 20:48:54 +0000", "from mail-ot1-f70.google.com (mail-ot1-f70.google.com\n [209.85.210.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 142A83FEB7\n for <kernel-team@lists.ubuntu.com>; Thu, 23 Apr 2026 20:48:53 +0000 (UTC)", "by mail-ot1-f70.google.com with SMTP id\n 46e09a7af769-7dcc5fa38faso8122269a34.1\n for <kernel-team@lists.ubuntu.com>; Thu, 23 Apr 2026 13:48:53 -0700 (PDT)", "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 46e09a7af769-7dce6a9405asm5540360a34.5.2026.04.23.13.48.50\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 
cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 23 Apr 2026 13:48:50 -0700 (PDT)" ], "X-Received": [ "by 2002:a05:6830:8496:b0:7dc:c301:d0b7 with SMTP id\n 46e09a7af769-7dcc301e1a6mr10547924a34.28.1776977331392;\n Thu, 23 Apr 2026 13:48:51 -0700 (PDT)", "by 2002:a05:6830:8496:b0:7dc:c301:d0b7 with SMTP id\n 46e09a7af769-7dcc301e1a6mr10547913a34.28.1776977330957;\n Thu, 23 Apr 2026 13:48:50 -0700 (PDT)" ], "From": "Tim Whisonant <tim.whisonant@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][Q][PATCH 1/1] net: bonding: fix use-after-free in\n bond_xmit_broadcast()", "Date": "Thu, 23 Apr 2026 13:48:38 -0700", "Message-ID": "<20260423204841.3528502-3-tim.whisonant@canonical.com>", "X-Mailer": "git-send-email 2.43.0", "In-Reply-To": "<20260423204841.3528502-1-tim.whisonant@canonical.com>", "References": "<20260423204841.3528502-1-tim.whisonant@canonical.com>", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", 
"Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "From: Xiang Mei <xmei5@asu.edu>\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop. This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output 
(net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nFixes: 4e5bd03ae346 (\"net: bonding: fix bond_xmit_broadcast return value error bug\")\nReported-by: Weiming Shi <bestswngs@gmail.com>\nSigned-off-by: Xiang Mei <xmei5@asu.edu>\nLink: https://patch.msgid.link/20260326075553.3960562-1-xmei5@asu.edu\nSigned-off-by: Paolo Abeni <pabeni@redhat.com>\n(cherry picked from commit 2884bf72fb8f03409e423397319205de48adca16)\nCVE-2026-31419\nSigned-off-by: Tim Whisonant <tim.whisonant@canonical.com>\n---\n drivers/net/bonding/bond_main.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)", "diff": "diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c\nindex e74a1fd34724a..90ea088db6c8e 100644\n--- a/drivers/net/bonding/bond_main.c\n+++ b/drivers/net/bonding/bond_main.c\n@@ -5409,7 +5409,7 @@ static 
netdev_tx_t bond_xmit_broadcast(struct sk_buff *skb,\n \t\tif (!(bond_slave_is_up(slave) && slave->link == BOND_LINK_UP))\n \t\t\tcontinue;\n \n-\t\tif (bond_is_last_slave(bond, slave)) {\n+\t\tif (i + 1 == slaves_count) {\n \t\t\tskb2 = skb;\n \t\t\tskb_used = true;\n \t\t} else {\n", "prefixes": [ "SRU", "Q", "1/1" ] }
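Review bot: The new condition `if (i + 1 == slaves_count)` in bond_xmit_broadcast() depends on `i` and `slaves_count`, neither of which is declared or assigned in the visible context, and the diffstat shows a single changed line, so please confirm that the Q tree already has the indexed loop and the READ_ONCE() snapshot of the slave count taken before the loop, as the commit message describes. The `continue` just above skips slaves that are not up, so when the slave at the final index is down the original skb is never handed off and `skb_used` stays false; the code after the loop (not shown in this hunk) has to free the skb in that case, which is worth checking in the target tree. A one-line comment at the comparison, stating that the list-based bond_is_last_slave() must not be used here because the slave list can change during the RCU walk, would help keep the check from being reverted later.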