GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.1/patches/2229939/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2229939,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229939/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260428230500.4105927-2-tim.whisonant@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null
    },
    "msgid": "<20260428230500.4105927-2-tim.whisonant@canonical.com>",
    "date": "2026-04-28T23:04:57",
    "name": "[SRU,J/N/Q,1/1] net: fix fanout UAF in packet_release() via NETDEV_UP race",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "4c326116b761ce79d45d9af2bd4e7fe7fd4548f7",
    "submitter": {
        "id": 89903,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/89903/?format=api",
        "name": "Tim Whisonant",
        "email": "tim.whisonant@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260428230500.4105927-2-tim.whisonant@canonical.com/mbox/",
    "series": [
        {
            "id": 501948,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/501948/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501948",
            "date": "2026-04-28T23:04:56",
            "name": "CVE-2026-31504",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/501948/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2229939/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2229939/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=kuewwD7B;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4wy52bPdz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 09:05:17 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wHrUO-00049R-I8; Tue, 28 Apr 2026 23:05:12 +0000",
            "from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wHrUM-00047k-Mh\n for kernel-team@lists.ubuntu.com; Tue, 28 Apr 2026 23:05:10 +0000",
            "from mail-yx1-f71.google.com (mail-yx1-f71.google.com\n [74.125.224.71])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 903103F85A\n for <kernel-team@lists.ubuntu.com>; Tue, 28 Apr 2026 23:05:10 +0000 (UTC)",
            "by mail-yx1-f71.google.com with SMTP id\n 956f58d0204a3-650709ef300so1301694d50.0\n for <kernel-team@lists.ubuntu.com>; Tue, 28 Apr 2026 16:05:10 -0700 (PDT)",
            "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 956f58d0204a3-65bff6c4113sm344475d50.11.2026.04.28.16.05.07\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 28 Apr 2026 16:05:08 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777417510;\n bh=O5wdeBaHNUO7og758evU4NAujJzWjWCkxlXlk1lGRPc=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=kuewwD7BS10mHVj0JrzP4r0XRQKsI0gMiNE06c5xsXPH23Y1p9Pk/FH0xPIKAgL92\n 2+B/xGIkw6CUUnM1SNi/QdIeDNTv92K0Y03H73m9rIwbSnh6TcYCU9dmu+iD6T4tJ4\n 1ZXsx77q04IXg57l2ov2lPvD65f12aei1mwPSiohPy98bDweuRBQ4mjaW2VigC3EfA\n yJFiZATsNjDlpjsSdPDaohAfn/vaI43qB9J/j0T4f2OCGK1hkSPkcoKdROYTrzLwkP\n jSppdtmwdG2ZQb5ABH0ohrl8qAZci4HSyPFwvfmiAsSSVirQtInU4dFWrrYdzukMmI\n YArXBhBbwq2DEys+W5Q8PxXn7YZkx8rfNQ2Bxuewc1xMCTYHWONvWQE6vmpkS9vGJf\n o3y0zhSXq3jN9zYeuBRdfeSUgR6dZy8+vQTplzQOpKSNpbD82oCDcskL1cc4uHVpBg\n sVeQw9dnBSGZtaPT+bLsKPrA08nkJA+9kcTjvOVtVqDBFrCXU/yLf/L6OeRS8q4dur\n 7c1y+QYrvY6WQPE3plhzZtGB9ir0XwhTQ/vTZwrun/pt2j/CjonkpA14K9NH6fC2T7\n M8bv2f+pwFBI1HRAyXEswWY/iyE9JSmG96HE0spgDh8vzRlVNkTaPkjwCohHR623iI\n Y6vYxkjQ1OdDqGSS+SeQhqcM=",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777417509; x=1778022309;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=O5wdeBaHNUO7og758evU4NAujJzWjWCkxlXlk1lGRPc=;\n b=hN8u6Axl54smyBoexKdK7sW/RPIl5DG44DznhXAKQLI3+EMbEoFPvwfBG0ug3P62rp\n XPxVGt/1cegFuenTXzMeWXLokGbnSVk94ZNh1v3LiO/nFifbW5AzRouV1qET1k2Sv9Rj\n ZDSrn8n98FvLridJxcvIuRw1PRnAdZ1PtnRAB934QQq7BS8fqnpl7h33RD9s0RQIjsvT\n IPnR7/cX+0M4i+0xs4Q2NDENIoV9jeid2JLwQA6tvgz48ym7bbyMR3EujdCXOEKR0qOr\n 3ErTpWXi90wXpXS20rv6RmX+Of0uMJqC6RB26byE7TC/3sD8LMlqIseupaPhVklGWiM1\n jtzg==",
        "X-Gm-Message-State": "AOJu0YxmXc8wf7r3HijaBBGXWpF9nchxuX1DmrImYgrroe695MG2ElFq\n BkMgmjZNUH9r30r5MQIEEelUSx2J15OFX4ux8PMWmgQPILMepbsGRJBLCAlEpu2kmuVv/EV9ouZ\n 0ikb6SnvylCO8tSXUqeA39l3e4H29F9rheWWHElGWIcyLzJeTmkB+fpzhtjkFMp5yN1lDCrLrvK\n ETlR7b2jYNH8xFrA==",
        "X-Gm-Gg": "AeBDiesHe9rgYwUTY5mPVTrkPcYKBy1NSIr8mGKobzAeB7XJZ89vnLv3nqiHwYv73uK\n 1CnGaGrBCzDF3XYw+VJbl1rpwfjsa5ThTkNTfn4MA77QiVKXnfKMGtPkqh35ayEe6oNF5/fZxzi\n 3zDmPjZpsPxhGIcGhqgrTLNIz/4a5McKIjPftzI7zk4tHbTRO2iDb8OkKqOZPc4mgFAna54Gg5F\n I6yKXvB+JvIA+uro4WdHkhMcgFYoL0WjRG2BJmn553V3x1IPo4cteemd9k5sHWA0FfED40+SuJR\n TcydN+K62xjCT0RUYt7/nbx5fjDGHfSEL42gwdNyJGIEeh6Po4Qu9i8/A72AVP0mVb8pOH/Pmoa\n Jc8xJUsbU5B63Dvm1j+/GeAIW2u0wq9oPQ53tZBuVStLNnyvl4DkLnboNJbiiFyX/IM1uMrE65G\n vC1ZpMOZTv5Ues",
        "X-Received": [
            "by 2002:a05:690e:e8d:b0:654:6ccc:69ec with SMTP id\n 956f58d0204a3-65bfe52fa64mr736302d50.13.1777417509138;\n Tue, 28 Apr 2026 16:05:09 -0700 (PDT)",
            "by 2002:a05:690e:e8d:b0:654:6ccc:69ec with SMTP id\n 956f58d0204a3-65bfe52fa64mr736263d50.13.1777417508561;\n Tue, 28 Apr 2026 16:05:08 -0700 (PDT)"
        ],
        "From": "Tim Whisonant <tim.whisonant@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[SRU][J/N/Q][PATCH 1/1] net: fix fanout UAF in packet_release() via\n NETDEV_UP race",
        "Date": "Tue, 28 Apr 2026 16:04:57 -0700",
        "Message-ID": "<20260428230500.4105927-2-tim.whisonant@canonical.com>",
        "X-Mailer": "git-send-email 2.43.0",
        "In-Reply-To": "<20260428230500.4105927-1-tim.whisonant@canonical.com>",
        "References": "<20260428230500.4105927-1-tim.whisonant@canonical.com>",
        "MIME-Version": "1.0",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "From: Yochai Eisenrich <echelonh@gmail.com>\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.\n\nFixes: ce06b03e60fc (\"packet: Add helpers to register/unregister ->prot_hook\")\nLink: https://blog.calif.io/p/a-race-within-a-race-exploiting-cve\nSigned-off-by: Yochai Eisenrich <echelonh@gmail.com>\nReviewed-by: Willem de Bruijn <willemb@google.com>\nLink: https://patch.msgid.link/20260319200610.25101-1-echelonh@gmail.com\nSigned-off-by: Jakub Kicinski <kuba@kernel.org>\n(cherry picked from commit 42156f93d123436f2a27c468f18c966b7e5db796)\nCVE-2026-31504\nSigned-off-by: Tim Whisonant <tim.whisonant@canonical.com>\n---\n net/packet/af_packet.c | 1 +\n 1 file changed, 1 insertion(+)",
    "diff": "diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c\nindex 6e7c94fa02bd9..d1ad069271f8b 100644\n--- a/net/packet/af_packet.c\n+++ b/net/packet/af_packet.c\n@@ -3147,6 +3147,7 @@ static int packet_release(struct socket *sock)\n \n \tspin_lock(&po->bind_lock);\n \tunregister_prot_hook(sk, false);\n+\tWRITE_ONCE(po->num, 0);\n \tpacket_cached_dev_reset(po);\n \n \tif (po->prot_hook.dev) {\n",
    "prefixes": [
        "SRU",
        "J/N/Q",
        "1/1"
    ]
}