Cover Letter Detail
Show a cover letter.
GET /api/covers/2194772/?format=api
{ "id": 2194772, "url": "http://patchwork.ozlabs.org/api/covers/2194772/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260209204547.486260-1-tim.whisonant@canonical.com/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260209204547.486260-1-tim.whisonant@canonical.com>", "list_archive_url": null, "date": "2026-02-09T20:45:42", "name": "[SRU,J/N/Q,0/1] CVE-2026-23074", "submitter": { "id": 89903, "url": "http://patchwork.ozlabs.org/api/people/89903/?format=api", "name": "Tim Whisonant", "email": "tim.whisonant@canonical.com" }, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260209204547.486260-1-tim.whisonant@canonical.com/mbox/", "series": [ { "id": 491568, "url": "http://patchwork.ozlabs.org/api/series/491568/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=491568", "date": "2026-02-09T20:45:42", "name": "CVE-2026-23074", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/491568/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/2194772/comments/", "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=Tjixrwwj;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4f8xYY6g7rz1xwH\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 10 Feb 2026 07:46:09 +1100 (AEDT)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1vpY8n-0007lX-4k; Mon, 09 Feb 2026 20:45:53 +0000", "from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1vpY8l-0007lG-I7\n for kernel-team@lists.ubuntu.com; Mon, 09 Feb 2026 20:45:51 +0000", "from mail-yw1-f200.google.com (mail-yw1-f200.google.com\n [209.85.128.200])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 5C0393F0F8\n for <kernel-team@lists.ubuntu.com>; Mon, 9 Feb 2026 20:45:51 +0000 (UTC)", "by mail-yw1-f200.google.com with SMTP id\n 00721157ae682-7962f1424d2so1928077b3.2\n for <kernel-team@lists.ubuntu.com>; Mon, 09 Feb 2026 12:45:51 -0800 (PST)", "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 00721157ae682-79653267f4bsm19855447b3.21.2026.02.09.12.45.48\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 09 Feb 2026 12:45:48 -0800 (PST)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1770669951;\n bh=D1A1iEPqzG6ClfPgQGww/+4WqujjZH+DyMr4trR9FEo=;\n h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type;\n b=Tjixrwwj2GD0/yL/6KW3rhRWOydtcevx67gjZILmpqyrnQvAjyqnbGMHvmU/jAlzV\n HYTnpMssJBRSQboF+Ql67iaeB4wEWSSDNdZz6ZgWetIcFKKyVLzT2+rv5WyTQ7oAGe\n Up0RBnWMO9m+cqn2tMrRECr3KFjyNt+kglgZA5Nq68oOmslewy9G9KJq159bVo5SpW\n 06mnZuvd2HmGh8SRAzAFWL5B/l1nm22avDk5nCCzdp83OgwTy7wJSkHpsM/0tpKDej\n 8KUtdI31c7eUzTIKAe7l95RrwoQ7uFnkoZbYqLeNgV9yUWXjyfIhJuhKq5t6Ii0PF3\n Q0dNzwDnLrywG1mgXpICCDjjYydUYWZgbee2G59/e2GT3DyjB47qpwg32XK4Rs92ua\n TANCg8qgufEMlPtI6A2Q6sSXV1WpenOXhSVQeedD4sG5CAYsDrBb/CPYVzrPfBOFK7\n 905BFHnSoji76yMKNc6T9F0AITvhUOFCeTS5a/BgLZhj7s1B7hQ7tCvu1bfrBYeHKU\n bbrep3LV8ApJ+GEnb06rKAf1B24C6VFW260CLwiPXTf0mrFLZvvfguHhDFE30HgiJM\n Xv+CQgCGADvM8as/pMYVxD+c3aEh0j/8KVERNzdAvra1camdcS30Ydp//gTuFb0g9R\n 9y9KbKsS2LeG6NQxf3IpG2BA=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1770669950; x=1771274750;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=D1A1iEPqzG6ClfPgQGww/+4WqujjZH+DyMr4trR9FEo=;\n b=EgPijBXcm//jLJP2qa9ulWNCwV4JrGi8EU7bkQtMQD/oLRXp4uG+/TRQCOsNcuQl2Y\n Ul+lB3LMp0/is1jUTXLhS8p8IczYz8w6pmasPA5FfKm2KTyMkR9+q1CAW/o5kNf3+BAo\n JfJ0MQZPY5ck9gQQ50bAgPRqY78qz6gEYySg3mZdCpIMg3++TvOxpdryFGh/UNA0bAsC\n WlOv5vCfADqB1sdSfFtvqOYWYdBesdoMHq0MTEuQVC7m7KP+P1pELC/r4d8VihTZtXdA\n DkAuPYZTvw3SVNruDO6yVpGX0/Y7bJxckuRbMTb5GrjC0kZ8DTtKsVqVL3tO/IJmqS92\n XDSQ==", "X-Gm-Message-State": "AOJu0Yx5RqNNa7G3GvIOtcTJIEvikUOiNAe9tPd6u0Ggs+QDofZ+6xxZ\n VzeXVJv64CMQ2ATUMk+GECwR9hcemkfg6OU2G2whpGptmRdXovkSbIY+az/ZmAUfP0RFv1jrlqq\n Jx43N/lW0kMZxjDaIXLVv93unMBbEwKrWJRTnx1Mlcs/e8fIFDj2ncLvA+2o0nAO86MbFQKbcf6\n 1Z58k5vAiakLeiYw==", "X-Gm-Gg": "AZuq6aIETjZopz/8ofwXMQl9Pzxkb8AITfl7sGmDe/WqMJ9ml1Bku6jhi0RjkThpaG0\n BrMMTdodTyFLFi3TUJeGlo+0nJ8QJaGpBF/O1ZYfXp6lmKGa7mEa4+AnF8woW3mk5MuRDwhGU4y\n lWi0dH2datzS4NbQWSjgufqCV6gw1ZW2ecT9pallpo2yDDnws8fbrTJVb8/DOnAqwcGwVpKRkbr\n hlhMcT8hq/7Sq2T0gsBjl5hegvRzT9ax2GkROD9h8l3rqTfPZROiE21zgEKQOT2oaj0p6n7TSrU\n l+d4w9BSlhTD2t0GHvpMe7mVpZ6V7ChGRNieDXsAlTzLXbk6w0MMxgbJAMDM+ce88EP4HLfcM5Y\n +z6zISVnY7U8FHPlVA7+SG5XwGEmSCrszqhhr81Nc600/+Iw/4GG/QTx3YRxco0SP", "X-Received": [ "by 2002:a05:690c:6b09:b0:794:f6e5:b1a1 with SMTP id\n 00721157ae682-7952ab3cca0mr115409987b3.58.1770669949737;\n Mon, 09 Feb 2026 12:45:49 -0800 (PST)", "by 2002:a05:690c:6b09:b0:794:f6e5:b1a1 with SMTP id\n 00721157ae682-7952ab3cca0mr115409747b3.58.1770669949163;\n Mon, 09 Feb 2026 12:45:49 -0800 (PST)" ], "From": "Tim Whisonant <tim.whisonant@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][J/N/Q][PATCH 0/1] CVE-2026-23074", "Date": "Mon, 9 Feb 2026 12:45:42 -0800", "Message-ID": "<20260209204547.486260-1-tim.whisonant@canonical.com>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "SRU Justification:\n\n[Impact]\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n └── class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql's enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch->q.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2's lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem's delay), a dangling pointer is\naccessed causing GangMin's causing a UAF.\n\n[Fix]\n\nQuesting: applied Jammy patch\nNoble: applied Jammy patch\nJammy: cherry-picked from upstream\nFocal: sent to forgejo\nBionic: sent to ESM ML\nXenial: sent to ESM ML\nTrusty: sent to ESM ML\n\n[Test Plan]\n\nCompile and boot tested.\n\n[Where problems could occur]\n\nThe change is applied to the True Link Equalizer (TEQL)\npacket scheduling queueing discipline to avoid a use\nafter free. Issues might arise in workloads utilizing\nthis queueing discipline.\n\nJamal Hadi Salim (1):\n net/sched: Enforce that teql can only be used as root qdisc\n\n net/sched/sch_teql.c | 5 +++++\n 1 file changed, 5 insertions(+)" }