Cover Letter Detail
Show a cover letter.
GET /api/covers/2218773/?format=api
{ "id": 2218773, "url": "http://patchwork.ozlabs.org/api/covers/2218773/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260401215936.1178011-1-tim.whisonant@canonical.com/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260401215936.1178011-1-tim.whisonant@canonical.com>", "list_archive_url": null, "date": "2026-04-01T21:59:35", "name": "[SRU,J/N/Q,0/1] CVE-2026-23351", "submitter": { "id": 89903, "url": "http://patchwork.ozlabs.org/api/people/89903/?format=api", "name": "Tim Whisonant", "email": "tim.whisonant@canonical.com" }, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260401215936.1178011-1-tim.whisonant@canonical.com/mbox/", "series": [ { "id": 498397, "url": "http://patchwork.ozlabs.org/api/series/498397/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=498397", "date": "2026-04-01T21:59:35", "name": "CVE-2026-23351", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498397/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/2218773/comments/", "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=ZjsUhs4k;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmJnC1Vs9z1yGY\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 02 Apr 2026 08:59:58 +1100 (AEDT)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w83bC-0007M7-SL; Wed, 01 Apr 2026 21:59:42 +0000", "from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1w83bB-0007Le-M2\n for kernel-team@lists.ubuntu.com; Wed, 01 Apr 2026 21:59:41 +0000", "from mail-ot1-f71.google.com (mail-ot1-f71.google.com\n [209.85.210.71])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 8C8A93F27F\n for <kernel-team@lists.ubuntu.com>; Wed, 1 Apr 2026 21:59:41 +0000 (UTC)", "by mail-ot1-f71.google.com with SMTP id\n 46e09a7af769-7d9d60f8e3aso900167a34.3\n for <kernel-team@lists.ubuntu.com>; Wed, 01 Apr 2026 14:59:41 -0700 (PDT)", "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 46e09a7af769-7dba7199862sm770123a34.12.2026.04.01.14.59.37\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 01 Apr 2026 14:59:37 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775080781;\n bh=6UYDfB5ote1XoNBnohqNMVn+SqKn6dIrNCm3fCCLI8E=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=ZjsUhs4k5rV4eJmMDPvlPOooWweHP9U1IokM+E5mOKGi8mg06dRjjMXF46IwYPPwZ\n MMuqUFJ0Si7qB66ZjBX00AG5Vi2Gon0IBBAc49x/i/IOZEBjtSetmZmctkgr8ouZQx\n lf9PSpjVVBVidsheVUSHtM6ZzR+dGeRpmTAc2eXhZA9+f3AEAwVwo/LBUHtkcY6Bee\n D3mQ8E6He3oFH7cgJic0tuDyqP86wFQWv53Esp/l6vWromcpb8PD4/rmqMlQ5fw2nv\n fW5+4jIwaLQPLX2ZPv1waQCi5QSsEUKsNUUAayLi/zd7ZOC4wL/291yus3pc4WC2e8\n TVWJNMdzh13Y6hqpO4fYdSYul3c98MsKYwCMf6UqSJ1LtLPGpQGwaE5EQxkIusvNfy\n mjplpWQC5t08DOcHeJz/Ak5JDbOa0Cbw7A8Cw6dg4g1X6fVdBDqGGLDPz+Viwen7Ye\n 8AuzgYeCZnjBdHmUzn071t37FdvCK8yGLD1n/LN6RTb5LVDLgktFOQVpo2JvRZF06k\n 6TUzWMOYK5lk6wtzH3J9wQXWeF1yAjC4jaaCKLXwlnb8qKUDS5uF4Uasi+/BwP9HWG\n jLO6WTqupNVyP3f/xkBOEoNp1Sh7zSGnrdIn4xuhx+ZMgknERWUj4XUtVYlW/lGSmC\n I3Y/AsAgsYt89QLi2x3qiWXw=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775080780; x=1775685580;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=6UYDfB5ote1XoNBnohqNMVn+SqKn6dIrNCm3fCCLI8E=;\n b=CuZUae6pVBQPRSUVx8JFe+KnZN1VdpqswlootDMj1Y5rZ84rxhmnsxXW0dsDvstnEt\n AfTN5N3aimnGFjClJ8Khkh6oy/7hAbDAKb3O8u+k1qo9D2sgn7piIEZiFgoZs5Xb/hat\n lv0yxrV44XXz37nHpa57C+8alKFEFgEm/qyVWF1PH9XCaO6NgxaESQ2I4B0VoILvumqd\n Ty5aKlRZxBVu/4dSlBUYx1zJy3URUj42rxysGoz3v+TBQcypPw6peVliKEcoOAaQy9mx\n 1mm4DIunJQHtjKd72L+/psyfgLj1BfMxhCD/8su09tORi79QajH38mO7O1Vnsapdgls0\n 6xUA==", "X-Gm-Message-State": "AOJu0Yz/71tGuCoQMHzkmzvs8shuM1tsKItdsVBI4LQAMdhq1VPnbZ2h\n cKw+/8ktyuSw8FR2+y0u9lHALQqVaguBb4ASrWrUSmn9TwZi02v8OqGYh8LXufgbUCaNkubIXb6\n pv8d+rTu609zQURI+5GkOQraAFGRnXq04/IC9QPUE2IF5ELzqLkiFLV1CPPoQgonEguy+WFpmzr\n /XD/ML5tqKQN00QQ==", "X-Gm-Gg": "ATEYQzz2aN/WllqDlsZsZ2dAX64ld3UpzeChxqrigGtI6Q4ve3vxeXLuelhILwzoubd\n pfMouLQkzlC3gapNwtAOXvazQazGR3NFj8EJiTurrDHKNcc5r8pO6a1kl0kW9VN12Oi8iHgplfx\n oywnJpmzLHQJm7dssx1DD8GLC+FCHy0+/BCY4ga++4Zdx7DE+y2e5lWpebYTBNG1jDPQKndsREl\n Gp23HU5G8D3oKQuedDevjvlGQ/ail5X0jv6l40xXhWrveqstVY2m2jHjk6KGbT1fwQ5tpNvIF8O\n y4iiKbzWcuzM3Rb62X+MV+gdhmn/tvHCxY0WN/4IEEmyuxSj7eYi3PoLR6okVcux44b7vra0iCm\n 4rOhobeyPTYWcuv+28Hz3h8mzwsy9nqZ7+0J/Cuhxixb92BQVjK02du8Z/vnX7z65cE2iXAedS1\n P+9Q==", "X-Received": [ "by 2002:a05:6830:67c5:b0:7d7:d0f1:a132 with SMTP id\n 46e09a7af769-7db99414916mr3273648a34.22.1775080779711;\n Wed, 01 Apr 2026 14:59:39 -0700 (PDT)", "by 2002:a05:6830:67c5:b0:7d7:d0f1:a132 with SMTP id\n 46e09a7af769-7db99414916mr3273639a34.22.1775080779347;\n Wed, 01 Apr 2026 14:59:39 -0700 (PDT)" ], "From": "Tim Whisonant <tim.whisonant@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][J/N/Q][PATCH 0/1] CVE-2026-23351", "Date": "Wed, 1 Apr 2026 14:59:35 -0700", "Message-ID": "<20260401215936.1178011-1-tim.whisonant@canonical.com>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "SRU Justification:\n\n[Impact]\n\nnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n\nYiming Qian reports Use-after-free in the pipapo set type:\n Under a large number of expired elements, commit-time GC can run for a very\n long time in a non-preemptible context, triggering soft lockup warnings and\n RCU stall reports (local denial of service).\n\nWe must split GC in an unlink and a reclaim phase.\n\nWe cannot queue elements for freeing until pointers have been swapped.\nExpired elements are still exposed to both the packet path and userspace\ndumpers via the live copy of the data structure.\n\ncall_rcu() does not protect us: dump operations or element lookups starting\nafter call_rcu has fired can still observe the free'd element, unless the\ncommit phase has made enough progress to swap the clone and live pointers\nbefore any new reader has picked up the old version.\n\nThis a similar approach as done recently for the rbtree backend in commit\n35f83a75529a (\"netfilter: nft_set_rbtree: don't gc elements on insert\").\n\n[Fix]\n\nQuesting: cherry picked from upstream\nNoble: backported from linux-6.6.y\nJammy: cherry picked from linux-6.1.y\nFocal: not affected\nBionic: not affected\nXenial: not affected\nTrusty: not affected\n\n[Test Plan]\n\nCompile and boot tested.\n\n[Where problems could occur]\n\nThe change affects the Pile Packet Policies set type portion of the\nnftables framework, specifically the garbage collector, to address\na use after free. Issues would affect handling of these set type\ndata structures.\n\n[Notes]\n\n* The Jammy fix consists of two patches:\n * 25600167215 (\"netfilter: nf_tables: de-constify set commit ops function argument\")\n This patch brings the code closer to upstream. It also allows\n the fix commit to apply as a clean cherry pick.\n * 16f3595c044 (\"netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\")\n This patch is a backport of the fix commit to 6.1. It applies as a\n clean cherry pick, thanks to the first patch.\n\nFlorian Westphal (1):\n netfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n\n include/net/netfilter/nf_tables.h | 5 +++\n net/netfilter/nf_tables_api.c | 5 ---\n net/netfilter/nft_set_pipapo.c | 51 ++++++++++++++++++++++++++-----\n net/netfilter/nft_set_pipapo.h | 2 ++\n 4 files changed, 50 insertions(+), 13 deletions(-)" }