[{"id":3685592,"web_url":"http://patchwork.ozlabs.org/comment/3685592/","msgid":"","list_archive_url":null,"date":"2026-05-04T08:56:01","subject":"ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31533","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/people/89057/","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"content":"On Wed, 29 Apr 2026 at 23:46, Tim Whisonant wrote:\n>\n> SRU Justification:\n>\n> [Impact]\n>\n> net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n>\n> The -EBUSY handling in tls_do_encryption(), introduced by commit\n> 859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\n> a use-after-free due to double cleanup of encrypt_pending and the\n> scatterlist entry.\n>\n> When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\n> the cryptd backlog and the async callback tls_encrypt_done() will be\n> invoked upon completion. That callback unconditionally restores the\n> scatterlist entry (sge->offset, sge->length) and decrements\n> ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an\n> error, the synchronous error path in tls_do_encryption() performs the\n> same cleanup again, double-decrementing encrypt_pending and\n> double-restoring the scatterlist.\n>\n> The double-decrement corrupts the encrypt_pending sentinel (initialized\n> to 1), making tls_encrypt_async_wait() permanently skip the wait for\n> pending async callbacks. A subsequent sendmsg can then free the\n> tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\n> pending, resulting in a use-after-free when the callback fires on the\n> freed record.\n>\n> Fix this by skipping the synchronous cleanup when the -EBUSY async\n> wait returns an error, since the callback has already handled\n> encrypt_pending and sge restoration.\n>\n> [Fix]\n>\n> Resolute: not affected\n> Questing: applied Jammy patch\n> Noble: applied Jammy patch\n> Jammy: cherry picked from upstream\n> Focal: sent to forgejo\n> Bionic: not affected\n> Xenial: not affected\n> Trusty: not affected\n>\n> [Test Plan]\n>\n> Compile and boot tested.\n>\n> [Where problems could occur]\n>\n> The change affects the main encryption function for software-\n> based kernel TLS in order to correct a use-after-free. Issues\n> might manifest as failed or aborted encryption requests.\n>\n> Muhammad Alifa Ramdhan (1):\n> net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n>\n> net/tls/tls_sw.c | 10 ++++++++++\n> 1 file changed, 10 insertions(+)\n>\n> --\n> 2.43.0\n>\n>\n> --\n> kernel-team mailing list\n> kernel-team@lists.ubuntu.com\n> https://lists.ubuntu.com/mailman/listinfo/kernel-team\n\nAcked-by: Massimiliano Pellizzer ","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=ohOnlV/W;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g8Fr945w6z1y04\n\tfor ; Mon, 04 May 2026 18:56:40 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1wJp6C-0004Kk-5h; Mon, 04 May 2026 08:56:20 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1wJp6B-0004Kd-2v\n for kernel-team@lists.ubuntu.com; Mon, 04 May 2026 08:56:19 +0000","from mail-yw1-f197.google.com (mail-yw1-f197.google.com\n [209.85.128.197])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id E93A33F1CC\n for ; Mon, 4 May 2026 08:56:18 +0000 (UTC)","by mail-yw1-f197.google.com with SMTP id\n 00721157ae682-7bd6fc10a42so41234767b3.2\n for ; Mon, 04 May 2026 01:56:18 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777884978;\n bh=sJtSNyxzMldiljQKKPAELdlvrEgS79QO6uWNAhvCVfo=;\n h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:\n To:Content-Type;\n b=ohOnlV/WbR9M/YHU4zfj6DXJ6KWuP4iWCfQXZt/eq3WKPFWx8Z1UP7VI+hBHNf+ex\n 5DWGMCqAaLfbA+zrBAh5UGOrUxnK4bBZDxUDxYFlM52Wg81LFQSvBAZa7oQstsX3ac\n nxeEULK7e1qvfb7amRlNuTtbuViO8txzgB7WXwrgtLnyh7LoJvkDMWutQJ/PbAbnhj\n SrzIm5Sdx/jVqx24gzTZIw5okoCuoy00O8jrccz82FihrWkYAiZqL1YxxDp2uMzTvb\n BjYgjTASLfuvRfCez8DjWKNa6vVPZDmNmJULc6iq04dmvi14KDWcWjX90JVpRNFOgM\n Kh6YQ+wIxDDcj8TIk8bHoBMECKStM/5oDsCyeZvmkPOS7y7e+9/dTUoFEQqAXDKKik\n vKEuzDY3LEhZVi4jdD/RwIdgigQigkMPFiFesddaE84mICuFd+dB66CRHuyiZsyL5m\n G5cYk2c45M4o0G7N41wd4TENulyQ2BL5c0ToufDnvtPrNjigTAWfnzb5m83ZNW7iOp\n l662hF1dibWY6TMocBK9cphGdcxtpA42efrsy7hS7EqNeQQWFAKQH/GIEma/tRx86+\n avdsfZaw4qCsqU9C69WGgQjiYR5R9lI/6glKYd1rYWlU91BbDBu5zrsUBV9SgpE70k\n ZLSx7l9QJ/DvHl8bq+9gTbRE=","ARC-Seal":"i=1; a=rsa-sha256; t=1777884978; cv=none;\n d=google.com; s=arc-20240605;\n b=XEzlK9+p+znWjRogNpzQmzCqSIukfsn/CxGAjrhGvkZb1dbUhWFCtz2IGjHLIlBjzN\n lrerR/Ao+y2/4h7tG8aT21i1FVq4oO1E2lF7Vhg8XjAy0JTdRFQU4wtdBhpZ8l0CG4Bj\n uizXlIfIgV2PDrRssFsPegdj01D/Gnfw1mCs+yWPt1gzcY7nC6XFlh/E09wcotGZoH0W\n g4H3IlOnu5dtIkLsT/luucRUSKC9ebVdx5PDWiEuQDvGl54iynaXIylgBRFxb3OevtrO\n /uHVV4fGfDfjjgjQ2IapwNdFudGoVcuK/vWGc9hS57Ku/Wozz05f5JokQHI3RwPVSB49\n 0lLw==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=to:subject:message-id:date:from:in-reply-to:references:mime-version;\n bh=sJtSNyxzMldiljQKKPAELdlvrEgS79QO6uWNAhvCVfo=;\n fh=+omZd+Si5sAm2/4YiqjqxCkMtIumFPFe1EIby1yU6Jg=;\n b=gzh5rdH1L9WaGutNlZy6NkHnKO5lY/M/SYBQ1WDd9wPO2WvJ+cGsztLKhiRd1WBLJp\n Qp9Hew5jOCvQgxajbsjmqGCskcSgXtfRtPnGZ9m/jdivKXTaqflpiLm/DWol5tlQfeth\n lCMX2kIFojxVgxDqN66ZuhB7GLgDJIYJF1DOO+R9we1WZcsX1Fe7u0VcAp2cYauuckXK\n mA7BMt/ZNovZ/nREnevOt8nGYvnWcWdlMxqCx1sQYeVPA2fSlsX3I8kau8PbUMpLAgse\n hLIdwa2JD2dEPlmLzNkbTmuX7eH1qbuK358M61IJWVydmsNKTB+uIic/zy8aWG+HCy7j\n 1yww==; darn=lists.ubuntu.com","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777884978; x=1778489778;\n h=to:subject:message-id:date:from:in-reply-to:references:mime-version\n :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=sJtSNyxzMldiljQKKPAELdlvrEgS79QO6uWNAhvCVfo=;\n b=JI+EKWlyHTd/BhPwGXWmNkt2KgNk3q6ne5tbxWMTo8p7wnoQmcAgwAJH/in0kkkXRm\n 4Rpcu0c4ZOkhn0v4QJUQT/sQTUSfcFAlUZHs5Mj0f34ExqHpzHpkpbG4eTt7nP+Qs2oR\n ISOJrIRuiWA7xTM+G6QZGepO900F/CtIIG7xQWKU+Jo1xxLNcijcARg2ljT/Tq7FMd24\n esibWfKSdCqE3GeOAyV8cmXjs5/oYd9B5zIiJGlqUwaIQdVX1sOfqmFk8Ce2mTGmGEzO\n 7RXWga3fIaaBTJhWqNwmtCkHMy8sGvLk8GzAjQTrlLJQpGM9zKZDC1yTvx1/W6K64Z3e\n 0tCA==","X-Gm-Message-State":"AOJu0YwAgvxa677kUDDULTpiGlYx1QxH/7veb9oyLMaSbxEeBd9vQoTk\n vYgD9N33s9edK7iq2dq2jMQZPiw3hMU1p8MoIL31vNC7/O4/iJJWIPWzwkon8+bXkKgRT1SoyLJ\n teP4zShdNUGvy9W84HAcCEhXZyhn88qz+QT0//YTwRPjacjTJDLvIEQhlCNYvPt7cUMdsAmFHO7\n Q3WL6a/dn8LO29kJqshpoWGDZeJR4eXXcEurE3T8xzEIGaZPJnaD74S6q1egJRSjwHO6s=","X-Gm-Gg":"AeBDieuQH3vaF4LnjtKJcsoIbDofnkdCFRp9jZBTdPsxv6uwKWDHYD/WCinbTka0s6N\n LUX2MnFrD72hgElwhHaoy2cX4K4YaCdUiUmkkwhAd5i/7omPNiXdKVqI2jvb/q/styr7uc6ErnB\n 7fGMFzIe+uiAPFKdPOuBidlNWN2mJWM8SUleDWHptYFykWwI8ueb9C0bfM9HXLG3RtysEBd/W8w\n qtup3akN83vA2GTzcj0RkatiXQ/047tMS8TzOj2MCk8OAeHthpJ04vuTX9ZHCo8pAj4eWqKOQ==","X-Received":["by 2002:a05:690e:168f:b0:65c:39db:7ab7 with SMTP id\n 956f58d0204a3-65c3db5108bmr8225807d50.55.1777884977868;\n Mon, 04 May 2026 01:56:17 -0700 (PDT)","by 2002:a05:690e:168f:b0:65c:39db:7ab7 with SMTP id\n 956f58d0204a3-65c3db5108bmr8225795d50.55.1777884977439; Mon, 04 May 2026\n 01:56:17 -0700 (PDT)"],"MIME-Version":"1.0","References":"<20260429214512.15496-1-tim.whisonant@canonical.com>","In-Reply-To":"<20260429214512.15496-1-tim.whisonant@canonical.com>","From":"Massimiliano Pellizzer ","Date":"Mon, 4 May 2026 10:56:01 +0200","X-Gm-Features":"AVHnY4IVTEx3KTsSB0A8yNg0UkGRgoXuRKiqq4O92hd3qOVIGRc8npz7MZkUans","Message-ID":"\n ","Subject":"ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31533","To":"Ubuntu Kernel Team ","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "}}]