Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2230585,
    "url": "http://patchwork.ozlabs.org/api/patches/2230585/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260429214512.15496-2-tim.whisonant@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260429214512.15496-2-tim.whisonant@canonical.com>",
    "list_archive_url": null,
    "date": "2026-04-29T21:45:09",
    "name": "[SRU,J/N/Q,1/1] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "fb53265d74ab5cc3359a4668d20f6aa6eaabf02b",
    "submitter": {
        "id": 89903,
        "url": "http://patchwork.ozlabs.org/api/people/89903/?format=api",
        "name": "Tim Whisonant",
        "email": "tim.whisonant@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260429214512.15496-2-tim.whisonant@canonical.com/mbox/",
    "series": [
        {
            "id": 502156,
            "url": "http://patchwork.ozlabs.org/api/series/502156/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502156",
            "date": "2026-04-29T21:45:08",
            "name": "CVE-2026-31533",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/502156/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2230585/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2230585/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=KFToemmv;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5W7f1v8bz1yGq\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 07:45:33 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wICii-00078f-5y; Wed, 29 Apr 2026 21:45:24 +0000",
            "from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wICih-00078Y-Qz\n for kernel-team@lists.ubuntu.com; Wed, 29 Apr 2026 21:45:23 +0000",
            "from mail-yx1-f72.google.com (mail-yx1-f72.google.com\n [74.125.224.72])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id B7A8B3FA63\n for <kernel-team@lists.ubuntu.com>; Wed, 29 Apr 2026 21:45:23 +0000 (UTC)",
            "by mail-yx1-f72.google.com with SMTP id\n 956f58d0204a3-6501bab91baso405506d50.2\n for <kernel-team@lists.ubuntu.com>; Wed, 29 Apr 2026 14:45:23 -0700 (PDT)",
            "from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 956f58d0204a3-65bff6c3f5csm1831459d50.12.2026.04.29.14.45.20\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 29 Apr 2026 14:45:20 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777499123;\n bh=jjYIpcbYxvChFXhEBdocxgdref4Ti67DD6dCcySCCgY=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=KFToemmv8yjaaO5LbrOXq4QZyqnJ866ApridgBWg7J9U5/3QzmSzGEmgtQe9QRSxX\n q41TzqfCzj8YFNQiCqomth5/LRO5swo2/Y1gDkbdABieGEnEq/p8Zl6xevaNWtd0+h\n TdCcBD1LqL25o/Rvc5CX9BD8n4SQjhk38RSiYJqJ3EZLrWZazl/kVN1TkPUOGIgvyw\n zhha1N8n43j1lSyAGTcE7Cm8fOLcPpDGpVums3tgSd/qTjjgLSI4tQAXJAlIeakC9j\n g9Wg1R1dEhSj8jWuw8DKP9iOT7c/AGtiV/lbfNWdzUFjtlBdG9NEG7cxOHs/9kUan1\n NjIfa7EUpniDq2L/t2EMUNuLEa556+SolejKjslgDozrEyZEqj3khVqs7DU8Agbqxu\n 4Ozi6QLec/pZ/tBVKyTMskCh1q+LjB775Xc/M2HgTBKSYtZl3An8gSWYqvB1/Ov0V5\n Kv7dmnmhkFwCF64p9ixavIr1iMSI5o1rjZKAcUWZNKdNKRHuuKpqHUNgZ7bdx+gcBX\n g62LBHRDCQ2o30Fc+I7e2CB7vJK7FEYgAbJtZoWOBMTv1W9xOn2sOpxWL8b0/tFpBW\n zGalj8Disx178wnxn3IJRy8Mkyauu3o/7JZqWD8jHlddoWg1zWmy5rUmbqlFRz/Aqd\n 3iRKVb61tThvh4HYZs8jjSRA=",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777499122; x=1778103922;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=jjYIpcbYxvChFXhEBdocxgdref4Ti67DD6dCcySCCgY=;\n b=mF+9a4Y3QAMvyoQ4aLKVwm7q5mg9AaXOlOm5ZhTCqds5uLOBc7ho+4KyIukASDVxXF\n Jqvk3nxlcfotVX9RNv0SkXTBVCme2cW6ww5vpjPSQMZkOfwtBZN+R8VZp56qNTZIlE8+\n 9+ZGgkdn3AbW6hkpk8mZ5WlvnJhBIGYKdMuTT1Ih0YpyIRxRXnRQxxa+CK8ejXmVuM+t\n hLCBTNW6Xqf9hFDPtGAjFnGqYGHaQ1/BVOI3bhugXjnTV9fUf/iQI/CLkjteZJg4G5Fd\n rwgs5wfTsI8jpa6zClwYwDG+bGZtfIL8JaFkzcIGhgP4bz+QXx94HEF6faISI06+Y3Sn\n WKhA==",
        "X-Gm-Message-State": "AOJu0Yw5Rg39FyUTS4ckehxedf/MDG49dDw4P8MkBgKRyfUPk7V2BQoS\n VY0s/TddV+06klKZkkM/TjsqFh0fGZz1ZZ7X+xAiPQ/W7TwHVuOOd488t43GqtlSD9y0t4EGFpT\n LeI3OU0MkrEn1RG9K7NaqVfmeG9k4jMp5c3XvNVYnfyadVqZhFBiMRS5hxp8ILF1Cfi9BQ9jQ8d\n SQREcJRdOKwSZBCA==",
        "X-Gm-Gg": "AeBDietw1DGJGNYJnTMW4sk1BXm8PuIYvp7oK5e+Qeu5Rp8hVevQXotUJptba4d2vMd\n PjIPYgBY3tp5EHNwuZeEVgZroUC+cws8cLqbPCUp47cR4i/zjAVSe2V4uO7DkYsf5aQuUedSMxV\n 3LxlKaP4l4O2ULl5xtX9GnccoBBh9hText005T/rV8JBahdLkUFxRNXoGjlGwC2F4L/9oKegUA0\n FqoCcRCGSnK9kJbjgGm7NSus1nOa09ZjPA1owiKx7g++PSDYwgKd6kes+m0yluvgrgx1h2BfFl7\n Uedq3ZEH/4o5HUxLX27uWqNbXDty1IZPy1tYOCF7/VfBzdBnxs5NuIOUQG+0kkJ6xtjFWcgUYyp\n L22koslEN0YAoECfDkeiiZzwoXSfMI/8/CdILlLxQoy83x1ivlGfOEI9Fx39FqP9v4TczNYQrxN\n yfGeFaXzSgyNod",
        "X-Received": [
            "by 2002:a05:690e:258a:b0:654:5ffa:35af with SMTP id\n 956f58d0204a3-65c18fea1ecmr41172d50.62.1777499122129;\n Wed, 29 Apr 2026 14:45:22 -0700 (PDT)",
            "by 2002:a05:690e:258a:b0:654:5ffa:35af with SMTP id\n 956f58d0204a3-65c18fea1ecmr41157d50.62.1777499121707;\n Wed, 29 Apr 2026 14:45:21 -0700 (PDT)"
        ],
        "From": "Tim Whisonant <tim.whisonant@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[SRU][J/N/Q][PATCH 1/1] net/tls: fix use-after-free in -EBUSY error\n path of tls_do_encryption",
        "Date": "Wed, 29 Apr 2026 14:45:09 -0700",
        "Message-ID": "<20260429214512.15496-2-tim.whisonant@canonical.com>",
        "X-Mailer": "git-send-email 2.43.0",
        "In-Reply-To": "<20260429214512.15496-1-tim.whisonant@canonical.com>",
        "References": "<20260429214512.15496-1-tim.whisonant@canonical.com>",
        "MIME-Version": "1.0",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "From: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge->offset, sge->length) and decrements\nctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration.\n\nFixes: 859054147318 (\"net: tls: handle backlogging of crypto requests\")\nCc: stable@vger.kernel.org\nSigned-off-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>\nReviewed-by: Sabrina Dubroca <sd@queasysnail.net>\nLink: https://patch.msgid.link/20260403013617.2838875-1-ramdhan@starlabs.sg\nSigned-off-by: Paolo Abeni <pabeni@redhat.com>\n(cherry picked from commit a9b8b18364fffce4c451e6f6fd218fa4ab646705)\nCVE-2026-31533\nSigned-off-by: Tim Whisonant <tim.whisonant@canonical.com>\n---\n net/tls/tls_sw.c | 10 ++++++++++\n 1 file changed, 10 insertions(+)",
    "diff": "diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c\nindex d5986bb636824..c482307e0677d 100644\n--- a/net/tls/tls_sw.c\n+++ b/net/tls/tls_sw.c\n@@ -573,6 +573,16 @@ static int tls_do_encryption(struct sock *sk,\n \tif (rc == -EBUSY) {\n \t\trc = tls_encrypt_async_wait(ctx);\n \t\trc = rc ?: -EINPROGRESS;\n+\t\t/*\n+\t\t * The async callback tls_encrypt_done() has already\n+\t\t * decremented encrypt_pending and restored the sge on\n+\t\t * both success and error. Skip the synchronous cleanup\n+\t\t * below on error, just remove the record and return.\n+\t\t */\n+\t\tif (rc != -EINPROGRESS) {\n+\t\t\tlist_del(&rec->list);\n+\t\t\treturn rc;\n+\t\t}\n \t}\n \tif (!rc || rc != -EINPROGRESS) {\n \t\tatomic_dec(&ctx->encrypt_pending);\n",
    "prefixes": [
        "SRU",
        "J/N/Q",
        "1/1"
    ]
}