{"id":2231266,"url":"http://patchwork.ozlabs.org/api/patches/2231266/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/137966d0b7070d6b063a9bea4ba89598ce54240a.1777552173.git.massimiliano.pellizzer@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<137966d0b7070d6b063a9bea4ba89598ce54240a.1777552173.git.massimiliano.pellizzer@canonical.com>","list_archive_url":null,"date":"2026-04-30T12:30:32","name":"[SRU,J,4/9] crypto: algif_aead - snapshot IV for async AEAD requests","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f875013c8eddd9c6fad201e06f6939349fe96f51","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/137966d0b7070d6b063a9bea4ba89598ce54240a.1777552173.git.massimiliano.pellizzer@canonical.com/mbox/","series":[{"id":502300,"url":"http://patchwork.ozlabs.org/api/series/502300/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502300","date":"2026-04-30T12:30:28","name":"CVE-2026-31431","version":1,"mbox":"http://patchwork.ozlabs.org/series/502300/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231266/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231266/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=ZAKY20yK;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5tpP1Q04z1yGq\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 22:31:57 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wIQYV-0005lT-8h; Thu, 30 Apr 2026 12:31:47 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1wIQYJ-00052q-Pn\n for kernel-team@lists.ubuntu.com; Thu, 30 Apr 2026 12:31:35 +0000","from mail-wm1-f70.google.com (mail-wm1-f70.google.com\n [209.85.128.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 1D0D83F427\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 12:31:35 +0000 (UTC)","by mail-wm1-f70.google.com with SMTP id\n 5b1f17b1804b1-488c2aa6becso6892565e9.2\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 05:31:35 -0700 (PDT)","from tuxedo-infinitybook.ts.net\n (net-93-71-66-38.cust.vodafonedsl.it. [93.71.66.38])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a81ed6bafsm103695005e9.2.2026.04.30.05.31.33\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 30 Apr 2026 05:31:33 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777552295;\n bh=IcmmCslG0s/RQKLumpZClUY5ZfbkBC1XRMA3o/OywM8=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=ZAKY20yK6LO799kj1mH3ksw+OABzGZZ0mHf9ZrdzYYBJC5Fw1AXNwMXkVS3B7fFZr\n 1WrG8eV4RgKBD413XjrEYGkdfcN4kPi1dfKTXvNc4b6KX1SFehLYuZZ12Qmw4SpT1T\n 8ZsceBvugIIlRrvrdW26dGqrSiHi9LpCCKnQda5WZjS+ZoK03DZ/1oZnwKjKu70z3J\n gLfad82Z1TkIasAx3LSJ3RTJvFZeVrfvYTtTW4i4pYyhs/CR61QoUYopSrVlQKri4t\n g66TfAwG2yo1WKOgzg8JX9uiqbj3ordc0mARN3zz9PE83DUJ6SLCbVTnDm+AVqszOY\n dp9KxZciJ7mJdqjB8pspxy6GcjSuSdH3sHnQ8DQUS6vu4IVxqDN8UgZeh3CfafoBDj\n 5c7TSN5JcHKubgffLQ/+WXIHMBP1ofT1Di72bOnOZjI3WN4D+P6FORxISVxWiJcRZe\n cMfVLjw9YUqZpksmdOXy4WhQjlSe+LAPnlu9fnRImMIIxXtGMaD4EWG/acbKbjlbJd\n LULdIq+Y7VyH4CCVlFvwITQwUPNi2ZuLRaK4+CNqLcLw1xC6dmR6yScvtxpxGZq1vF\n dZrD0Y7bUKJFZSrqPXlFNYQFFLR3fSLI+h7KzpBBNDkY5kUU5tvSR4LOMybdJ29KAT\n yYkx20pc1OgWNuILHym7HBSY=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777552294; x=1778157094;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=IcmmCslG0s/RQKLumpZClUY5ZfbkBC1XRMA3o/OywM8=;\n b=rK13Ks+UpPLZHfeCTyMgy2RXJAigDPor6rTm6mniGcWk8wgWzgvNzmGdgSdJtKTsMI\n rWDLVurFaqPP8z968TN3qLVriVWas4eguWV8aD44ncHr+9kxwvEaaMFmW8GhpfL20kVk\n GUvT8LdJf2lXuql2qjzqd8bARHMfqmtpaawSKLKpMHKXU7ALGLifw0BdIDlOLnDVSHQ4\n qEZ/6cx9XkIyGLNYUkA4TCA/0qS/GDJWXISRfxbfy2R2ys+lP8rGZzYf5HbluYQsKQGQ\n /At/TVfaQWKrhLJ15LtvY0xIjlugfNtWYMTeSWaaMS8NoLONqt8VJ6B6T0ALcH+AurcN\n rz7A==","X-Gm-Message-State":"AOJu0YwbwLcGmcbDF9Qwxc67EGDkamtP96nuenFDEQ7OLRFHaDIXwxSs\n H/7XMBJNgtvTqha8p+oK45lqAYJm13OAPKjbnbrNPUYB/kWODyWvf9TMHoM/eHBrM7CWMbnqPZ5\n LM9C+0EaL7UQy4sxMQWXNGYHxyZPgZkz/VnmZD8RNXuIg8anbI00GYMLZJk/9azKmaznMooZi8Z\n zgiR2iqmL9nFsxSQ==","X-Gm-Gg":"AeBDieu7itT9D+mpbPOMoQVzF/P27IKgubBFpoGVNw6TKZ1NOH9wRkFVxlDPE/QgjpU\n 4Aa7tLeCLFEV+fHf8wF3F9lIgk0/qHKDsodPAIGlsiFue7oWe8q7dMjV9Tsd66IN8mUVXQEuvYZ\n G/jOfhluXHjF2MPn+jhgszrTARKS7ZomwTgQm5kJ7XFSs/PFxvTAIjvZh1uk4Iko3dMjQqqHYdD\n TzksGK+fXz3fkQh8OENUHwUuumr1kldCekxKkyDA9kl6F2QKNAynESCm97PojF9vk1zNkHNjxIe\n vX3fb2BHBoXIXkvCrDd9NTyAAzNOvFzxCkyyI5vC/lVMr8IKvuWPBsTjdjnn37lrQv/vjWveDr5\n N90EGr/WNJbhUPtDnqTSE88apka1FozreQ34UZ7YdzWgXAl2Fir+MK3DOLhPvMAFXLpAjDpE3C2\n hp9nLMu1MR3vqfribqIVQczs8jF0LW4EmS7Qal4YXBMt9OJsg7rh7FDr3/PuvmATSP+dZqHABcf\n TgtZ/Ss3dxfoaFPUDoeC6E=","X-Received":["by 2002:a05:600c:19c9:b0:488:b749:8482 with SMTP id\n 5b1f17b1804b1-48a83d66bb4mr45223615e9.4.1777552294330;\n Thu, 30 Apr 2026 05:31:34 -0700 (PDT)","by 2002:a05:600c:19c9:b0:488:b749:8482 with SMTP id\n 5b1f17b1804b1-48a83d66bb4mr45223005e9.4.1777552293780;\n Thu, 30 Apr 2026 05:31:33 -0700 (PDT)"],"From":"Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH 4/9] crypto: algif_aead - snapshot IV for async AEAD\n requests","Date":"Thu, 30 Apr 2026 14:30:32 +0200","Message-ID":"\n <137966d0b7070d6b063a9bea4ba89598ce54240a.1777552173.git.massimiliano.pellizzer@canonical.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<cover.1777552173.git.massimiliano.pellizzer@canonical.com>","References":"\n <177754965576.503496.12142658280614619991@tuxedo-infinitybook.public>\n <cover.1777552173.git.massimiliano.pellizzer@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Douya Le <ldy3087146292@gmail.com>\n\ncommit 5aa58c3a572b3e3b6c786953339f7978b845cc52 upstream.\n\nAF_ALG AEAD AIO requests currently use the socket-wide IV buffer during\nrequest processing.  For async requests, later socket activity can\nupdate that shared state before the original request has fully\ncompleted, which can lead to inconsistent IV handling.\n\nSnapshot the IV into per-request storage when preparing the AEAD\nrequest, so in-flight operations no longer depend on mutable socket\nstate.\n\nFixes: d887c52d6ae4 (\"crypto: algif_aead - overhaul memory management\")\nCc: stable@kernel.org\nReported-by: Yuan Tan <yuantan098@gmail.com>\nReported-by: Yifan Wu <yifanwucs@gmail.com>\nReported-by: Juefei Pu <tomapufckgml@gmail.com>\nReported-by: Xin Liu <bird@lzu.edu.cn>\nCo-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>\nSigned-off-by: Luxing Yin <tr0jan@lzu.edu.cn>\nTested-by: Yucheng Lu <kanolyc@gmail.com>\nSigned-off-by: Douya Le <ldy3087146292@gmail.com>\nSigned-off-by: Ren Wei <n05ec@lzu.edu.cn>\nSigned-off-by: Herbert Xu <herbert@gondor.apana.org.au>\nSigned-off-by: Eric Biggers <ebiggers@kernel.org>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n(cherry picked from commit a920cabdb0b7cf1f4e11a20524253ae5bd09092b linux-5.15.y)\nCVE-2026-31431\nSigned-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>\n---\n crypto/algif_aead.c | 10 ++++++++--\n 1 file changed, 8 insertions(+), 2 deletions(-)","diff":"diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c\nindex f59728c021fc8..24e77f4968a61 100644\n--- a/crypto/algif_aead.c\n+++ b/crypto/algif_aead.c\n@@ -72,8 +72,10 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,\n \tstruct af_alg_ctx *ctx = ask->private;\n \tstruct crypto_aead *tfm = pask->private;\n \tunsigned int as = crypto_aead_authsize(tfm);\n+\tunsigned int ivsize = crypto_aead_ivsize(tfm);\n \tstruct af_alg_async_req *areq;\n \tstruct scatterlist *rsgl_src, *tsgl_src = NULL;\n+\tvoid *iv;\n \tint err = 0;\n \tsize_t used = 0;\t\t/* [in]  TX bufs to be en/decrypted */\n \tsize_t outlen = 0;\t\t/* [out] RX bufs produced by kernel */\n@@ -125,10 +127,14 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,\n \n \t/* Allocate cipher request for current operation. */\n \tareq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +\n-\t\t\t\t     crypto_aead_reqsize(tfm));\n+\t\t\t\t     crypto_aead_reqsize(tfm) + ivsize);\n \tif (IS_ERR(areq))\n \t\treturn PTR_ERR(areq);\n \n+\tiv = (u8 *)aead_request_ctx(&areq->cra_u.aead_req) +\n+\t     crypto_aead_reqsize(tfm);\n+\tmemcpy(iv, ctx->iv, ivsize);\n+\n \t/* convert iovecs of output buffers into RX SGL */\n \terr = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages);\n \tif (err)\n@@ -187,7 +193,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,\n \n \t/* Initialize the crypto operation */\n \taead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,\n-\t\t\t       areq->first_rsgl.sgl.sg, used, ctx->iv);\n+\t\t\t       areq->first_rsgl.sgl.sg, used, iv);\n \taead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);\n \taead_request_set_tfm(&areq->cra_u.aead_req, tfm);\n \n","prefixes":["SRU","J","4/9"]}