ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31533

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Mon May 4 08:56:01 UTC 2026 

On Wed, 29 Apr 2026 at 23:46, Tim Whisonant <tim.whisonant at canonical.com> wrote:
>
> SRU Justification:
>
> [Impact]
>
> net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
>
> The -EBUSY handling in tls_do_encryption(), introduced by commit
> 859054147318 ("net: tls: handle backlogging of crypto requests"), has
> a use-after-free due to double cleanup of encrypt_pending and the
> scatterlist entry.
>
> When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
> the cryptd backlog and the async callback tls_encrypt_done() will be
> invoked upon completion. That callback unconditionally restores the
> scatterlist entry (sge->offset, sge->length) and decrements
> ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
> error, the synchronous error path in tls_do_encryption() performs the
> same cleanup again, double-decrementing encrypt_pending and
> double-restoring the scatterlist.
>
> The double-decrement corrupts the encrypt_pending sentinel (initialized
> to 1), making tls_encrypt_async_wait() permanently skip the wait for
> pending async callbacks. A subsequent sendmsg can then free the
> tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
> pending, resulting in a use-after-free when the callback fires on the
> freed record.
>
> Fix this by skipping the synchronous cleanup when the -EBUSY async
> wait returns an error, since the callback has already handled
> encrypt_pending and sge restoration.
>
> [Fix]
>
> Resolute: not affected
> Questing: applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry picked from upstream
> Focal:    sent to forgejo
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the main encryption function for software-
> based kernel TLS in order to correct a use-after-free. Issues
> might manifest as failed or aborted encryption requests.
>
> Muhammad Alifa Ramdhan (1):
>   net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
>
>  net/tls/tls_sw.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>

-- 
Massimiliano Pellizzer

More information about the kernel-team mailing list