APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31533

Edoardo Canepa edoardo.canepa at canonical.com
Fri May 8 16:25:14 UTC 2026 

Applied to J/N/Q:linux/master-next. Thanks.

On 4/29/26 23:45, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
>
> The -EBUSY handling in tls_do_encryption(), introduced by commit
> 859054147318 ("net: tls: handle backlogging of crypto requests"), has
> a use-after-free due to double cleanup of encrypt_pending and the
> scatterlist entry.
>
> When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to
> the cryptd backlog and the async callback tls_encrypt_done() will be
> invoked upon completion. That callback unconditionally restores the
> scatterlist entry (sge->offset, sge->length) and decrements
> ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an
> error, the synchronous error path in tls_do_encryption() performs the
> same cleanup again, double-decrementing encrypt_pending and
> double-restoring the scatterlist.
>
> The double-decrement corrupts the encrypt_pending sentinel (initialized
> to 1), making tls_encrypt_async_wait() permanently skip the wait for
> pending async callbacks. A subsequent sendmsg can then free the
> tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still
> pending, resulting in a use-after-free when the callback fires on the
> freed record.
>
> Fix this by skipping the synchronous cleanup when the -EBUSY async
> wait returns an error, since the callback has already handled
> encrypt_pending and sge restoration.
>
> [Fix]
>
> Resolute: not affected
> Questing: applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry picked from upstream
> Focal:    sent to forgejo
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the main encryption function for software-
> based kernel TLS in order to correct a use-after-free. Issues
> might manifest as failed or aborted encryption requests.
>
> Muhammad Alifa Ramdhan (1):
>    net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
>
>   net/tls/tls_sw.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x20F88172E14F6784.asc
Type: application/pgp-keys
Size: 3167 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/a11a095b/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/a11a095b/attachment-0001.sig>

More information about the kernel-team mailing list