[SRU][N][PATCH 0/1] TLS socket disconnection causes various issues

Gerald Yang gerald.yang at canonical.com
Wed Aug 13 08:06:29 UTC 2025


BugLink: https://bugs.launchpad.net/bugs/2120516

[Impact]

Disconnecting a kernel TLS socket causes various unexpected issues.

[Fix]

This has been fixed upstream:

commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6
Author: Jakub Kicinski <kuba at kernel.org>
Date: Fri Apr 4 11:03:33 2025 -0700

    net: tls: explicitly disallow disconnect

    syzbot discovered that it can disconnect a TLS socket and then
    run into all sorts of unexpected corner cases. I have a vague
    recollection of Eric pointing this out to us a long time ago.
    Supporting disconnect is really hard, for one thing if offload
    is enabled we'd need to wait for all packets to be _acked_.
    Disconnect is not commonly used, disallow it.

It's also CVE-2025-37756 and has been SRUed to the 5.15 jammy kernel.
The 6.14 Plucky kernel also has this commit.

[Test Plan]

Use the ktls_test tool to verify basic kernel TLS functionality:
https://github.com/insanum/ktls_test.git

[Where problems could occur]

This commit only adds a disconnect function that directly returns not supported, so it shouldn't cause any regression.
If something does go wrong, it will be in the disconnect stage, and the impact should be minor.

Jakub Kicinski (1):
  net: tls: explicitly disallow disconnect

 net/tls/tls_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

-- 
2.43.0
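
A regression check to complement the test plan above, as an added example that is not part of the original message, the upstream commit or ktls_test: it attaches the "tls" ULP to a loopback TCP socket and verifies that a disconnect request is refused. Assumptions: a fixed kernel fails the request with EOPNOTSUPP, and the helper names (probe_ktls_disconnect, classify_disconnect) are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef TCP_ULP
#define TCP_ULP 31
#endif

enum result { SETUP_FAILED, KTLS_UNAVAILABLE, DISCONNECT_REJECTED, DISCONNECT_ALLOWED };

/* Assumption: a kernel carrying the fix fails the request with EOPNOTSUPP. */
enum result classify_disconnect(int rc, int err)
{
    if (rc == 0)
        return DISCONNECT_ALLOWED;              /* behaviour without the fix */
    return err == EOPNOTSUPP ? DISCONNECT_REJECTED : SETUP_FAILED;
}

enum result probe_ktls_disconnect(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET };   /* port 0: kernel picks */
    struct sockaddr unspec = { .sa_family = AF_UNSPEC };
    socklen_t len = sizeof(a);
    enum result r = SETUP_FAILED;
    int rc, lfd = socket(AF_INET, SOCK_STREAM, 0), cfd = socket(AF_INET, SOCK_STREAM, 0);

    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (lfd < 0 || cfd < 0 || bind(lfd, (struct sockaddr *)&a, sizeof(a)) ||
        listen(lfd, 1) || getsockname(lfd, (struct sockaddr *)&a, &len) ||
        connect(cfd, (struct sockaddr *)&a, sizeof(a)))
        goto out;
    /* The ULP can only be attached to an established socket with tls loaded. */
    if (setsockopt(cfd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls"))) {
        r = KTLS_UNAVAILABLE;
        goto out;
    }
    /* connect() with AF_UNSPEC is how userspace requests a TCP disconnect. */
    rc = connect(cfd, &unspec, sizeof(unspec));
    r = classify_disconnect(rc, errno);
out:
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    return r;
}

int main(void)
{
    static const char *msg[] = { "setup failed", "kTLS unavailable", "disconnect rejected", "disconnect ALLOWED" };
    printf("%s\n", msg[probe_ktls_disconnect()]);
    return 0;
}
```

Run it on a disposable test machine with the tls module loaded; "disconnect rejected" is the expected result on a kernel that includes the commit.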
