ACK: [SRU][N][PATCH 0/1] TLS socket disconnection causes various issues
Wen-chien Jesse Sung
jesse.sung at canonical.com
Tue Aug 19 03:44:22 UTC 2025
Gerald Yang <gerald.yang at canonical.com> writes:
> BugLink: https://bugs.launchpad.net/bugs/2120516
>
> [Impact]
>
> Disconnecting a kernel TLS socket causes various unexpected issues.
>
> [Fix]
>
> This has been fixed by upstream:
>
> commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6
> Author: Jakub Kicinski <kuba at kernel.org>
> Date: Fri Apr 4 11:03:33 2025 -0700
>
> net: tls: explicitly disallow disconnect
>
> syzbot discovered that it can disconnect a TLS socket and then
> run into all sort of unexpected corner cases. I have a vague
> recollection of Eric pointing this out to us a long time ago.
> Supporting disconnect is really hard, for one thing if offload
> is enabled we'd need to wait for all packets to be _acked_.
> Disconnect is not commonly used, disallow it.
>
> It's also CVE-2025-37756 and has been SRUed to the 5.15 jammy kernel.
> The 6.14 Plucky kernel also has this commit.
>
> [Test Plan]
>
> Use the ktls_test tool to verify basic kernel TLS functionality:
> https://github.com/insanum/ktls_test.git
>
> [Where problems could occur]
>
> This commit only adds a disconnect function that directly returns not supported, so it shouldn't cause any regression.
> If there is something wrong, it's in the disconnect stage, so the impact should be minor.
>
> Jakub Kicinski (1):
> net: tls: explicitly disallow disconnect
>
> net/tls/tls_main.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Wen-chien Jesse Sung <jesse.sung at canonical.com>