ACK: [SRU][N][PATCH 0/1] net/tls: Three upstream fixes without CVE missing from Ubuntu 6.8.0-124-generic (LP: #2155609)

Jian Hui Lee jianhui.lee at canonical.com
Tue Jul 7 06:18:20 UTC 2026


Acked-by: Jian Hui Lee <jianhui.lee at canonical.com>

On Thu, Jun 25, 2026 at 6:58 AM Cengiz Can via kernel-team
<kernel-team at lists.ubuntu.com> wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/2155609
>
> [ Impact ]
>
> Three upstream net/tls bug fixes are missing from Noble (6.8.0, present
> through 6.8.0-132.133). All three touch net/tls/tls_sw.c, affect only
> kTLS sockets, and were not assigned a CVE upstream. They address data
> integrity and memory safety issues in the TLS software path:
>
>  1) Silent data drop under pipe back-pressure.
>     tls_sw_splice_read() advances rxm->offset / rxm->full_len by the
>     requested length instead of the number of bytes actually spliced
>     into the pipe. When the destination pipe cannot accept everything,
>     splice_to_pipe() returns fewer bytes than requested and the
>     difference is silently skipped, corrupting the TLS RX stream.
>
>  2) Off-by-one in the sg_chain() entry count for a wrapped sk_msg ring.
>     When the sk_msg scatterlist ring wraps (sg.end < sg.start), the
>     chain pointer is placed one entry short of the true last entry, so
>     the crypto engine is handed a malformed scatterlist.
>
>  3) chain-after-chain in the plaintext SG path.
>     When the ring is empty (end == 0) the existing code emits a chain
>     link that points directly at another chain link. The scatterlist
>     API (sg_next) does not resolve consecutive chain links, so this is
>     illegal input to crypto.
>
> [ Fix ]
>
> Clean cherry-picks of the following upstream commits, in order:
>
>   7e7be31bfdb0 ("net: tls: fix silent data drop under pipe back-pressure")
>   285943c6e7ca ("net: tls: fix off-by-one in sg_chain entry count for
>                  wrapped sk_msg ring")
>   ff26a0e8377d ("net: tls: prevent chain-after-chain in plain text SG")
>
> (1) fixes commit e062fe99cccd; (2) and (3) fix commit 9aaaa56845a0.
> Both Fixes: targets are present in Noble.
>
> [ Test Plan ]
>
> Build: CBD build cengiz-noble-a55bcaa0d741-8479
>   amd64:   BUILD-OK
>   arm64:   BUILD-OK
>   armhf:   BUILD-OK
>   ppc64el: BUILD-OK
>   s390x:   BUILD-OK
>
> Boot: PASS (Kybele uvt-kvm boot test using the amd64 CBD artifacts)
>   Kernel: 6.8.0-132-generic
>   uname -v: #133 SMP PREEMPT_DYNAMIC Wed Jun 24 11:46:08 UTC 2026
>
> [ Where Problems Could Occur ]
>
> The changes are confined to net/tls/tls_sw.c and only affect TLS
> sockets that use the kernel TLS software path. A regression would
> manifest as TLS send/receive failures or data corruption on kTLS
> sockets; traffic that does not use kTLS is unaffected.
>
> [ Other Info ]
>
> None of these commits carry a CVE upstream. They are pure upstream
> cherry-picks with no Ubuntu-specific adaptations.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team



More information about the kernel-team mailing list