ACK: [SRU][N][PATCH 0/1] net/tls: Three upstream fixes without CVE missing from Ubuntu 6.8.0-124-generic (LP: #2155609)
Jian Hui Lee
jianhui.lee at canonical.com
Tue Jul 7 06:18:20 UTC 2026
Acked-by: Jian Hui Lee <jianhui.lee at canonical.com>
On Thu, Jun 25, 2026 at 6:58 AM Cengiz Can via kernel-team
<kernel-team at lists.ubuntu.com> wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/2155609
>
> [ Impact ]
>
> Three upstream net/tls bug fixes are missing from Noble (6.8.0, present
> through 6.8.0-132.133). All three touch net/tls/tls_sw.c, affect only
> kTLS sockets, and were not assigned a CVE upstream. They address data
> integrity and memory safety issues in the TLS software path:
>
> 1) Silent data drop under pipe back-pressure.
> tls_sw_splice_read() advances rxm->offset / rxm->full_len by the
> requested length instead of the number of bytes actually spliced
> into the pipe. When the destination pipe cannot accept everything,
> splice_to_pipe() returns fewer bytes than requested and the
> difference is silently skipped, corrupting the TLS RX stream.
>
> 2) Off-by-one in the sg_chain() entry count for a wrapped sk_msg ring.
> When the sk_msg scatterlist ring wraps (sg.end < sg.start), the
> chain pointer is placed one entry short of the true last entry, so
> the crypto engine is handed a malformed scatterlist.
>
> 3) chain-after-chain in the plaintext SG path.
> When the ring is empty (end == 0) the existing code emits a chain
> link that points directly at another chain link. The scatterlist
> API (sg_next) does not resolve consecutive chain links, so this is
> illegal input to crypto.
>
> [ Fix ]
>
> Clean cherry-picks of the following upstream commits, in order:
>
> 7e7be31bfdb0 ("net: tls: fix silent data drop under pipe back-pressure")
> 285943c6e7ca ("net: tls: fix off-by-one in sg_chain entry count for
> wrapped sk_msg ring")
> ff26a0e8377d ("net: tls: prevent chain-after-chain in plain text SG")
>
> (1) fixes commit e062fe99cccd; (2) and (3) fix commit 9aaaa56845a0.
> Both Fixes: targets are present in Noble.
>
> [ Test Plan ]
>
> Build: CBD build cengiz-noble-a55bcaa0d741-8479
> amd64: BUILD-OK
> arm64: BUILD-OK
> armhf: BUILD-OK
> ppc64el: BUILD-OK
> s390x: BUILD-OK
>
> Boot: PASS (Kybele uvt-kvm boot test using the amd64 CBD artifacts)
> Kernel: 6.8.0-132-generic
> uname -v: #133 SMP PREEMPT_DYNAMIC Wed Jun 24 11:46:08 UTC 2026
>
> [ Where Problems Could Occur ]
>
> The changes are confined to net/tls/tls_sw.c and only affect TLS
> sockets that use the kernel TLS software path. A regression would
> manifest as TLS send/receive failures or data corruption on kTLS
> sockets; traffic that does not use kTLS is unaffected.
>
> [ Other Info ]
>
> None of these commits carry a CVE upstream. They are pure upstream
> cherry-picks with no Ubuntu-specific adaptations.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list