CVE-2025-68775

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/01/2026
Last modified:
14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net/handshake: duplicate handshake cancellations leak socket

When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed.

If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs.

This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync().

Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected.
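
The double put described above, as a single-threaded user-space model added here for illustration (it is not the kernel's code). The `model_*` names, the struct, the starting count of one reference and the test-and-set in the non-pending path are assumptions of the model; only the control flow given in the description is reproduced.

```c
#include <stdbool.h>
#include <stdio.h>
#define REQ_COMPLETED 0x1u /* stands in for HANDSHAKE_F_REQ_COMPLETED */

struct model_req {
    int sock_refs;      /* reference the request holds on the sock */
    bool on_pending;    /* still linked on the pending list */
    unsigned int flags; /* stands in for req->hr_flags */
};

/* Models remove_pending(): true only for the caller that unlinks the request. */
static bool model_remove_pending(struct model_req *r) {
    bool was_pending = r->on_pending;
    r->on_pending = false;
    return was_pending;
}

/* Single-threaded stand-in for test_and_set_bit(): returns the old state. */
static bool model_test_and_set(struct model_req *r, unsigned int bit) {
    bool was_set = (r->flags & bit) != 0;
    r->flags |= bit;
    return was_set;
}

/* fixed=false: pending path skips the flag; fixed=true: it sets the flag. */
static bool model_cancel(struct model_req *r, bool fixed) {
    if (model_remove_pending(r)) {
        if (fixed && model_test_and_set(r, REQ_COMPLETED))
            return false;
        goto out_true;
    }
    /* Assumption of this model: the non-pending path test-and-sets the flag. */
    if (model_test_and_set(r, REQ_COMPLETED))
        return false; /* duplicate or already completed */
out_true:
    r->sock_refs--; /* models the put on the sock */
    return true;
}

/* Cancel the same request twice and return the final reference count. */
static int refs_after_two_cancels(bool fixed) {
    struct model_req r = { .sock_refs = 1, .on_pending = true, .flags = 0 };
    model_cancel(&r, fixed);
    model_cancel(&r, fixed);
    return r.sock_refs;
}
int main(void) {
    printf("unfixed: %d, fixed: %d\n", refs_after_two_cancels(false), refs_after_two_cancels(true));
    return 0;
}
```

A count below zero in the unfixed run corresponds to the refcount underflow the description reports; in the fixed run the second cancel is rejected before the put.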

Impact