tls: rx: fix return value for async crypto

bmastbergen · bmastbergen · commit 9b76fe0b62f3 · 2025-11-12T10:59:27.000-05:00
jira VULN-136507 cve-pre CVE-2025-39682 commit-author Jakub Kicinski <kuba@kernel.org> commit 4d42cd6 Gaurav reports that TLS Rx is broken with async crypto accelerators. The commit under fixes missed updating the retval byte counting logic when updating how records are stored. Even tho both before and after the change 'decrypted' was updated inside the main loop, it was completely overwritten when processing the async completions. Now that the rx_list only holds non-zero-copy records we need to add, not overwrite. Reported-and-bisected-by: Gaurav Jain <gaurav.jain@nxp.com> Fixes: cbbdee9 ("tls: rx: async: don't put async zc on the list") Link: https://bugzilla.kernel.org/show_bug.cgi?id=217064 Tested-by: Gaurav Jain <gaurav.jain@nxp.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230227181201.1793772-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 4d42cd6) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
@@ -2111,7 +2111,7 @@ int tls_sw_recvmsg(struct sock *sk,
 		else
 			err = process_rx_list(ctx, msg, &control, 0,
 					      async_copy_bytes, is_peek);
-		decrypted = max(err, 0);
+		decrypted += max(err, 0);
 	}
 
 	copied += decrypted;

Original file line number	Diff line number	Diff line change
`@@ -2111,7 +2111,7 @@ int tls_sw_recvmsg(struct sock *sk,`
`2111`	`2111`	`else`
`2112`	`2112`	`err = process_rx_list(ctx, msg, &control, 0,`
`2113`	`2113`	`async_copy_bytes, is_peek);`
`2114`		`- decrypted = max(err, 0);`
	`2114`	`+ decrypted += max(err, 0);`
`2115`	`2115`	`}`
`2116`	`2116`
`2117`	`2117`	`copied += decrypted;`