tls: rx: device: don't try to copy too much on detach

Another device offload bug, we use the length of the output
skb as an indication of how much data to copy. But that skb
is sized to offset + record length, and we start from offset.
So we end up double-counting the offset which leads to
skb_copy_bits() returning -EFAULT.

Reported-by: Tariq Toukan <tariqt@nvidia.com>
Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Tested-by: Ran Rozenstein <ranro@nvidia.com>
Link: https://lore.kernel.org/r/20220809175544.354343-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
index f0b7c9122fbae21799ae2b8f2f9b115f7d4f2f67..9b79e334dbd9efa6fd05230d48a5fc6cd9faed55 100644 (file)
--- a/net/tls/tls_strp.c
+++ b/net/tls/tls_strp.c
@@ -41,7 +41,7 @@ static struct sk_buff *tls_strp_msg_make_copy(struct tls_strparser *strp)
        struct sk_buff *skb;
        int i, err, offset;
 
-       skb = alloc_skb_with_frags(0, strp->anchor->len, TLS_PAGE_ORDER,
+       skb = alloc_skb_with_frags(0, strp->stm.full_len, TLS_PAGE_ORDER,
                                   &err, strp->sk->sk_allocation);
        if (!skb)
                return NULL;