2 files changed, 30 insertions, 12 deletions

diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index 26f26e71ef3f..e225c81e6b35 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -580,7 +580,7 @@ void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
 static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
 {
         struct strp_msg *rxm = strp_msg(skb);
-        int err = 0, offset = rxm->offset, copy, nsg;
+        int err = 0, offset = rxm->offset, copy, nsg, data_len, pos;
         struct sk_buff *skb_iter, *unused;
         struct scatterlist sg[1];
         char *orig_buf, *buf;
@@ -611,25 +611,42 @@ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
         else
                 err = 0;
 
-        copy = min_t(int, skb_pagelen(skb) - offset,
-                     rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+        data_len = rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE;
 
-        if (skb->decrypted)
-                skb_store_bits(skb, offset, buf, copy);
+        if (skb_pagelen(skb) > offset) {
+                copy = min_t(int, skb_pagelen(skb) - offset, data_len);
 
-        offset += copy;
-        buf += copy;
+                if (skb->decrypted)
+                        skb_store_bits(skb, offset, buf, copy);
 
+                offset += copy;
+                buf += copy;
+        }
+
+        pos = skb_pagelen(skb);
         skb_walk_frags(skb, skb_iter) {
-                copy = min_t(int, skb_iter->len,
-                             rxm->full_len - offset + rxm->offset -
-                             TLS_CIPHER_AES_GCM_128_TAG_SIZE);
+                int frag_pos;
+
+                /* Practically all frags must belong to msg if reencrypt
+                 * is needed with current strparser and coalescing logic,
+                 * but strparser may "get optimized", so let's be safe.
+                 */
+                if (pos + skb_iter->len <= offset)
+                        goto done_with_frag;
+                if (pos >= data_len + rxm->offset)
+                        break;
+
+                frag_pos = offset - pos;
+                copy = min_t(int, skb_iter->len - frag_pos,
+                             data_len + rxm->offset - offset);
 
                 if (skb_iter->decrypted)
-                        skb_store_bits(skb_iter, offset, buf, copy);
+                        skb_store_bits(skb_iter, frag_pos, buf, copy);
 
                 offset += copy;
                 buf += copy;
+done_with_frag:
+                pos += skb_iter->len;
         }
 
 free_buf:
diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c
index a3ebd4b02714..c3a5fe624b4e 100644
--- a/net/tls/tls_device_fallback.c
+++ b/net/tls/tls_device_fallback.c
@@ -201,13 +201,14 @@ static void complete_skb(struct sk_buff *nskb, struct sk_buff *skb, int headln)
 
         skb_put(nskb, skb->len);
         memcpy(nskb->data, skb->data, headln);
-        update_chksum(nskb, headln);
 
         nskb->destructor = skb->destructor;
         nskb->sk = sk;
         skb->destructor = NULL;
         skb->sk = NULL;
 
+        update_chksum(nskb, headln);
+
         delta = nskb->truesize - skb->truesize;
         if (likely(delta < 0))
                 WARN_ON_ONCE(refcount_sub_and_test(-delta, &sk->sk_wmem_alloc));