Re: [PATCH net] net/tls: fix slab-out-of-bounds bug in decrypt_internal
From: Jakub Kicinski <kuba@kernel.org>
Date: 2022-03-31 04:28:33
Also in:
linux-crypto, lkml
On Thu, 31 Mar 2022 10:35:41 +0800 Ziyang Xuan (William) wrote:
> I am thinking about whether skb_copy_bits() is necessary in non-TLS_1_3_VERSION and non-TLS_CIPHER_CHACHA20_POLY1305 scenarios?
It's not necessary there, but we should not make that change be part of the fix, the fix should be minimal. I'll send a separate patch to move the skb_copy_bits() call later on. I think for the fix all you should do is replace the crypto_aead_ivsize(ctx->aead_recv)); line with prot->iv_size + prot->salt_size);
> If the initial iv+salt negotiated configuration for tx/rx offload is right and reliable, what is the reason why we have to extract the iv value from the received skb instead of using the negotiated iv value? Can it be modified, or does it just follow the spec for versions below TLS_1_3_VERSION?
TLS 1.3 does not send the nonce as part of the record. Instead the record number is always used as nonce in crypto.
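The two nonce constructions discussed in this thread, as an added standalone example that is not the kernel's net/tls code and not part of the original mail. It models RFC 5288 (TLS 1.2 AES-GCM: 4-byte implicit salt followed by an 8-byte explicit nonce carried at the front of each record) and RFC 8446 section 5.3 (TLS 1.3: per-record nonce = static write_iv XOR the left-padded record sequence number, nothing read from the record). The struct `tls_nonce_params` and its field names are assumptions standing in for whatever the kernel negotiates; the point illustrated is that the number of bytes copied out of the record must be the negotiated explicit-nonce size (zero for TLS 1.3), never the size of some larger destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define AEAD_NONCE_LEN 12   /* AES-GCM and ChaCha20-Poly1305 both use 96-bit nonces */

/* Hypothetical parameter block; stands in for the negotiated TLS state. */
struct tls_nonce_params {
    int version_13;                    /* 1 for TLS 1.3, 0 for TLS 1.2 */
    size_t salt_size;                  /* implicit nonce bytes from the key block (TLS 1.2) */
    size_t iv_size;                    /* explicit nonce bytes carried in each record (TLS 1.2) */
    uint8_t salt[AEAD_NONCE_LEN];      /* TLS 1.2 implicit part */
    uint8_t write_iv[AEAD_NONCE_LEN];  /* TLS 1.3 static write_iv */
};

/* How many nonce bytes must be read out of an incoming record.
 * TLS 1.3 sends none; TLS 1.2 sends exactly the negotiated explicit size. */
size_t tls_explicit_nonce_len(const struct tls_nonce_params *p)
{
    return p->version_13 ? 0 : p->iv_size;
}

/* Build the 12-byte AEAD nonce for record number seq into out.
 * record points at the first byte after the 5-byte TLS record header and
 * record_len is the number of bytes available there.
 * Returns 0 on success, -1 if the sizes are inconsistent or the record is
 * too short to hold the explicit nonce. */
int tls_build_nonce(const struct tls_nonce_params *p, uint64_t seq,
                    const uint8_t *record, size_t record_len,
                    uint8_t out[AEAD_NONCE_LEN])
{
    size_t need = tls_explicit_nonce_len(p);
    size_t i;

    if (p->version_13) {
        /* RFC 8446 5.3: nonce = write_iv XOR (seq as 64-bit big-endian,
         * left-padded with zeros to the nonce length). */
        memcpy(out, p->write_iv, AEAD_NONCE_LEN);
        for (i = 0; i < 8; i++)
            out[AEAD_NONCE_LEN - 1 - i] ^= (uint8_t)(seq >> (8 * i));
        return 0;
    }

    /* TLS 1.2: salt || explicit nonce must fill the nonce exactly. */
    if (p->salt_size > AEAD_NONCE_LEN || p->salt_size + need != AEAD_NONCE_LEN)
        return -1;
    /* Bound the copy by the negotiated size AND by what the record holds. */
    if (record_len < need)
        return -1;

    memcpy(out, p->salt, p->salt_size);
    memcpy(out + p->salt_size, record, need);
    return 0;
}

int main(void)
{
    /* Constructed sample values, not real keys or traffic. */
    struct tls_nonce_params p13 = { .version_13 = 1,
        .write_iv = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12} };
    struct tls_nonce_params p12 = { .version_13 = 0, .salt_size = 4, .iv_size = 8,
        .salt = {0xaa, 0xbb, 0xcc, 0xdd} };
    const uint8_t rec[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t nonce[AEAD_NONCE_LEN];
    size_t i;

    if (tls_build_nonce(&p13, 0x0102, NULL, 0, nonce) == 0) {
        printf("TLS 1.3 nonce (seq 0x0102): ");
        for (i = 0; i < AEAD_NONCE_LEN; i++) printf("%02x", nonce[i]);
        printf("\n");
    }
    if (tls_build_nonce(&p12, 0, rec, sizeof rec, nonce) == 0) {
        printf("TLS 1.2 nonce: ");
        for (i = 0; i < AEAD_NONCE_LEN; i++) printf("%02x", nonce[i]);
        printf("\n");
    }
    /* A record shorter than the explicit nonce is rejected, not over-read. */
    printf("short record -> %d\n", tls_build_nonce(&p12, 0, rec, 5, nonce));
    return 0;
}
```

The TLS 1.3 branch never touches `record`, which is the answer to the question in the thread: there is no explicit nonce to extract, the record number is the nonce input. The TLS 1.2 branch copies exactly `iv_size` bytes, so an explicit-nonce size that is smaller than the AEAD's nominal IV size cannot cause a read past the end of the record or a write past the salt.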