This fixes a kTLS TX bug in the BPF sk_msg apply_bytes path when the
selected AEAD provider completes asynchronously.

tls_push_record() can split ctx->open_rec into the record being encrypted
and a remainder record. If tls_do_encryption() returns -EINPROGRESS, the
current code returns before reattaching the remainder. The peer observes a
truncated stream, and the orphaned tls_rec is leaked.

Patch 1 keeps the split remainder rooted on the async path and lets the BPF
verdict loop continue draining queued records while preserving the async
return signal. Patch 2 adds a regression selftest which compares the sync
and async providers for the same BPF apply_bytes split-record stream.

The selftest fails on the vulnerable tree with the async provider receiving
12916 bytes instead of 17312. It passes with this series:

  TAP version 13
  1..2
  ok 1 sync provider transmits split record
  ok 2 async provider transmits split record

This work is LLM-assisted. The static-analysis variant hunt and
async-boundary state-retention class sweep that surfaced this
candidate site at net/tls/tls_sw.c were performed using Codex
(gpt-5.5); the writeup, patch refinement, and this cover letter
were performed using Claude (claude-opus-4-7). Hardware validation
(QEMU/KVM kernel run, deterministic 17312 vs 12916 sync/async
byte-count delta, lifetime-probe linear-leak scaling) and operator
review at every external gate were human-driven. Methodology
context at https://northecho.dev/posts/codex-vs-claude-code-vuln-research/.

Sent to the public list per the security-bugs.rst exception for
findings trivial to discover via automated tooling, as interpreted
by the kernel security team for LLM-assisted reports (Willy Tarreau,
2026-05-14, IVPU thread).

Christopher Lusk (2):
  net: tls: preserve split open record on async encrypt
  selftests: net: add kTLS async split record regression

 net/tls/tls_sw.c                              |  29 +-
 tools/testing/selftests/net/Makefile          |   5 +
 .../selftests/net/ktls_async_split.bpf.c      |  24 ++
 .../testing/selftests/net/ktls_async_split.c  | 391 ++++++++++++++++++
 4 files changed, 441 insertions(+), 8 deletions(-)
 create mode 100644 tools/testing/selftests/net/ktls_async_split.bpf.c
 create mode 100644 tools/testing/selftests/net/ktls_async_split.c

-- 
2.54.0
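
Added example, not part of this series or of the kernel source: a user-space C model of the failure the cover letter describes, where a record is split at apply_bytes and the async return either drops the remainder (before) or keeps it rooted while still returning -EINPROGRESS (after). The functions only mirror the roles of tls_push_record() and tls_do_encryption(); every name, the struct layout and the 1000/300 byte sizes are constructed, and the model counts the orphaned remainder instead of actually leaking it.

```c
/* User-space model of the split-record path; constructed, not kernel code. */
#include <errno.h>
#include <stdlib.h>

struct rec { size_t len; };
struct ctx { struct rec *open_rec; size_t sent; int leaked, async; };
struct result { size_t sent; int leaked, rc; };
/* Stand-in for tls_do_encryption(): an async provider reports -EINPROGRESS. */
static int do_encryption(struct ctx *c, struct rec *r)
{
    c->sent += r->len;          /* record is queued for the peer */
    free(r);
    return c->async ? -EINPROGRESS : 0;
}

/* Stand-in for tls_push_record(): split at apply_bytes, encrypt the head. */
static int push_record(struct ctx *c, size_t apply_bytes, int fixed)
{
    struct rec *head = c->open_rec, *tail = NULL;
    int rc;
    if (head->len > apply_bytes) {          /* split off the remainder */
        tail = malloc(sizeof(*tail));
        if (!tail) abort();
        tail->len = head->len - apply_bytes;
        head->len = apply_bytes;
    }
    c->open_rec = NULL;
    rc = do_encryption(c, head);
    if (rc == -EINPROGRESS && !fixed) {     /* early return, tail unrooted */
        if (tail) { c->leaked++; free(tail); } /* model counts the orphan */
        return rc;
    }
    c->open_rec = tail;                     /* remainder stays rooted */
    return rc;                              /* async signal is preserved */
}

/* Drain one message of `total` bytes the way a verdict loop would. */
struct result send_msg(size_t total, size_t apply_bytes, int async, int fixed)
{
    struct ctx c = { .async = async };
    struct result r = { 0 };
    c.open_rec = malloc(sizeof(*c.open_rec));
    if (!c.open_rec) abort();
    c.open_rec->len = total;
    while (c.open_rec)
        r.rc = push_record(&c, apply_bytes, fixed);
    r.sent = c.sent; r.leaked = c.leaked;
    return r;
}
```

With the constructed sizes, the sync provider and the fixed async path both deliver all 1000 bytes, while the unfixed async path stops after the first 300 and orphans one record.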
