net: tls: fix messing up lists when bpf enabled

Artem points out that skb may try to take over the skb and queue it to its own list. Unlink the skb before calling out. Fixes: b1a2c178 ("tls: rx: clear ctx->recv_pkt earlier") Reported-by: Artem Savkov <asavkov@redhat.com> Tested-by: Artem Savkov <asavkov@redhat.com> Link: https://lore.kernel.org/r/20220518205644.2059468-1-kuba@kernel.orgSigned-off-by: Jakub Kicinski <kuba@kernel.org>

net: tls: fix messing up lists when bpf enabled
Artem points out that skb may try to take over the skb and queue it to its own list. Unlink the skb before calling out. Fixes: b1a2c178 ("tls: rx: clear ctx->recv_pkt earlier") Reported-by: Artem Savkov <asavkov@redhat.com> Tested-by: Artem Savkov <asavkov@redhat.com> Link: https://lore.kernel.org/r/20220518205644.2059468-1-kuba@kernel.orgSigned-off-by: Jakub Kicinski <kuba@kernel.org>
1c213311 · Jakub Kicinski · df98714e · 1c213311
Commit 1c213311 authored May 18, 2022 by Jakub Kicinski
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

net/tls/tls_sw.c net/tls/tls_sw.c +3 -1

No files found.
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1837,15 +1837,17 @@ int tls_sw_recvmsg(struct sock *sk,
 			bool partially_consumed = chunk > len;

 			if (bpf_strp_enabled) {
+				/* BPF may try to queue the skb */
+				__skb_unlink(skb, &ctx->rx_list);
 				err = sk_psock_tls_strp_read(psock, skb);
 				if (err != __SK_PASS) {
 					rxm->offset = rxm->offset + rxm->full_len;
 					rxm->full_len = 0;
-					__skb_unlink(skb, &ctx->rx_list);
 					if (err == __SK_DROP)
 						consume_skb(skb);
 					continue;
 				}
+				__skb_queue_tail(&ctx->rx_list, skb);
 			}

 			if (partially_consumed)