From: Jakub Kicinski <kuba@kernel.org>
Date: Wed, 18 May 2022 20:56:44 +0000 (-0700)
Subject: net: tls: fix messing up lists when bpf enabled
X-Git-Tag: v5.19-rc1~159^2~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c2133114d2d11c10ffb0da4e12904bde0478beb;p=thirdparty%2Fkernel%2Flinux.git

net: tls: fix messing up lists when bpf enabled

Artem points out that skb may try to take over the skb and
queue it to its own list. Unlink the skb before calling out.

Fixes: b1a2c1786330 ("tls: rx: clear ctx->recv_pkt earlier")
Reported-by: Artem Savkov <asavkov@redhat.com>
Tested-by: Artem Savkov <asavkov@redhat.com>
Link: https://lore.kernel.org/r/20220518205644.2059468-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 939d1673f508e..0513f82b8537e 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1837,15 +1837,17 @@ leave_on_list:
 			bool partially_consumed = chunk > len;
 
 			if (bpf_strp_enabled) {
+				/* BPF may try to queue the skb */
+				__skb_unlink(skb, &ctx->rx_list);
 				err = sk_psock_tls_strp_read(psock, skb);
 				if (err != __SK_PASS) {
 					rxm->offset = rxm->offset + rxm->full_len;
 					rxm->full_len = 0;
-					__skb_unlink(skb, &ctx->rx_list);
 					if (err == __SK_DROP)
 						consume_skb(skb);
 					continue;
 				}
+				__skb_queue_tail(&ctx->rx_list, skb);
 			}
 
 			if (partially_consumed)