net: tls: fix messing up lists when bpf enabled

Artem points out that skb may try to take over the skb and
queue it to its own list. Unlink the skb before calling out.

Fixes: b1a2c1786330 ("tls: rx: clear ctx->recv_pkt earlier")
Reported-by: Artem Savkov <asavkov@redhat.com>
Tested-by: Artem Savkov <asavkov@redhat.com>
Link: https://lore.kernel.org/r/20220518205644.2059468-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 939d1673f508e970dfcc40a7f34862b8233c24bc..0513f82b8537ed5885f4ff667fa1dd040a4baa6e 100644 (file)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1837,15 +1837,17 @@ leave_on_list:
                        bool partially_consumed = chunk > len;
 
                        if (bpf_strp_enabled) {
+                               /* BPF may try to queue the skb */
+                               __skb_unlink(skb, &ctx->rx_list);
                                err = sk_psock_tls_strp_read(psock, skb);
                                if (err != __SK_PASS) {
                                        rxm->offset = rxm->offset + rxm->full_len;
                                        rxm->full_len = 0;
-                                       __skb_unlink(skb, &ctx->rx_list);
                                        if (err == __SK_DROP)
                                                consume_skb(skb);
                                        continue;
                                }
+                               __skb_queue_tail(&ctx->rx_list, skb);
                        }
 
                        if (partially_consumed)