net: tls: fix messing up lists when bpf enabled
authorJakub Kicinski <kuba@kernel.org>
Wed, 18 May 2022 20:56:44 +0000 (13:56 -0700)
committerJakub Kicinski <kuba@kernel.org>
Fri, 20 May 2022 00:55:06 +0000 (17:55 -0700)
Artem points out that BPF may try to take over the skb and
queue it to its own list. Unlink the skb before calling out.

Fixes: b1a2c1786330 ("tls: rx: clear ctx->recv_pkt earlier")
Reported-by: Artem Savkov <asavkov@redhat.com>
Tested-by: Artem Savkov <asavkov@redhat.com>
Link: https://lore.kernel.org/r/20220518205644.2059468-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/tls/tls_sw.c

index 939d167..0513f82 100644 (file)
@@ -1837,15 +1837,17 @@ leave_on_list:
                        bool partially_consumed = chunk > len;
 
                        if (bpf_strp_enabled) {
+                               /* BPF may try to queue the skb */
+                               __skb_unlink(skb, &ctx->rx_list);
                                err = sk_psock_tls_strp_read(psock, skb);
                                if (err != __SK_PASS) {
                                        rxm->offset = rxm->offset + rxm->full_len;
                                        rxm->full_len = 0;
-                                       __skb_unlink(skb, &ctx->rx_list);
                                        if (err == __SK_DROP)
                                                consume_skb(skb);
                                        continue;
                                }
+                               __skb_queue_tail(&ctx->rx_list, skb);
                        }
 
                        if (partially_consumed)
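Review bot: On the non-pass path the stores to `rxm->offset` and `rxm->full_len` still run after `sk_psock_tls_strp_read()` returns, so for any verdict other than `__SK_DROP` they may write to an skb that the callout has already placed on another list, which is the takeover the commit message describes. `rxm` is set outside the hunk, so this only holds if it points into this skb. A comment above those stores stating who owns the skb per verdict would make the path auditable, for example `/* not PASS: skb is still ours only for __SK_DROP, otherwise psock owns it */`. The re-queue with `__skb_queue_tail(&ctx->rx_list, skb)` also preserves record order only if this skb was the last entry on `ctx->rx_list` before the unlink, which the hunk does not show; a one-line comment saying so would help. The enclosing loop starts and ends outside the hunk.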