net/tls: avoid NULL pointer deref on nskb->sk in fallback

[ Upstream commit 2dcb003314032c6efb13a065ffae60d164b2dd35 ]

update_chksum() accesses nskb->sk before it has been set
by complete_skb(), move the init up.

Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c
index ef8934f..426dd97 100644 (file)
--- a/net/tls/tls_device_fallback.c
+++ b/net/tls/tls_device_fallback.c
@@ -200,13 +200,14 @@ static void complete_skb(struct sk_buff *nskb, struct sk_buff *skb, int headln)
 
        skb_put(nskb, skb->len);
        memcpy(nskb->data, skb->data, headln);
-       update_chksum(nskb, headln);
 
        nskb->destructor = skb->destructor;
        nskb->sk = sk;
        skb->destructor = NULL;
        skb->sk = NULL;
 
+       update_chksum(nskb, headln);
+
        delta = nskb->truesize - skb->truesize;
        if (likely(delta < 0))
                WARN_ON_ONCE(refcount_sub_and_test(-delta, &sk->sk_wmem_alloc));