From 1c2133114d2d11c10ffb0da4e12904bde0478beb Mon Sep 17 00:00:00 2001
From: Jakub Kicinski
Date: Wed, 18 May 2022 13:56:44 -0700
Subject: [PATCH] net: tls: fix messing up lists when bpf enabled

Artem points out that skb may try to take over the skb and queue it to its own list. Unlink the skb before calling out.

Fixes: b1a2c1786330 ("tls: rx: clear ctx->recv_pkt earlier")
Reported-by: Artem Savkov
Tested-by: Artem Savkov
Link: https://lore.kernel.org/r/20220518205644.2059468-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski
---
 net/tls/tls_sw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 939d1673f508..0513f82b8537 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1837,15 +1837,17 @@ leave_on_list:
 bool partially_consumed = chunk > len;
 if (bpf_strp_enabled) {
+ /* BPF may try to queue the skb */
+ __skb_unlink(skb, &ctx->rx_list);
 err = sk_psock_tls_strp_read(psock, skb);
 if (err != __SK_PASS) {
 rxm->offset = rxm->offset + rxm->full_len;
 rxm->full_len = 0;
- __skb_unlink(skb, &ctx->rx_list);
 if (err == __SK_DROP)
 consume_skb(skb);
 continue;
 }
+ __skb_queue_tail(&ctx->rx_list, skb);
 }
 if (partially_consumed)
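Review bot: Re-queueing with `__skb_queue_tail(&ctx->rx_list, skb)` after a `__SK_PASS` verdict puts the skb back in its original position only if it was the last entry on `ctx->rx_list` when it was unlinked, and nothing in the hunk establishes that. If another record could sit behind it, the re-queue would reorder the records handed to the reader, so the invariant should be written next to the call, for example `/* skb was the tail of rx_list; re-queueing at the tail restores its position */`, after confirming it against the code above the hunk. The added comment `/* BPF may try to queue the skb */` could also state the consequence, along the lines of `/* psock may link the skb into its own queue; it must be off rx_list first */`, so a later cleanup does not move the unlink back below the call. The enclosing function starts and ends outside the hunk.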