From 6ac63699319cfa601c2783c05b47ab6a89ecfe83 Mon Sep 17 00:00:00 2001
From: Jakub Kicinski
Date: Wed, 18 May 2022 13:56:44 -0700
Subject: [PATCH] net: tls: fix messing up lists when bpf enabled
Artem points out that skb may try to take over the skb and queue it to its own list. Unlink the skb before calling out.
Fixes: f1127d8d3980 ("tls: rx: clear ctx->recv_pkt earlier")
Reported-by: Artem Savkov
Tested-by: Artem Savkov
Link: https://lore.kernel.org/r/20220518205644.2059468-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski
---
 net/tls/tls_sw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 939d1673f508e..0513f82b8537e 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1837,15 +1837,17 @@ leave_on_list:
 bool partially_consumed = chunk > len;
 if (bpf_strp_enabled) {
+ /* BPF may try to queue the skb */
+ __skb_unlink(skb, &ctx->rx_list);
 err = sk_psock_tls_strp_read(psock, skb);
 if (err != __SK_PASS) {
 rxm->offset = rxm->offset + rxm->full_len;
 rxm->full_len = 0;
- __skb_unlink(skb, &ctx->rx_list);
 if (err == __SK_DROP) consume_skb(skb);
 continue;
 }
+ __skb_queue_tail(&ctx->rx_list, skb);
 }
 if (partially_consumed)
--
2.39.5
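Review bot: The re-queue on the `__SK_PASS` path uses `__skb_queue_tail(&ctx->rx_list, skb)`, which puts the skb back in its original position only if it was the last entry on `ctx->rx_list` when it was unlinked. The hunk does not show where the skb was queued, so that invariant is worth stating at the call, e.g. `/* verdict PASS: skb is still ours; it was the tail of rx_list, put it back there */`. If the list can ever hold entries queued after this skb, the tail insert would reorder the decrypted records handed to the reader. The added comment `/* BPF may try to queue the skb */` could also say why that matters: an skb carries a single next/prev pair, so queueing it on another list while it is still linked here corrupts both lists. The enclosing function starts and ends outside the hunk.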