xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

commit f63c2c2032c2e3caad9add3b82cc6e91c376fd26 upstream. The commit referenced below moved the invocation past the "next" label, without any explanation. In fact this allows misbehaving backends undue control over the domain the frontend runs in, as earlier detected errors require the skb to not be freed (it may be retained for later processing via xennet_move_rx_slot(), or it may simply be unsafe to have it freed). This is CVE-2022-33743 / XSA-405. Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Jan Beulich <jbeulich@suse.com> 2022-07-01 10:57:19 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07 18:53:32 +0300
commit: 1052fc2b7391a43b25168ae69ad658fff5170f04 (patch)
tree: 4c3aa78da0977a3631320f10abd80dec60125c27
parent: 6d0a9127279a4533815202e30ad1b3a39f560ba3 (diff)
download: linux-1052fc2b7391a43b25168ae69ad658fff5170f04.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 409ee9d97af4..074dceb1930b 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1094,8 +1094,10 @@ static int xennet_get_responses(struct netfront_queue *queue,
 			}
 		}
 		rcu_read_unlock();
-next:
+
 		__skb_queue_tail(list, skb);
+
+next:
 		if (!(rx->flags & XEN_NETRXF_more_data))
 			break;
author	Jan Beulich <jbeulich@suse.com>	2022-07-01 10:57:19 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-07-07 18:53:32 +0300
commit	1052fc2b7391a43b25168ae69ad658fff5170f04 (patch)
tree	4c3aa78da0977a3631320f10abd80dec60125c27
parent	6d0a9127279a4533815202e30ad1b3a39f560ba3 (diff)
download	linux-1052fc2b7391a43b25168ae69ad658fff5170f04.tar.xz