xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

The commit referenced below moved the invocation past the "next" label, without any explanation. In fact this allows misbehaving backends undue control over the domain the frontend runs in, as earlier detected errors require the skb to not be freed (it may be retained for later processing via xennet_move_rx_slot(), or it may simply be unsafe to have it freed). This is CVE-2022-33743 / XSA-405. Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com>
author: Jan Beulich <jbeulich@suse.com> 2022-07-01 08:56:52 +0200
committer: Juergen Gross <jgross@suse.com> 2022-07-01 10:01:23 +0200
commit: f63c2c2032c2e3caad9add3b82cc6e91c376fd26 (patch)
tree: 6d196d3a64dfc32078d8676363b64568cfdbbbd8 /drivers/net
parent: 2400617da7eebf9167d71a46122828bc479d64c9 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 87f6df77bfbf..2409007f1fd9 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1092,8 +1092,10 @@ static int xennet_get_responses(struct netfront_queue *queue,
 			}
 		}
 		rcu_read_unlock();
-next:
+
 		__skb_queue_tail(list, skb);
+
+next:
 		if (!(rx->flags & XEN_NETRXF_more_data))
 			break;
author	Jan Beulich <jbeulich@suse.com>	2022-07-01 08:56:52 +0200
committer	Juergen Gross <jgross@suse.com>	2022-07-01 10:01:23 +0200
commit	f63c2c2032c2e3caad9add3b82cc6e91c376fd26 (patch)
tree	6d196d3a64dfc32078d8676363b64568cfdbbbd8 /drivers/net
parent	2400617da7eebf9167d71a46122828bc479d64c9 (diff)