Subject: Patch "net: gso: fix tcp fraglist segmentation after pull from frag_list" has been added to the 6.1-stable tree
To: 1468888505@139.com,angelogioacchino.delregno@collabora.com,davem@davemloft.net,dsahern@kernel.org,edumazet@google.com,gregkh@linuxfoundation.org,kuba@kernel.org,linux-arm-kernel@lists.infradead.org,linux-mediatek@lists.infradead.org,matthias.bgg@gmail.com,nbd@nbd.name,pabeni@redhat.com,patches@lists.linux.dev,willemb@google.com
Date: Mon, 23 Mar 2026 14:03:46 +0100
In-Reply-To: <20260302065107.2694835-1-1468888505@139.com>
Message-ID: <2026032345-ritzy-tactless-f7f3@gregkh>

This is a note to let you know that I've just added the patch titled

    net: gso: fix tcp fraglist segmentation after pull from frag_list

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


From: Li hongliang <1468888505@139.com>
Date: Mon, 2 Mar 2026 14:51:07 +0800
Subject: net: gso: fix tcp fraglist segmentation after pull from frag_list
To: gregkh@linuxfoundation.org, stable@vger.kernel.org, nbd@nbd.name
Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, edumazet@google.com, davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org, pabeni@redhat.com, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, willemb@google.com, netdev@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, bpf@vger.kernel.org
Message-ID: <20260302065107.2694835-1-1468888505@139.com>

From: Felix Fietkau

[ Upstream commit 17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8 ]

Detect tcp gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For TCP, this
causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at
tcp_hdr(seg->next).

Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination.
Convert to be able to pass to regular skb_segment.

Approach and description based on a patch by Willem de Bruijn.

Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
Link: https://lore.kernel.org/netdev/20240922150450.3873767-1-willemdebruijn.kernel@gmail.com/
Fixes: bee88cd5bd83 ("net: add support for segmenting TCP fraglist GSO packets")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau
Reviewed-by: Willem de Bruijn
Link: https://patch.msgid.link/20240926085315.51524-1-nbd@nbd.name
Signed-off-by: Jakub Kicinski
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/tcp_offload.c   |   10 ++++++++--
 net/ipv6/tcpv6_offload.c |   10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

--- a/net/ipv4/tcp_offload.c +++ b/net/ipv4/tcp_offload.c 
@@ -103,8 +103,14 @@ static struct sk_buff *tcp4_gso_segment( if (!pskb_may_pull(skb, sizeof(struct tcphdr))) return ERR_PTR(-EINVAL); - if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) - return __tcp4_gso_segment_list(skb, features); + if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) { + struct tcphdr *th = tcp_hdr(skb); + + if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) + return __tcp4_gso_segment_list(skb, features); + + skb->ip_summed = CHECKSUM_NONE; + } if (unlikely(skb->ip_summed != CHECKSUM_PARTIAL)) { const struct iphdr *iph = ip_hdr(skb); --- a/net/ipv6/tcpv6_offload.c +++ b/net/ipv6/tcpv6_offload.c @@ -105,8 +105,14 @@ static struct sk_buff *tcp6_gso_segment( if (!pskb_may_pull(skb, sizeof(*th))) return ERR_PTR(-EINVAL); - if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) - return __tcp6_gso_segment_list(skb, features); + if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) { + struct tcphdr *th = tcp_hdr(skb); + + if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) + return __tcp6_gso_segment_list(skb, features); + + skb->ip_summed = CHECKSUM_NONE; + } if (unlikely(skb->ip_summed != CHECKSUM_PARTIAL)) { const struct ipv6hdr *ipv6h = ipv6_hdr(skb); Patches currently in stable-queue which might be from 1468888505@139.com are queue-6.1/net-fix-segmentation-of-forwarding-fraglist-gro.patch queue-6.1/net-gso-fix-tcp-fraglist-segmentation-after-pull-from-frag_list.patch queue-6.1/net-add-support-for-segmenting-tcp-fraglist-gso-packets.patch
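
Review bot: in the tcp4_gso_segment hunk of net/ipv4/tcp_offload.c, the comparison "skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size" and the "skb->ip_summed = CHECKSUM_NONE;" that follows it carry no comment, so the reason for both lives only in the commit message. A short comment above the check saying that a valid fraglist head holds the protocol headers plus exactly one gso_size, and one on the assignment saying that it makes the "skb->ip_summed != CHECKSUM_PARTIAL" branch just below run before the skb falls through to regular segmentation, would keep the invariant visible to whoever touches this path next.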
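
Review bot: in the tcp6_gso_segment hunk of net/ipv6/tcpv6_offload.c, the new "struct tcphdr *th = tcp_hdr(skb);" inside the if block shadows a th that is already in scope in this function, as the unchanged context line "if (!pskb_may_pull(skb, sizeof(*th)))" shows. Assigning the existing variable ("th = tcp_hdr(skb);") or giving the inner pointer a different name would avoid the shadowing and the -Wshadow warning that comes with it.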
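
The geometry rules from the commit message, as an added example that is not part of the patch or of the kernel tree: a user-space C model that tracks byte counts only, where struct model_skb, head_geometry_ok, fraglist_valid and model_pull are hypothetical names. It shows that any pull from the frag_list grows the head, so the head-size comparison used by the patch flags it, including the extreme case where no frag is left.

```c
#include <stdbool.h>

/* Toy user-space model (assumption): byte counts only, no real struct sk_buff. */
struct model_skb {
	unsigned int head_len;           /* stands in for skb_pagelen() of the head_skb */
	unsigned int tcp_hlen, gso_size; /* tcp_hlen stands in for th->doff * 4 */
	unsigned int frag_len[4];        /* payload bytes in each frag_list skb */
	unsigned int nfrags;
};

/* Same comparison as the patch: head payload must be exactly one gso_size. */
static bool head_geometry_ok(const struct model_skb *s)
{
	return s->head_len - s->tcp_hlen == s->gso_size;
}

/* All four invariants listed in the commit message. */
static bool fraglist_valid(const struct model_skb *s)
{
	for (unsigned int i = 0; i < s->nfrags; i++) {
		unsigned int len = s->frag_len[i];
		if (len == 0 || len > s->gso_size || (i + 1 < s->nfrags && len != s->gso_size))
			return false;            /* one segment each, only the last may be short */
	}
	return s->nfrags >= 1 && head_geometry_ok(s); /* head plus at least one frag */
}

/* Model of a pull: move n payload bytes from the frag_list into the head. */
static void model_pull(struct model_skb *s, unsigned int n)
{
	unsigned int kept = 0;
	for (unsigned int i = 0; i < s->nfrags; i++) {
		unsigned int take = n < s->frag_len[i] ? n : s->frag_len[i];
		s->head_len += take;
		n -= take;
		if (s->frag_len[i] - take)   /* emptied frags drop out of the list */
			s->frag_len[kept++] = s->frag_len[i] - take;
	}
	s->nfrags = kept;
}

int main(void)
{
	struct model_skb s = { 1020, 20, 1000, { 1000, 1000, 400 }, 3 }; /* constructed */
	bool ok_before = fraglist_valid(&s);
	model_pull(&s, 2400);            /* extreme case: all data pulled into the head */
	return !ok_before || head_geometry_ok(&s) || s.nfrags; /* 0: mismatch seen, no frag left */
}
```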