From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3D61D176FB1 for ; Mon, 13 Apr 2026 18:22:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776104553; cv=none; b=crKawNxrlEuJs5H9ciCqUa082t0QyiwyrxB5HV+K63Rnyd85QVlLaOoEjvfnjC4ATipmxFO3J2oRfpWVaSzQ9yRkS0QdmZfsDoqey2hfucW4JS4v9djawvCie6dxCnWnxzEw+Jvg6fUtfQkpKdlxwOLW2t2vthMIelFP7PDXh9k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776104553; c=relaxed/simple; bh=vRfn1eIpzqwwPd1PIv52bIl1PJXjLpPHi4j0z9xDlc4=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=CqhRlu+pzRcfV3DdNC7Jw6c9HqEur4q/DjaybWk3qvM58c26aGVgMPyaIhW9P0PL8NO2kgHK9V55B92VeZs6Iebejxl6+0wpinDw99AnmwwmlgKIiP/Gn7RhEiDGYsyMBPDxP8xGw5+AoZ7z/m1aOhhXVJ2aR/8nAXOcuZCZ2PU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=DwJIJO81; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="DwJIJO81" Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-488b8efed61so45635265e9.1 for ; Mon, 13 Apr 2026 11:22:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776104550; x=1776709350; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=AYKFqRHALrwX6tYikrZmISuQnQxh/bhcagdwZ5Pb5/A=; b=DwJIJO81AtnTE73M0vWwJK4bdaJxx2Awa/GRrF1W8fooPXUURNUX5qim/iCyU2wQ+O JcJ5crBV54DcOnae6qer+UFckZhDddllS9I58is5SyaT3w+dOX4tqQZPJz9NLZUy+dID 3cCV1vNxKq813i4XFXkSOo4WHPPBwSHyA3oAB/bY1gGyEplPTRsNvI4uwV//TzAn8h5I g6jtWuR2GyejNt7qsf5GlixdMyzHIgTQbyY3whFjwLAuUOoHnQENaA4cfXsnGNSG7W4+ +AEcGEz4nEbDSS+8fz5YQMlBO8nlEugIxBtIvixT0/fr7IiAA2rtKUuqQiH8h5+eBr5V 2iOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776104550; x=1776709350; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=AYKFqRHALrwX6tYikrZmISuQnQxh/bhcagdwZ5Pb5/A=; b=TP9xSQC4MxKVCj7KC4evRB1A34a5kjjsEj/WOlsXZI8FUTO53Epnl4ge96tirmlQcW F4MBMZY0AQzLm6H5F7sQeIvTbz3JUUhS2PKm7ZDFXDqpn2IzHQLfcEkCeUyY2N0Ji0Ya KvJ3vEiweMNvDJZeN4XaYp7cgOz/DDogmlUXedV5+rayHnUCK5Q0YmgZD1+yoe1RgeEU RedlZ1FE6lp7gudB9/bu0YGwbT4U8vNyQTgoYtCrJJmlEEHDF87x6giXNalq9IwvVUbh SltmeG36OsIWt/nMJHFeZGiZTAp8jKRceFRiHC0G44dq+n+23mGD5qCIK+R7e7IfVQXf PChg== X-Forwarded-Encrypted: i=1; AFNElJ9cGKXnHOwgI9VMTrAcj9FJg1BP44SRAa9/EWkBvci544UgdLL4Z5ygix2xlHLRWU/oVE9wrRoteUMaDnw=@vger.kernel.org X-Gm-Message-State: AOJu0YwUAlZExD8zXTQ5SxkVnpoYCVrt8DD7nXZdw0kRW/6MuHnpgLBL 0GpTLWRaVQxNJ6KCCTxFbOaanZpmjOvPWmF4fwjlsndJ/+Yxws+zanFH X-Gm-Gg: AeBDievPY5MJqGCR0YeBxhoBFXQ7yXNHPVvuDNJUkAG8cy1rnWw1M/gqZzmEr1F9gye 64ZfoQgDhkyfXudVxvc4ElPkc/VL+zvkW8e3Jzyvrj9m+6ky6G7vBPZ+GkoD0i/ut+RTLqPL0ok B+E79HRCdOXofvHqeBc3O7yDFNNt5gC0D6j7eT3rsQ3dx8uulfxxf55c23KsTaneTJGosS9VhyI wUk2epaNr7JCPX/ryot0f+pNxm1rrn/P5xK54s+ZEvuhmOgwMlYFQwmBWU1OcxaYDECoRmWtltL 0jr1JSUKVY9Xiqi91PmkQgoB3D5+5X9QlRhet94OLKWcTM37ZrH+pqe4V9cHOdS02vnmeiu8JbU ljExn+ebP+eEzfNx0uO0IlyJUNq27jFNphKFyutul0muukoNL5RCIyhosCzHolTz6SqAeGxsn7L seh0pqmLP2DVbJTwN9NIog3dA/b/ysbxRzv+S+bdRpeOb50NXzZKZWmtMi2YbOfIfit+Fa1H7fJ +yNjwHBS2+W X-Received: by 2002:a05:600c:a105:b0:485:fbd2:f72 with SMTP id 5b1f17b1804b1-488d681701fmr132606625e9.1.1776104549378; Mon, 13 Apr 2026 11:22:29 -0700 (PDT) Received: from dohko.chello.ie (188-141-5-72.dynamic.upc.ie. [188.141.5.72]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488d532ed4dsm298282905e9.4.2026.04.13.11.22.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 11:22:28 -0700 (PDT) From: David Carlier To: Jakub Kicinski , "David S . Miller" , Eric Dumazet , Paolo Abeni Cc: Simon Horman , Stanislav Fomichev , Kuniyuki Iwashima , Samiullah Khawaja , Hangbin Liu , Krishna Kumar , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, David Carlier Subject: [PATCH net-next v2] net: check qdisc_pkt_len_segs_init() return value on ingress Date: Mon, 13 Apr 2026 19:22:25 +0100 Message-ID: <20260413182225.10683-1-devnexen@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Commit 7fb4c1967011 ("net: pull headers in qdisc_pkt_len_segs_init()") changed qdisc_pkt_len_segs_init() to return an skb drop reason when it detects malicious GSO packets. The egress path in __dev_queue_xmit() checks this return value and drops bad packets, but the ingress path in sch_handle_ingress() ignores it. This means malformed GSO packets entering via TC ingress are not dropped and could be redirected to another interface or cause incorrect qdisc accounting. Check the return value and drop the packet when a bad GSO is detected. Fixes: 7fb4c1967011 ("net: pull headers in qdisc_pkt_len_segs_init()") Signed-off-by: David Carlier --- v1 -> v2: reorder variable declarations for reverse xmas tree v1: https://lore.kernel.org/netdev/20260408172307.46498-1-devnexen@gmail.com/ net/core/dev.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/core/dev.c b/net/core/dev.c index 5a31f9d2128c..d11c22cafca9 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -4459,8 +4459,8 @@ sch_handle_ingress(struct sk_buff *skb, struct packet_type **pt_prev, int *ret, struct net_device *orig_dev, bool *another) { struct bpf_mprog_entry *entry = rcu_dereference_bh(skb->dev->tcx_ingress); - enum skb_drop_reason drop_reason = SKB_DROP_REASON_TC_INGRESS; struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx; + enum skb_drop_reason drop_reason; int sch_ret; if (!entry) @@ -4472,7 +4472,15 @@ sch_handle_ingress(struct sk_buff *skb, struct packet_type **pt_prev, int *ret, *pt_prev = NULL; } - qdisc_pkt_len_segs_init(skb); + drop_reason = qdisc_pkt_len_segs_init(skb); + if (unlikely(drop_reason)) { + kfree_skb_reason(skb, drop_reason); + *ret = NET_RX_DROP; + bpf_net_ctx_clear(bpf_net_ctx); + return NULL; + } + + drop_reason = SKB_DROP_REASON_TC_INGRESS; tcx_set_ingress(skb, true); if (static_branch_unlikely(&tcx_needed_key)) { -- 2.53.0