Netdev List
* [PATCH net] net: add pskb_may_pull() to skb_gro_receive_list()
@ 2026-06-04 14:46 HanQuan
  2026-06-09  0:30 ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 2+ messages in thread
From: HanQuan @ 2026-06-04 14:46 UTC (permalink / raw)
  To: netdev; +Cc: edumazet, kuba, pabeni, security, nbd, HanQuan, MingXuan

skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
first ensuring the data is in the linear area via pskb_may_pull(). When
the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
page fragments) while skb_gro_offset is non-zero (after IP+TCP header
parsing). The skb_pull() then decrements skb->len by skb_gro_offset
but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
in __skb_pull().

The UDP fraglist GRO path already contains this guard at
udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides
centralized protection for all callers (TCP, UDP, and any future
protocols), and ensures the precondition of skb_pull() is satisfied
before it is called.

On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the
skb is not held as a new GRO head and is instead delivered through the
normal receive path, matching the UDP handling.

Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
Reported-by: HanQuan <eilaimemedsnaimel@gmail.com>
Reported-by: MingXuan <bwnie0730@outlook.com>
Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>
---
 net/core/gro.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/gro.c b/net/core/gro.c
index a84753983467..35f2f708f010 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -232,6 +232,11 @@ int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
 	if (unlikely(p->len + skb->len >= 65536))
 		return -E2BIG;
 
+	if (!pskb_may_pull(skb, skb_gro_offset(skb))) {
+		NAPI_GRO_CB(skb)->flush = 1;
+		return -ENOMEM;
+	}
+
 	if (NAPI_GRO_CB(p)->last == p)
 		skb_shinfo(p)->frag_list = skb;
 	else
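Review bot: the -ENOMEM returned from the new check covers two different failures: pskb_may_pull() also returns false when skb_gro_offset(skb) exceeds skb->len, which is a malformed-length condition rather than an allocation failure, so either choose an errno that fits both cases or add a one-line comment above `if (!pskb_may_pull(skb, skb_gro_offset(skb))) {` stating that, with flush = 1 set, the callers only use the non-zero return as "do not merge this skb". The description says the handling matches the UDP path; naming the value that path returns would settle the choice. Since the guard is now centralized here, the description should also say whether the udp_offload.c:749 check is intentionally kept (now redundant) or will be dropped in a follow-up.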
-- 
2.43.0


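The length bookkeeping the description relies on, as an added illustration that is neither kernel code nor part of the patch: a toy model of an sk_buff with the kernel's len / data_len / skb_headlen relationship, a pull that fails at exactly the condition where __skb_pull() would hit BUG_ON(skb->len < skb->data_len), and a may_pull that first moves fragment bytes into the linear area, distinguishing "not enough data at all" from "data present but not linear". The struct layout, the toy_ prefixed names and the sample values (60 payload bytes all in a fragment, a 40-byte GRO offset) are assumptions of this model, not taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model (not kernel code): len counts every payload byte, data_len the
 * bytes living in page fragments, so the linear area holds exactly
 * len - data_len bytes (what skb_headlen() reports). */
struct toy_skb {
	unsigned int len;        /* total payload: linear + fragments */
	unsigned int data_len;   /* payload held in fragments */
	unsigned char head[256]; /* linear area (fixed buffer in the model) */
	unsigned char *data;     /* start of unconsumed linear data */
	unsigned char frag[256]; /* the single page fragment of the model */
	unsigned int frag_off;   /* fragment bytes already moved into head */
};

static unsigned int toy_headlen(const struct toy_skb *skb)
{
	return skb->len - skb->data_len;
}

/* Model of __skb_pull(): the kernel does len -= n and then
 * BUG_ON(skb->len < skb->data_len). The model tests the same condition
 * up front and reports false instead of crashing. */
static bool toy_skb_pull(struct toy_skb *skb, unsigned int n)
{
	if (n > skb->len || skb->len - n < skb->data_len)
		return false; /* the bytes are not in the linear area */
	skb->len -= n;
	skb->data += n;
	return true;
}

/* Model of pskb_may_pull(): nothing to do if n bytes are already linear;
 * otherwise move the missing bytes from the fragment to the end of the
 * linear area (what __pskb_pull_tail() does, possibly after reallocating).
 * len stays the same because bytes move rather than disappear; data_len
 * shrinks. Fails when fewer than n bytes exist at all, or when the head
 * buffer is full (the model's stand-in for an allocation failure). */
static bool toy_pskb_may_pull(struct toy_skb *skb, unsigned int n)
{
	unsigned int headlen = toy_headlen(skb);
	unsigned int missing;

	if (n <= headlen)
		return true;
	if (n > skb->len)
		return false; /* not enough data anywhere in the skb */
	missing = n - headlen;
	if ((size_t)(skb->data - skb->head) + headlen + missing > sizeof(skb->head))
		return false; /* no room in the linear area */
	memcpy(skb->data + headlen, skb->frag + skb->frag_off, missing);
	skb->frag_off += missing;
	skb->data_len -= missing;
	return true;
}

/* Constructed sample shaped like an skb from napi_gro_frags(): all `total`
 * payload bytes sit in the fragment, so skb_headlen is 0. */
static void toy_build_frags_skb(struct toy_skb *skb, unsigned int total)
{
	unsigned int i;

	memset(skb, 0, sizeof(*skb));
	skb->data = skb->head;
	skb->len = total;
	skb->data_len = total;
	for (i = 0; i < total && i < sizeof(skb->frag); i++)
		skb->frag[i] = (unsigned char)i;
}

/* The sequence from the report: pull by the GRO offset with nothing linear.
 * Returns false exactly where the kernel would BUG_ON. */
static bool toy_pull_unguarded(unsigned int total, unsigned int gro_offset)
{
	struct toy_skb skb;

	toy_build_frags_skb(&skb, total);
	return toy_skb_pull(&skb, gro_offset);
}

/* The same sequence behind the patch's guard. Returns the remaining len
 * after the pull, -1 when the guard rejects the skb (the flush = 1 path),
 * -2 on a model self-check failure. */
static int toy_pull_guarded(unsigned int total, unsigned int gro_offset)
{
	struct toy_skb skb;

	toy_build_frags_skb(&skb, total);
	if (!toy_pskb_may_pull(&skb, gro_offset))
		return -1;
	if (memcmp(skb.data, skb.frag, gro_offset) != 0)
		return -2; /* moved bytes must equal the fragment prefix */
	if (!toy_skb_pull(&skb, gro_offset))
		return -2; /* cannot happen once may_pull succeeded */
	return (int)skb.len;
}

int main(void)
{
	/* 60 payload bytes, 40-byte GRO offset (IPv4 + TCP headers parsed). */
	printf("unguarded pull ok: %d\n", toy_pull_unguarded(60, 40));           /* 0 */
	printf("guarded pull, remaining len: %d\n", toy_pull_guarded(60, 40));   /* 20 */
	printf("guarded pull, offset beyond len: %d\n", toy_pull_guarded(60, 100)); /* -1 */
	return 0;
}
```

The guarded path leaves len == data_len == 20 after the pull, so the invariant holds and the 20 unpulled payload bytes are still in the fragment; the offset-beyond-len case is the failure that a memory-shortage errno does not describe.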

* Re: [PATCH net] net: add pskb_may_pull() to skb_gro_receive_list()
  2026-06-04 14:46 [PATCH net] net: add pskb_may_pull() to skb_gro_receive_list() HanQuan
@ 2026-06-09  0:30 ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-06-09  0:30 UTC (permalink / raw)
  To: HanQuan; +Cc: netdev, edumazet, kuba, pabeni, security, nbd, bwnie0730

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu,  4 Jun 2026 14:46:25 +0000 you wrote:
> skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
> first ensuring the data is in the linear area via pskb_may_pull(). When
> the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
> page fragments) while skb_gro_offset is non-zero (after IP+TCP header
> parsing). The skb_pull() then decrements skb->len by skb_gro_offset
> but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
> in __skb_pull().
> 
> [...]

Here is the summary with links:
  - [net] net: add pskb_may_pull() to skb_gro_receive_list()
    https://git.kernel.org/netdev/net/c/f2bb34345444

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



