* [PATCH net] net: add pskb_may_pull() to skb_gro_receive_list()
@ 2026-06-04 14:46 HanQuan
2026-06-09 0:30 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: HanQuan @ 2026-06-04 14:46 UTC (permalink / raw)
To: netdev; +Cc: edumazet, kuba, pabeni, security, nbd, HanQuan, MingXuan
skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
first ensuring the data is in the linear area via pskb_may_pull(). When
the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
page fragments) while skb_gro_offset is non-zero (after IP+TCP header
parsing). The skb_pull() then decrements skb->len by skb_gro_offset
but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
in __skb_pull().
The UDP fraglist GRO path already contains this guard at
udp_offload.c:749. Adding it to skb_gro_receive_list() itself provides
centralized protection for all callers (TCP, UDP, and any future
protocols), and ensures the precondition of skb_pull() is satisfied
before it is called.
On pskb_may_pull() failure, set NAPI_GRO_CB(skb)->flush = 1 so the
skb is not held as a new GRO head and is instead delivered through the
normal receive path, matching the UDP handling.
Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
Reported-by: HanQuan <eilaimemedsnaimel@gmail.com>
Reported-by: MingXuan <bwnie0730@outlook.com>
Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>
---
net/core/gro.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/core/gro.c b/net/core/gro.c
index a84753983467..35f2f708f010 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -232,6 +232,11 @@ int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb)
if (unlikely(p->len + skb->len >= 65536))
return -E2BIG;
+ if (!pskb_may_pull(skb, skb_gro_offset(skb))) {
+ NAPI_GRO_CB(skb)->flush = 1;
+ return -ENOMEM;
+ }
+
if (NAPI_GRO_CB(p)->last == p)
skb_shinfo(p)->frag_list = skb;
else
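Review bot: The new failure branch carries no comment explaining why it sets NAPI_GRO_CB(skb)->flush = 1, while the -E2BIG return directly above it leaves flush untouched. A one-line comment at the new check, stating that a failed pull must not leave the skb held as a new GRO head, would keep that asymmetry from looking accidental. As a style point, the preceding test is wrapped in unlikely() and the new one is not; writing it as if (unlikely(!pskb_may_pull(skb, skb_gro_offset(skb)))) would match it.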
--
2.43.0
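The length accounting described in the commit message above, as an added userspace model (not kernel code and not part of the patch). The names `model_skb`, `model_may_pull`, `model_pull`, `model_receive_list` and the `alloc_ok` knob are hypothetical, and the sample lengths are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Userspace model of the sk_buff length fields; not kernel code. */
struct model_skb {
    unsigned int len;        /* total bytes, linear + paged */
    unsigned int data_len;   /* bytes held in page fragments */
    unsigned int gro_offset; /* header bytes GRO has already parsed */
    bool flush;              /* stands in for NAPI_GRO_CB(skb)->flush */
};

/* Models pskb_may_pull(): make the first n bytes linear. alloc_ok is a
 * constructed knob standing in for the step that can fail. */
static bool model_may_pull(struct model_skb *skb, unsigned int n, bool alloc_ok)
{
    unsigned int headlen = skb->len - skb->data_len;
    if (n <= headlen)
        return true;
    if (n > skb->len || !alloc_ok)
        return false;
    skb->data_len -= n - headlen;  /* bytes move from fragments to linear */
    return true;
}

/* Models the pull: returns false where the kernel would hit the BUG_ON. */
static bool model_pull(struct model_skb *skb, unsigned int n)
{
    skb->len -= n;
    return skb->len >= skb->data_len;
}

/* Returns 0 on success, -ENOMEM on guarded failure, 1 for "would BUG". */
static int model_receive_list(struct model_skb *skb, bool guarded, bool alloc_ok)
{
    if (guarded && !model_may_pull(skb, skb->gro_offset, alloc_ok)) {
        skb->flush = true;
        return -ENOMEM;
    }
    return model_pull(skb, skb->gro_offset) ? 0 : 1;
}

int main(void)
{
    struct model_skb a = { 1000, 1000, 40, false }, b = a, c = a;
    printf("unguarded:  %d\n", model_receive_list(&a, false, true));
    printf("guarded:    %d\n", model_receive_list(&b, true, true));
    printf("alloc fail: %d\n", model_receive_list(&c, true, false));
    return 0;
}
```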
* Re: [PATCH net] net: add pskb_may_pull() to skb_gro_receive_list()
2026-06-04 14:46 [PATCH net] net: add pskb_may_pull() to skb_gro_receive_list() HanQuan
@ 2026-06-09 0:30 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-06-09 0:30 UTC (permalink / raw)
To: HanQuan; +Cc: netdev, edumazet, kuba, pabeni, security, nbd, bwnie0730
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 4 Jun 2026 14:46:25 +0000 you wrote:
> skb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without
> first ensuring the data is in the linear area via pskb_may_pull(). When
> the skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in
> page fragments) while skb_gro_offset is non-zero (after IP+TCP header
> parsing). The skb_pull() then decrements skb->len by skb_gro_offset
> but skb->data_len stays unchanged, hitting BUG_ON(skb->len < skb->data_len)
> in __skb_pull().
>
> [...]
Here is the summary with links:
- [net] net: add pskb_may_pull() to skb_gro_receive_list()
https://git.kernel.org/netdev/net/c/f2bb34345444
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html