From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailgw01.mediatek.com (unknown [60.244.123.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D25D03112C0; Thu, 2 Jul 2026 03:26:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=60.244.123.138 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782962769; cv=none; b=GBmYfbGxcFBeSEYgBS96ITrD5px294zKJ/pER70J29C3kOyOIPX6B+JTKea35+Z/pBDwZmC8wCsu2B0sJ3gSImbgZ5al957TTyR8kieMotf1zfuYo7ldf5chjotV16JsYZlpMkZ+npoRaySXyeQbN4a8oNC2VoKteIfjh2pZmq8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782962769; c=relaxed/simple; bh=NV6w2JoWpHy3zUvSnRVVQfp87R8d0tS1Fyzs+r8chJc=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=M0Nh6nhSDTkN/pyKKG2ufdXhA2rtuW6n1Dj898KwzXz9ssqwYTpSW8m9QCd2CCEb7IjFyFsZO3KQV+5MA1w75u9p4MNgJlxGYoFZXcrjjx5JjDnXwAJ37jitvbi3luEL9w8r/0+CU857bV5XMQfQFTLcU0eG+0L/bI3KFYSfT+M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mediatek.com; spf=pass smtp.mailfrom=mediatek.com; dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com header.b=mhmMEvun; arc=none smtp.client-ip=60.244.123.138 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mediatek.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mediatek.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com header.b="mhmMEvun" X-UUID: be7013d075c511f1b1788b6acf885367-20260702 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=lLC3Ud+TVrFH8KiBacdMlSzjHyCVWCIy8gKSFh5QxrA=; b=mhmMEvunyZ1r91peMgk6mmttb45tFYL65CHidmH95ZO8yhbPcHck3+hzeqZeZlxFzZqNkDMznS5JSd/YE+aVhnJfIS3g7HAQmq1pfDFWZ8TGGx2haAkfBh8R1eQb+Fn546eDwu+kRQoR0YD2JmU3XCvJcFL4LNBcAxXc6jib92Y=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.3.17,REQID:b0e678f1-d0ed-4d07-952b-82784d172ce6,IP:0,U RL:0,TC:0,Content:0,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTION: release,TS:0 X-CID-META: VersionHash:d497b38,CLOUDID:5c06e581-6310-4e6b-a6b1-aca20d98ed8b,B ulkID:nil,BulkQuantity:0,SF:102|836|865|888|898,TC:-5,Content:0|15|50|99,E DM:-3,IP:nil,URL:0,File:130,RT:0,Bulk:nil,QS:nil,BEC:-1,COL:0,OSI:0,OSA:0, AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0,ARC:0 X-CID-BVR: 2,SSN|SDN X-CID-BAS: 2,SSN|SDN,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-CID-RHF: D41D8CD98F00B204E9800998ECF8427E X-UUID: be7013d075c511f1b1788b6acf885367-20260702 Received: from mtkmbs11n1.mediatek.inc [(172.21.101.185)] by mailgw01.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 322319382; Thu, 02 Jul 2026 11:25:58 +0800 Received: from mtkmbs13n2.mediatek.inc (172.21.101.108) by MTKMBS09N2.mediatek.inc (172.21.101.94) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.29; Thu, 2 Jul 2026 11:25:57 +0800 Received: from mbjsdccf07.gcn.mediatek.inc (10.15.20.246) by mtkmbs13n2.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.2562.29 via Frontend Transport; Thu, 2 Jul 2026 11:25:56 +0800 From: Shiming Cheng To: , , , , , , , , , , , , , , , , , , CC: , , Subject: [PATCH v4] net: gro: fix double aggregation of flush-marked skbs Date: Thu, 2 Jul 2026 11:25:15 +0800 Message-ID: <20260702032535.23754-1-shiming.cheng@mediatek.com> X-Mailer: git-send-email 2.45.2 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-MTK: N The new skb_gro_receive_list() function is missing a critical safety check present in the legacy skb_gro_receive() path. Specifically, it does not validate NAPI_GRO_CB(skb)->flush before allowing packet aggregation. This allows already-GRO'd packets with existing frag_list to be re-aggregated into a new GRO session, corrupting the frag_list chain structure. When skb_segment() attempts to unpack these malformed packets, it encounters invalid state and triggers a kernel panic. Scenario (Tethering/Device forwarding): 1. Driver: Generated aggregated packet P1 via LRO with frag_list 2. Dev A: Receives aggregated fraglist packet and flush flag set 3. Dev A: Re-enters GRO, skb_gro_receive_list() is called 4. Missing flush check allows re-aggregation despite flush flag 5. Frag_list chain becomes corrupted (loops or dangling refs) 6. Dev B: TX path calls skb_segment(), crashes on corrupted frag_list Root cause in skb_segment(): The check at line ~4891: if (hsize <= 0 && i >= nfrags && skb_headlen(list_skb) && (skb_headlen(list_skb) == len || sg)) { When frag_list is corrupted by double aggregation, when list_skb is a NULL pointer from skb->next, skb_headlen(list_skb) dereference NULL/corrupted pointers occurs. Call Trace: skb_headlen(NULL skb) skb_segment tcp_gso_segment tcp4_gso_segment inet_gso_segment skb_mac_gso_segment __skb_gso_segment skb_gso_segment validate_xmit_skb validate_xmit_skb_list sch_direct_xmit qdisc_restart __qdisc_run qdisc_run net_tx_action Fix: Add NAPI_GRO_CB(skb)->flush validation to the early-return check in skb_gro_receive_list(), matching the defensive programming pattern of skb_gro_receive(). Fixes: 8928756d53d5 ("net: move skb_gro_receive_list from udp to core") Cc: stable@vger.kernel.org Signed-off-by: Shiming Cheng --- net/core/gro.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/core/gro.c b/net/core/gro.c index 35f2f708f010..b1573d98f3a5 100644 --- a/net/core/gro.c +++ b/net/core/gro.c @@ -229,7 +229,14 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb) { - if (unlikely(p->len + skb->len >= 65536)) + /* + * Packets marked with NAPI_GRO_CB(skb)->flush have already gone + * through GRO/LRO processing and must not be aggregated again. + * Re-entering frag_list GRO may corrupt the frag_list chain and + * later crash during GSO segmentaiont. + */ + if (unlikely(p->len + skb->len >= 65536 || + NAPI_GRO_CB(skb)->flush)) return -E2BIG; if (!pskb_may_pull(skb, skb_gro_offset(skb))) { -- 2.45.2