[PATCH net-next] net: add missing check for TCP fraglist GRO

From: Felix Fietkau
Date: Tue May 07 2024 - 05:48:57 EST

Next message: Markus Elfring: "Re: [PATCH net v5 4/4] ax25: Change kfree() in ax25_dev_free() to ax25_dev_put()"
Previous message: Yan Zhao: "Re: [PATCH 3/5] x86/mm: Introduce and export interface arch_clean_nonsnoop_dma()"
Next in thread: Suman Ghosh: "RE: [EXTERNAL] [PATCH net-next] net: add missing check for TCP fraglist GRO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It turns out that the existing checks do not guarantee that the skb can be
pulled up to the GRO offset. When using the usb r8152 network driver with
GRO fraglist, the BUG() in __skb_pull is often triggered.
Fix the crash by adding the missing check.

Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
Signed-off-by: Felix Fietkau <nbd@xxxxxxxx>
---
net/ipv4/tcp_offload.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
index c90704befd7b..a71d2e623f0c 100644
--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -353,6 +353,7 @@ struct sk_buff *tcp_gro_receive(struct list_head *head, struct sk_buff *skb,
flush |= (__force int)(flags ^ tcp_flag_word(th2));
flush |= skb->ip_summed != p->ip_summed;
flush |= skb->csum_level != p->csum_level;
+ flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
flush |= NAPI_GRO_CB(p)->count >= 64;

if (flush || skb_gro_receive_list(p, skb))
--
2.44.0

Next message: Markus Elfring: "Re: [PATCH net v5 4/4] ax25: Change kfree() in ax25_dev_free() to ax25_dev_put()"
Previous message: Yan Zhao: "Re: [PATCH 3/5] x86/mm: Introduce and export interface arch_clean_nonsnoop_dma()"
Next in thread: Suman Ghosh: "RE: [EXTERNAL] [PATCH net-next] net: add missing check for TCP fraglist GRO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]