[PATCH net-next] net: add missing check for TCP fraglist GRO

Felix Fietkau posted 1 patch 1 year, 7 months ago
[PATCH net-next] net: add missing check for TCP fraglist GRO
Posted by Felix Fietkau 1 year, 7 months ago
It turns out that the existing checks do not guarantee that the skb can be
pulled up to the GRO offset. When using the usb r8152 network driver with
GRO fraglist, the BUG() in __skb_pull is often triggered.
Fix the crash by adding the missing check.

Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/ipv4/tcp_offload.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
index c90704befd7b..a71d2e623f0c 100644
--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -353,6 +353,7 @@ struct sk_buff *tcp_gro_receive(struct list_head *head, struct sk_buff *skb,
 		flush |= (__force int)(flags ^ tcp_flag_word(th2));
 		flush |= skb->ip_summed != p->ip_summed;
 		flush |= skb->csum_level != p->csum_level;
+		flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
 		flush |= NAPI_GRO_CB(p)->count >= 64;
 
 		if (flush || skb_gro_receive_list(p, skb))
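Review bot: `flush |=` does not short-circuit, so the added `pskb_may_pull(skb, skb_gro_offset(skb))` runs even when one of the three comparisons above it has already set flush, and unlike those comparisons it can modify the skb by pulling fragment data into the linear area. Consider making it the last test before the merge attempt, for example `if (flush || !pskb_may_pull(skb, skb_gro_offset(skb)) || skb_gro_receive_list(p, skb))`, so the pull is only attempted for packets that are still merge candidates.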
-- 
2.44.0
Re: [PATCH net-next] net: add missing check for TCP fraglist GRO
Posted by Eric Dumazet 1 year, 7 months ago
On Tue, May 7, 2024 at 11:41 AM Felix Fietkau <nbd@nbd.name> wrote:
>
> It turns out that the existing checks do not guarantee that the skb can be
> pulled up to the GRO offset. When using the usb r8152 network driver with
> GRO fraglist, the BUG() in __skb_pull is often triggered.

Why is it crashing? I would expect tcp_gro_pull_header() to perform this early.

Please include a stack trace.

> Fix the crash by adding the missing check.
>
> Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
>  net/ipv4/tcp_offload.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
> index c90704befd7b..a71d2e623f0c 100644
> --- a/net/ipv4/tcp_offload.c
> +++ b/net/ipv4/tcp_offload.c
> @@ -353,6 +353,7 @@ struct sk_buff *tcp_gro_receive(struct list_head *head, struct sk_buff *skb,
>                 flush |= (__force int)(flags ^ tcp_flag_word(th2));
>                 flush |= skb->ip_summed != p->ip_summed;
>                 flush |= skb->csum_level != p->csum_level;
> +               flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
>                 flush |= NAPI_GRO_CB(p)->count >= 64;
>
>                 if (flush || skb_gro_receive_list(p, skb))
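Review bot: the added `pskb_may_pull()` line has no comment, and unlike the neighbouring `ip_summed`, `csum_level` and `count` tests it does not explain itself: nothing in the hunk says why the data up to the GRO offset might not be in the linear area at this point. A one-line comment above it naming the condition that leaves the skb non-linear, together with the stack trace in the commit message, would let a reader judge whether the check belongs in this branch or earlier in tcp_gro_receive().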
> --
> 2.44.0
>