lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20260115032030.1539127-1-kuba@kernel.org>
Date: Wed, 14 Jan 2026 19:20:30 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: jibin.zhang@...iatek.com
Cc: Jakub Kicinski <kuba@...nel.org>,
	davem@...emloft.net,
	matthias.bgg@...il.com,
	horms@...nel.org,
	angelogioacchino.delregno@...labora.com,
	linux-kernel@...r.kernel.org,
	linux-mediatek@...ts.infradead.org,
	ncardwell@...gle.com,
	pabeni@...hat.com,
	edumazet@...gle.com,
	kuniyu@...gle.com,
	netdev@...r.kernel.org,
	dsahern@...nel.org,
	linux-arm-kernel@...ts.infradead.org
Subject: Re: [v2] net: fix segmentation of forwarding fraglist GRO

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least pausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net: fix segmentation of forwarding fraglist GRO

This patch adds checks for frag_list presence and protocol consistency
when handling SKB_GSO_FRAGLIST packets in GSO segmentation. This ensures
XLAT-converted packets fall back to skb_segment instead of skb_segment_list.

> diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
> index fdda18b1abda..6c2c10f37f87 100644
> --- a/net/ipv4/tcp_offload.c
> +++ b/net/ipv4/tcp_offload.c
> @@ -107,7 +107,9 @@ static struct sk_buff *tcp4_gso_segment(struct sk_buff *skb,
>  	if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) {
>  		struct tcphdr *th = tcp_hdr(skb);
>
> -		if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size)
> +		if ((skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) &&
> +		    skb_has_frag_list(skb) &&
> +		    (skb->protocol == skb_shinfo(skb)->frag_list->protocol))
>  			return __tcp4_gso_segment_list(skb, features);

Should tcp6_gso_segment() in net/ipv6/tcpv6_offload.c receive the same
treatment? Looking at that function, it has the identical pattern before
this patch:

    if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) {
        struct tcphdr *th = tcp_hdr(skb);

        if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size)
            return __tcp6_gso_segment_list(skb, features);

        skb->ip_summed = CHECKSUM_NONE;
    }

If an IPv4 packet is GRO-aggregated with fraglist and then converted by
XLAT to IPv6, the same protocol mismatch could occur when it reaches
tcp6_gso_segment(). Paolo raised this point in the v1 review:
https://lore.kernel.org/all/aab6c515-12e4-48ca-8220-c0797dae781f@redhat.com/

[ ... ]
-- 
pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ