Vulnerability details: CVE-2024-35890

Vulnerability title
gro: fix ownership transfer
Source: NVD
Linux kernel security vulnerability
Source: CNNVD
gro: fix ownership transfer
Source: 神龙机器人
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:

gro: fix ownership transfer

If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skb_segment_list those skbs can be reused as-is. This is an issue as their destructor was removed in skb_gro_receive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket.

For example this could be observed,

  kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
  RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
  Call Trace:
   ipv6_list_rcv+0x250/0x3f0
   __netif_receive_skb_list_core+0x49d/0x8f0
   netif_receive_skb_list_internal+0x634/0xd40
   napi_complete_done+0x1d2/0x7d0
   gro_cell_poll+0x118/0x1f0

A similar construction is found in skb_gro_receive, apply the same change there.
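Source: NVD
The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). A security vulnerability exists in the Linux kernel. No information about this vulnerability is currently available; please follow CNNVD or vendor announcements.
Source: CNNVD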
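In the Linux kernel, the following vulnerability has been resolved:

gro: fix ownership transfer

If packets received via GRO (Generic Receive Offloading) with fraglist are segmented later on, they continue their journey in the stack. In skb_segment_list these skbs may be reused as-is. This is a problem because the skb's destructor was removed in skb_gro_receive_list but its reference to the socket was not, so these skbs cannot be orphaned. Fix this by also removing the reference to the socket.

For example, the following could be observed:

  kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
  RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
  Call Trace:
   ipv6_list_rcv+0x250/0x3f0
   __netif_receive_skb_list_core+0x49d/0x8f0
   netif_receive_skb_list_internal+0x634/0xd40
   napi_complete_done+0x1d2/0x7d0
   gro_cell_poll+0x118/0x1f0

A similar construction is found in skb_gro_receive; the same change should be applied there.
Source: 神龙机器人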
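The invariant behind the BUG in the description above, as an added example that is not kernel code and not part of the original entry. It is a user-space C model: the reduced structs and the names `model_gro_transfer`, `model_skb_orphan` and `run_case` are hypothetical, and the orphan check (destructor cleared while the socket pointer is still set is treated as fatal) is modelled on the behaviour the description reports.

```c
#include <stddef.h>
#include <stdio.h>

/* Reduced stand-ins for the kernel structures (constructed for this model). */
struct sock { int id; };
struct sk_buff {
    struct sock *sk;                          /* owning socket, if any */
    void (*destructor)(struct sk_buff *skb);  /* releases that ownership */
};

static void model_destructor(struct sk_buff *skb) { (void)skb; }

/* Ownership transfer when an skb is merged by GRO. Before the fix only the
 * destructor was cleared; the fix also clears the socket reference. */
static void model_gro_transfer(struct sk_buff *skb, int fixed)
{
    skb->destructor = NULL;
    if (fixed)
        skb->sk = NULL;
}

/* Orphan check: 0 on success, -1 where the kernel reports
 * "kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)". */
static int model_skb_orphan(struct sk_buff *skb)
{
    if (skb->destructor) {
        skb->destructor(skb);
        skb->destructor = NULL;
        skb->sk = NULL;
    } else if (skb->sk) {
        return -1;  /* socket reference without a destructor: cannot orphan */
    }
    return 0;
}

/* One skb: merged by GRO, later segmented and reused as-is, then orphaned
 * when it re-enters the receive path. */
int run_case(int fixed)
{
    struct sock s = { .id = 1 };
    struct sk_buff skb = { .sk = &s, .destructor = model_destructor };
    model_gro_transfer(&skb, fixed);
    return model_skb_orphan(&skb);
}

int main(void)
{
    printf("before fix: %d\nafter fix: %d\n", run_case(0), run_case(1));
    return 0;
}
```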
Vulnerability score (CVSS)
NVD has not yet assigned a score
Source: NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: 神龙机器人, accuracy: N/A
Vulnerability category
NVD has no vulnerability category information yet
Source: NVD
Other
Source: CNNVD
Related links