CVE-2024-35890

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gro: fix ownership transfer<br /> <br /> If packets are GROed with fraglist they might be segmented later on and<br /> continue their journey in the stack. In skb_segment_list those skbs can<br /> be reused as-is. This is an issue as their destructor was removed in<br /> skb_gro_receive_list but not the reference to their socket, and then<br /> they can&amp;#39;t be orphaned. Fix this by also removing the reference to the<br /> socket.<br /> <br /> For example this could be observed,<br /> <br /> kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)<br /> RIP: 0010:ip6_rcv_core+0x11bc/0x19a0<br /> Call Trace:<br /> ipv6_list_rcv+0x250/0x3f0<br /> __netif_receive_skb_list_core+0x49d/0x8f0<br /> netif_receive_skb_list_internal+0x634/0xd40<br /> napi_complete_done+0x1d2/0x7d0<br /> gro_cell_poll+0x118/0x1f0<br /> <br /> A similar construction is found in skb_gro_receive, apply the same<br /> change there.