CVE-2025-68363
Severity (CVSS v4.0): Pending analysis
Type: Unavailable / Other
Publication date: 24/12/2025
Last modified: 29/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Check skb->transport_header is set in bpf_skb_check_mtu

The bpf_skb_check_mtu helper needs to use skb->transport_header when
the BPF_MTU_CHK_SEGS flag is used:

bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)

The transport_header is not always set. There is a WARN_ON_ONCE
report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
bpf_prog_test_run is used:

WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
skb_gso_validate_network_len
bpf_skb_check_mtu
bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
bpf_test_run
bpf_prog_test_run_skb

For a normal ingress skb (not test_run), skb_reset_transport_header
is performed but there is a plan to avoid setting it as described in
commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").

This patch fixes the bpf helper by checking
skb_transport_header_was_set(). The check is done just before
skb->transport_header is used, to avoid breaking the existing bpf prog.
The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
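The following is an added user-space model of the guard the commit describes; it is not the kernel's code and not part of the CVE record. The `model_skb` struct, the `~0` sentinel for an unset transport header (mirroring how `skb_transport_header_was_set()` works), the simplified MTU/GSO arithmetic and the `-EINVAL` return for the guarded case are all assumptions of this model. The `BPF_MTU_CHK_*` values are the real uapi constants. It shows why reading `transport_header` under `BPF_MTU_CHK_SEGS` on a GSO skb that never had it set produces the warning, and how placing the `was_set` check immediately before that read avoids it without changing results for skbs that do have the header set.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real values from the bpf uapi header. */
#define BPF_MTU_CHK_SEGS (1U << 0)
enum {
    BPF_MTU_CHK_RET_SUCCESS,
    BPF_MTU_CHK_RET_FRAG_NEEDED,
    BPF_MTU_CHK_RET_SEGS_TOOBIG,
};

/* Constructed stand-in for the few sk_buff fields the helper touches (assumption). */
struct model_skb {
    unsigned int len;            /* total bytes across all segments */
    unsigned int gso_size;       /* 0 means not a GSO skb */
    unsigned int network_header; /* offset from head */
    uint16_t transport_header;   /* offset from head; ~0 means never set */
};

#define TRANSPORT_HEADER_UNSET ((uint16_t)~0U)

/* Models skb_transport_header_was_set(): the kernel compares against ~0. */
static bool model_transport_header_was_set(const struct model_skb *skb)
{
    return skb->transport_header != TRANSPORT_HEADER_UNSET;
}

/* Stands in for the WARN_ON_ONCE inside skb_gso_validate_network_len. */
static int warn_count;

/* Models skb_gso_validate_network_len: each resulting segment carries
 * (transport_header - network_header) bytes of L3 header plus gso_size
 * bytes of payload, and that must fit within mtu. Reading transport_header
 * when it was never set is the defect the CVE describes; the model counts
 * it instead of emitting a kernel splat. */
static bool model_gso_validate_network_len(const struct model_skb *skb,
                                           unsigned int mtu)
{
    if (!model_transport_header_was_set(skb))
        warn_count++;
    unsigned int seg_len = (unsigned int)skb->transport_header -
                           skb->network_header + skb->gso_size;
    return seg_len <= mtu;
}

/* Simplified bpf_skb_check_mtu. 'fixed' toggles the guard from the patch;
 * returning -EINVAL for an unset header is an assumption of this model. */
static int model_check_mtu(const struct model_skb *skb, unsigned int mtu,
                           uint64_t flags, bool fixed)
{
    if (flags & ~(uint64_t)BPF_MTU_CHK_SEGS)
        return -EINVAL;
    if (skb->len <= mtu)
        return BPF_MTU_CHK_RET_SUCCESS;
    if (!skb->gso_size)
        return BPF_MTU_CHK_RET_FRAG_NEEDED;
    /* A GSO skb above the MTU may still be fine once re-segmented on xmit;
     * only check the segments if the caller asked for it. */
    if (!(flags & BPF_MTU_CHK_SEGS))
        return BPF_MTU_CHK_RET_SUCCESS;
    /* The guard added by the fix, placed right before transport_header is used. */
    if (fixed && !model_transport_header_was_set(skb))
        return -EINVAL;
    return model_gso_validate_network_len(skb, mtu)
               ? BPF_MTU_CHK_RET_SUCCESS
               : BPF_MTU_CHK_RET_SEGS_TOOBIG;
}

/* Constructed scenarios: a 3000-byte GSO skb on a 1500-byte MTU. */
static const struct model_skb unset_hdr = {3000, 1400, 14, TRANSPORT_HEADER_UNSET};
static const struct model_skb set_hdr_fits = {3000, 1400, 14, 34};
static const struct model_skb set_hdr_toobig = {3000, 1500, 14, 34};

/* Unfixed helper with SEGS on an skb whose header was never set: returns
 * the number of modelled WARN_ON_ONCE hits (expected 1). */
static int scenario_unfixed_unset_warns(void)
{
    warn_count = 0;
    model_check_mtu(&unset_hdr, 1500, BPF_MTU_CHK_SEGS, false);
    return warn_count;
}

/* Same skb with the fix: the guard rejects the call and never reads the header. */
static int scenario_fixed_unset(void)
{
    warn_count = 0;
    return model_check_mtu(&unset_hdr, 1500, BPF_MTU_CHK_SEGS, true);
}

static int scenario_fixed_set_fits(void)
{
    return model_check_mtu(&set_hdr_fits, 1500, BPF_MTU_CHK_SEGS, true);
}

static int scenario_fixed_set_toobig(void)
{
    return model_check_mtu(&set_hdr_toobig, 1500, BPF_MTU_CHK_SEGS, true);
}

int main(void)
{
    printf("unfixed, unset header: warnings=%d\n", scenario_unfixed_unset_warns());
    printf("fixed, unset header:   ret=%d (-EINVAL=%d)\n", scenario_fixed_unset(), -EINVAL);
    printf("fixed, header set, segments fit:    ret=%d\n", scenario_fixed_set_fits());
    printf("fixed, header set, segments toobig: ret=%d\n", scenario_fixed_set_toobig());
    return 0;
}
```

The point the model makes is that the guard only changes behaviour for the case that previously tripped the warning; skbs with the header set still get the same `SUCCESS` / `SEGS_TOOBIG` verdicts, which is why the check is placed right before the read rather than at the top of the helper.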