GRO hint handling must be symmetric between the receive and the complete paths, but it is not. geneve_gro_receive() reads the hint through geneve_sk_gro_hint_off(), which honours it only when the socket was configured with IFLA_GENEVE_GRO_HINT (gs->gro_hint); geneve_gro_complete() calls the low-level geneve_opt_gro_hint_off() directly and acts on the hint regardless. On a tunnel without the hint (gs->gro_hint == false, the default), receive therefore ignores any hint option a remote peer puts in the frames and aggregates them as plain ETH_P_TEB, while complete still honours it: it inflates gh_len by the attacker-controlled gro_hint->nested_hdr_len (u8) and redirects the dispatch type to ETH_P_IP / ETH_P_IPV6. The inner gro_complete handler then runs at nhoff + gh_len, an offset receive never validated nor pulled, and reads the inner L3 header out of bounds of the aggregated skb head: BUG: KASAN: slab-out-of-bounds in ipv6_gro_complete (net/ipv6/ip6_offload.c:196) Read of size 1 at addr ffff88800fe91980 by task exploit/153 ipv6_gro_complete (net/ipv6/ip6_offload.c:196) geneve_gro_complete (drivers/net/geneve.c:965) udp_gro_complete (net/ipv4/udp_offload.c:940) inet_gro_complete (net/ipv4/af_inet.c:1621) __gro_flush (net/core/gro.c:306) napi_complete_done (include/net/gro.h:530) veth_poll (drivers/net/veth.c:987) __napi_poll (net/core/dev.c:7733) net_rx_action (net/core/dev.c:7953) handle_softirqs (kernel/softirq.c:622) ... The buggy address belongs to the cache skbuff_small_head of size 704 The buggy address is located 0 bytes to the right of allocated 704-byte region [ffff88800fe916c0, ffff88800fe91980) Restore the symmetry by having geneve_gro_complete() go through geneve_sk_gro_hint_off() as well, so both paths gate on gs->gro_hint. Tunnels that enable the hint are unaffected. Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path") Reported-by: Weiming Shi Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Xiang Mei --- drivers/net/geneve.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c index 715180c3a1b3..97b203fdb753 100644 --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c @@ -954,7 +954,7 @@ static int geneve_gro_complete(struct sock *sk, struct sk_buff *skb, gh = (struct genevehdr *)(skb->data + nhoff); gh_len = geneve_hlen(gh); type = gh->proto_type; - geneve_opt_gro_hint_off(gh, &type, &gh_len); + geneve_sk_gro_hint_off(sk, gh, &type, &gh_len); /* since skb->encapsulation is set, eth_gro_complete() sets the inner mac header */ if (likely(type == htons(ETH_P_TEB))) -- 2.43.0