]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
net/sched: act_ct: preserve tc_skb_cb across defragmentation
authorZihan Xi <xizh2024@lzu.edu.cn>
Sat, 13 Jun 2026 17:42:39 +0000 (01:42 +0800)
committerJakub Kicinski <kuba@kernel.org>
Fri, 19 Jun 2026 00:38:51 +0000 (17:38 -0700)
tcf_ct_handle_fragments() calls nf_ct_handle_fragments() without saving
and restoring skb->cb. The defrag helper clears IPCB/IP6CB, which aliases
the tc_skb_cb/qdisc_skb_cb control buffer. Fragmented traffic through
act_ct therefore loses qdisc metadata such as pkt_segs and can trigger
WARN_ON_ONCE() in qdisc_pkt_segs() when panic_on_warn is enabled.

Save and restore the full tc_skb_cb around nf_ct_handle_fragments(),
matching the pattern used by ovs_ct_handle_fragments().

Fixes: ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/510c51217fd7aaf29c6dc298bab8d643fe229b1c.1781358692.git.xizh2024@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/sched/act_ct.c

index 6158e13c98d3581f16c6fdb66933aaf8c759d7b1..d47a82f9ac6ca4a4ea1967a5164a62fafe3a1c5e 100644 (file)
@@ -844,11 +844,11 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
                                   u8 family, u16 zone, bool *defrag)
 {
        enum ip_conntrack_info ctinfo;
+       struct tc_skb_cb cb;
        struct nf_conn *ct;
        int err = 0;
        bool frag;
        u8 proto;
-       u16 mru;
 
        /* Previously seen (loopback)? Ignore. */
        ct = nf_ct_get(skb, &ctinfo);
@@ -862,12 +862,13 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
        if (err || !frag)
                return err;
 
-       err = nf_ct_handle_fragments(net, skb, zone, family, &proto, &mru);
+       cb = *tc_skb_cb(skb);
+       err = nf_ct_handle_fragments(net, skb, zone, family, &proto, &cb.mru);
        if (err)
                return err;
 
        *defrag = true;
-       tc_skb_cb(skb)->mru = mru;
+       *tc_skb_cb(skb) = cb;
 
        return 0;
 }