In the Linux kernel, the following vulnerability has been resolved:

gro: fix ownership transfer

If packets are GROed with fraglist they might be segmented later on and
continue their journey in the stack. In skb_segment_list those skbs can
be reused as-is. This is an issue as their destructor was removed in
skb_gro_receive_list but not the reference to their socket, and then
they can't be orphaned. Fix this by also removing the reference to the
socket.

For example this could be observed,

  kernel BUG at include/linux/skbuff.h:3131!  (skb_orphan)
  RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
  Call Trace:
   ipv6_list_rcv+0x250/0x3f0
   __netif_receive_skb_list_core+0x49d/0x8f0
   netif_receive_skb_list_internal+0x634/0xd40
   napi_complete_done+0x1d2/0x7d0
   gro_cell_poll+0x118/0x1f0

A similar construction is found in skb_gro_receive, apply the same
change there.

kernel.org https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad [No types assigned]

kernel.org https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f [No types assigned]

kernel.org https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f [No types assigned]

kernel.org https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 [No types assigned]

kernel.org https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6 [No types assigned]