udp: fix segmentation crash for GRO packet without fraglist
A GRO packet without a fraglist crashes, and the backtrace is as below:
 [ 1100.812205][    C3] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G        W  OE      6.6.17-android15-0-g380371ea9bf1 #1
 [ 1100.812317][    C3]  __udp_gso_segment+0x298/0x4d4
 [ 1100.812335][    C3]  __skb_gso_segment+0xc4/0x120
 [ 1100.812339][    C3]  udp_rcv_segment+0x50/0x134
 [ 1100.812344][    C3]  udp_queue_rcv_skb+0x74/0x114
 [ 1100.812348][    C3]  udp_unicast_rcv_skb+0x94/0xac
 [ 1100.812358][    C3]  udp_rcv+0x20/0x30

The reason that the packet loses its fraglist is that in ingress bpf
it makes a test pull to make sure it can read packet headers
via direct packet access: In bpf_progs/offload.c
try_make_writable -> bpf_skb_pull_data -> pskb_may_pull ->
__pskb_pull_tail. This operation pulls the data in the fraglist into the
linear area and sets the fraglist to null.

BPF needs to pass a proper length to pull data. However, the kernel
should also improve the flow to avoid a crash from a bpf function call.
As there is no split flow and the app may not decode the merged UDP packet,
we should drop the packet without a fraglist in skb_segment_list here.

Fixes: 3a1296a ("net: Support GRO/GSO fraglist chaining.")
Signed-off-by: Shiming Cheng <[email protected]>
Signed-off-by: Lena Wang <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
Shiming Cheng authored and NipaLocal committed Apr 16, 2024
1 parent 9a3f13f commit 2ef9e5b
3 changes: 3 additions & 0 deletions net/core/skbuff.c
@@ -4448,6 +4448,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
if (err)
goto err_linearize;

if (!list_skb)
goto err_linearize;

skb_shinfo(skb)->frag_list = NULL;

while (list_skb) {
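Review bot: the new bail-out `if (!list_skb) goto err_linearize;` reuses the linearization-failure path, so a caller cannot distinguish a packet whose frag_list was consumed by an earlier pull (the BPF case described in the commit message) from a genuine linearize error; consider a distinct error code or a separate label so the drop reason is visible in stats and tracing, and add a one-line comment above the check explaining why an skb with the fraglist GSO type but no frag_list is rejected at this point. It would also help to state in the commit message why dropping is preferred over falling back to ordinary segmentation of the now-linear skb, since the payload is still present after the pull.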
