In the Linux kernel, the following vulnerability has been resolved:
gro: fix ownership transfer
If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skbsegmentlist those skbs can be reused as-is. This is an issue as their destructor was removed in skbgroreceive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket.
For example this could be observed,
kernel BUG at include/linux/skbuff.h:3131! (skborphan) RIP: 0010:ip6rcvcore+0x11bc/0x19a0 Call Trace: ipv6listrcv+0x250/0x3f0 _netifreceiveskblistcore+0x49d/0x8f0 netifreceiveskblistinternal+0x634/0xd40 napicompletedone+0x1d2/0x7d0 grocellpoll+0x118/0x1f0
A similar construction is found in skbgroreceive, apply the same change there.