diff --git a/target/linux/generic/backport-6.6/621-v6.10-03-net-add-code-for-TCP-fraglist-GRO.patch b/target/linux/generic/backport-6.6/621-v6.10-03-net-add-code-for-TCP-fraglist-GRO.patch
index a51b2ed9c9b..b76431e8ed8 100644
--- a/target/linux/generic/backport-6.6/621-v6.10-03-net-add-code-for-TCP-fraglist-GRO.patch
+++ b/target/linux/generic/backport-6.6/621-v6.10-03-net-add-code-for-TCP-fraglist-GRO.patch
@@ -20,7 +20,7 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 
 --- a/net/ipv4/tcp_offload.c
 +++ b/net/ipv4/tcp_offload.c
-@@ -342,6 +342,19 @@ found:
+@@ -342,6 +342,18 @@ found:
  	flush |= p->decrypted ^ skb->decrypted;
  #endif
  
@@ -28,7 +28,6 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 +		flush |= (__force int)(flags ^ tcp_flag_word(th2));
 +		flush |= skb->ip_summed != p->ip_summed;
 +		flush |= skb->csum_level != p->csum_level;
-+		flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
 +		flush |= NAPI_GRO_CB(p)->count >= 64;
 +
 +		if (flush || skb_gro_receive_list(p, skb))
@@ -40,7 +39,7 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  	if (flush || skb_gro_receive(p, skb)) {
  		mss = 1;
  		goto out_check_final;
-@@ -406,6 +419,15 @@ INDIRECT_CALLABLE_SCOPE int tcp4_gro_com
+@@ -406,6 +418,15 @@ INDIRECT_CALLABLE_SCOPE int tcp4_gro_com
  	const struct iphdr *iph = ip_hdr(skb);
  	struct tcphdr *th = tcp_hdr(skb);
  
diff --git a/target/linux/generic/backport-6.6/621-v6.10-05-net-create-tcp_gro_header_pull-helper-function.patch b/target/linux/generic/backport-6.6/621-v6.10-05-net-create-tcp_gro_header_pull-helper-function.patch
index 03f674dc2b1..607f21a665e 100644
--- a/target/linux/generic/backport-6.6/621-v6.10-05-net-create-tcp_gro_header_pull-helper-function.patch
+++ b/target/linux/generic/backport-6.6/621-v6.10-05-net-create-tcp_gro_header_pull-helper-function.patch
@@ -96,7 +96,7 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  	len = skb_gro_len(skb);
  	flags = tcp_flag_word(th);
  
-@@ -385,7 +391,6 @@ out_check_final:
+@@ -384,7 +390,6 @@ out_check_final:
  	if (p && (!NAPI_GRO_CB(skb)->same_flow || flush))
  		pp = p;
  
@@ -104,7 +104,7 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  	NAPI_GRO_CB(skb)->flush |= (flush != 0);
  
  	return pp;
-@@ -412,15 +417,23 @@ EXPORT_SYMBOL(tcp_gro_complete);
+@@ -411,15 +416,23 @@ EXPORT_SYMBOL(tcp_gro_complete);
  INDIRECT_CALLABLE_SCOPE
  struct sk_buff *tcp4_gro_receive(struct list_head *head, struct sk_buff *skb)
  {
diff --git a/target/linux/generic/backport-6.6/621-v6.10-06-net-add-heuristic-for-enabling-TCP-fraglist-GRO.patch b/target/linux/generic/backport-6.6/621-v6.10-06-net-add-heuristic-for-enabling-TCP-fraglist-GRO.patch
index 6ce1f891234..c3462c25454 100644
--- a/target/linux/generic/backport-6.6/621-v6.10-06-net-add-heuristic-for-enabling-TCP-fraglist-GRO.patch
+++ b/target/linux/generic/backport-6.6/621-v6.10-06-net-add-heuristic-for-enabling-TCP-fraglist-GRO.patch
@@ -35,7 +35,7 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 
 --- a/net/ipv4/tcp_offload.c
 +++ b/net/ipv4/tcp_offload.c
-@@ -414,6 +414,36 @@ void tcp_gro_complete(struct sk_buff *sk
+@@ -413,6 +413,36 @@ void tcp_gro_complete(struct sk_buff *sk
  }
  EXPORT_SYMBOL(tcp_gro_complete);
  
@@ -72,7 +72,7 @@ Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  INDIRECT_CALLABLE_SCOPE
  struct sk_buff *tcp4_gro_receive(struct list_head *head, struct sk_buff *skb)
  {
-@@ -429,6 +459,8 @@ struct sk_buff *tcp4_gro_receive(struct
+@@ -428,6 +458,8 @@ struct sk_buff *tcp4_gro_receive(struct
  	if (!th)
  		goto flush;
  
diff --git a/target/linux/generic/pending-6.6/690-net-add-missing-check-for-TCP-fraglist-GRO.patch b/target/linux/generic/pending-6.6/690-net-add-missing-check-for-TCP-fraglist-GRO.patch
new file mode 100644
index 00000000000..59bb41acd01
--- /dev/null
+++ b/target/linux/generic/pending-6.6/690-net-add-missing-check-for-TCP-fraglist-GRO.patch
@@ -0,0 +1,26 @@
+From 4498f0aa561092bc656bfabe7c4bdae41bc4a5b4 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 7 May 2024 11:24:50 +0200
+Subject: [PATCH] net: add missing check for TCP fraglist GRO
+
+It turns out that the existing checks do not guarantee that the skb can be
+pulled up to the GRO offset. When using the usb r8152 network driver with
+GRO fraglist, the BUG() in __skb_pull is often triggered.
+Fix the crash by adding the missing check.
+
+Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+ net/ipv4/tcp_offload.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_offload.c
++++ b/net/ipv4/tcp_offload.c
+@@ -367,6 +367,7 @@ struct sk_buff *tcp_gro_receive(struct l
+ 		flush |= (__force int)(flags ^ tcp_flag_word(th2));
+ 		flush |= skb->ip_summed != p->ip_summed;
+ 		flush |= skb->csum_level != p->csum_level;
++		flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
+ 		flush |= NAPI_GRO_CB(p)->count >= 64;
+ 
+ 		if (flush || skb_gro_receive_list(p, skb))