[PATCH net] tunnels: reset the GSO metadata before reusing the skb

[PATCH net] tunnels: reset the GSO metadata before reusing the skb

[Antoine Tenart]

If a GSO skb is sent through a Geneve tunnel and if Geneve options are
added, the split GSO skb might not fit in the MTU anymore and an ICMP
frag needed packet can be generated. In such case the ICMP packet might
go through the segmentation logic (and dropped) later if it reaches a
path were the GSO status is checked and segmentation is required.

This is especially true when an OvS bridge is used with a Geneve tunnel
attached to it. The following set of actions could lead to the ICMP
packet being wrongfully segmented:

1. An skb is constructed by the TCP layer (e.g. gso_type SKB_GSO_TCPV4,
   segs >= 2).

2. The skb hits the OvS bridge where Geneve options are added by an OvS
   action before being sent through the tunnel.

3. When the skb is xmited in the tunnel, the split skb does not fit
   anymore in the MTU and iptunnel_pmtud_build_icmp is called to
   generate an ICMP fragmentation needed packet. This is done by reusing
   the original (GSO!) skb. The GSO metadata is not cleared.

4. The ICMP packet being sent back hits the OvS bridge again and because
   skb_is_gso returns true, it goes through queue_gso_packets...

5. ...where __skb_gso_segment is called. The skb is then dropped.

6. Note that in the above example on re-transmission the skb won't be a
   GSO one as it would be segmented (len > MSS) and the ICMP packet
   should go through.

Fix this by resetting the GSO information before reusing an skb in
iptunnel_pmtud_build_icmp and iptunnel_pmtud_build_icmpv6.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: Adrian Moreno <amorenoz@redhat.com>
Signed-off-by: Antoine Tenart <atenart@kernel.org>
---
 net/ipv4/ip_tunnel_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index cc9915543637..2e61ac137128 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -206,6 +206,9 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 	if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr)))
 		return -EINVAL;
 
+	if (skb_is_gso(skb))
+		skb_gso_reset(skb);
+
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
 	skb_reset_network_header(skb);
@@ -300,6 +303,9 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 	if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)))
 		return -EINVAL;
 
+	if (skb_is_gso(skb))
+		skb_gso_reset(skb);
+
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
 	skb_reset_network_header(skb);
-- 
2.51.0

Re: [PATCH net] tunnels: reset the GSO metadata before reusing the skb

[Stefano Brivio]

On Thu,  4 Sep 2025 14:53:50 +0200
Antoine Tenart <atenart@kernel.org> wrote:

> If a GSO skb is sent through a Geneve tunnel and if Geneve options are
> added, the split GSO skb might not fit in the MTU anymore and an ICMP
> frag needed packet can be generated. In such case the ICMP packet might
> go through the segmentation logic (and dropped) later if it reaches a
> path were the GSO status is checked and segmentation is required.
> 
> This is especially true when an OvS bridge is used with a Geneve tunnel
> attached to it. The following set of actions could lead to the ICMP
> packet being wrongfully segmented:
> 
> 1. An skb is constructed by the TCP layer (e.g. gso_type SKB_GSO_TCPV4,
>    segs >= 2).
> 
> 2. The skb hits the OvS bridge where Geneve options are added by an OvS
>    action before being sent through the tunnel.
> 
> 3. When the skb is xmited in the tunnel, the split skb does not fit
>    anymore in the MTU and iptunnel_pmtud_build_icmp is called to
>    generate an ICMP fragmentation needed packet. This is done by reusing
>    the original (GSO!) skb. The GSO metadata is not cleared.
> 
> 4. The ICMP packet being sent back hits the OvS bridge again and because
>    skb_is_gso returns true, it goes through queue_gso_packets...
> 
> 5. ...where __skb_gso_segment is called. The skb is then dropped.
> 
> 6. Note that in the above example on re-transmission the skb won't be a
>    GSO one as it would be segmented (len > MSS) and the ICMP packet
>    should go through.
> 
> Fix this by resetting the GSO information before reusing an skb in
> iptunnel_pmtud_build_icmp and iptunnel_pmtud_build_icmpv6.
> 
> Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
> Reported-by: Adrian Moreno <amorenoz@redhat.com>
> Signed-off-by: Antoine Tenart <atenart@kernel.org>

Thanks for fixing this!

Reviewed-by: Stefano Brivio <sbrivio@redhat.com>

-- 
Stefano

Re: [PATCH net] tunnels: reset the GSO metadata before reusing the skb

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Thu,  4 Sep 2025 14:53:50 +0200 you wrote:
> If a GSO skb is sent through a Geneve tunnel and if Geneve options are
> added, the split GSO skb might not fit in the MTU anymore and an ICMP
> frag needed packet can be generated. In such case the ICMP packet might
> go through the segmentation logic (and dropped) later if it reaches a
> path were the GSO status is checked and segmentation is required.
> 
> This is especially true when an OvS bridge is used with a Geneve tunnel
> attached to it. The following set of actions could lead to the ICMP
> packet being wrongfully segmented:
> 
> [...]

Here is the summary with links:
  - [net] tunnels: reset the GSO metadata before reusing the skb
    https://git.kernel.org/netdev/net/c/e3c674db356c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html