tunnels: reset the GSO metadata before reusing the skb

Antoine Tenartrequested to merge
atenart/centos-stream-9:c9s/RHEL-101033/pmtu-gso into main

JIRA: https://issues.redhat.com/browse/RHEL-101033
Upstream Status: net.git

commit e3c674db356c4303804b2415e7c2b11776cdd8c3
Author: Antoine Tenart atenart@kernel.org
Date: Thu Sep 4 14:53:50 2025 +0200

tunnels: reset the GSO metadata before reusing the skb  

If a GSO skb is sent through a Geneve tunnel and if Geneve options are  
added, the split GSO skb might not fit in the MTU anymore and an ICMP  
frag needed packet can be generated. In such case the ICMP packet might  
go through the segmentation logic (and dropped) later if it reaches a  
path were the GSO status is checked and segmentation is required.  

This is especially true when an OvS bridge is used with a Geneve tunnel  
attached to it. The following set of actions could lead to the ICMP  
packet being wrongfully segmented:  

1. An skb is constructed by the TCP layer (e.g. gso_type SKB_GSO_TCPV4,  
   segs >= 2).  

2. The skb hits the OvS bridge where Geneve options are added by an OvS  
   action before being sent through the tunnel.  

3. When the skb is xmited in the tunnel, the split skb does not fit  
   anymore in the MTU and iptunnel_pmtud_build_icmp is called to  
   generate an ICMP fragmentation needed packet. This is done by reusing  
   the original (GSO!) skb. The GSO metadata is not cleared.  

4. The ICMP packet being sent back hits the OvS bridge again and because  
   skb_is_gso returns true, it goes through queue_gso_packets...  

5. ...where __skb_gso_segment is called. The skb is then dropped.  

6. Note that in the above example on re-transmission the skb won't be a  
   GSO one as it would be segmented (len > MSS) and the ICMP packet  
   should go through.  

Fix this by resetting the GSO information before reusing an skb in  
iptunnel_pmtud_build_icmp and iptunnel_pmtud_build_icmpv6.  

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")  
Reported-by: Adrian Moreno <amorenoz@redhat.com>  
Signed-off-by: Antoine Tenart <atenart@kernel.org>  
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>  
Link: https://patch.msgid.link/20250904125351.159740-1-atenart@kernel.org  
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Antoine Tenart atenart@redhat.com

Merge request reports