From: Willem de Bruijn <willemdebruijn.ker...@gmail.com>
Date: Mon, 30 Apr 2018 15:58:36 -0400
> From: Willem de Bruijn <will...@google.com>
>
> Syzbot managed to send a udp gso packet without checksum offload into
> the gso stack by disabling tx checksum (UDP_NO_CHECK6_TX).
Impressive...
> This triggered the skb_warn_bad_offload.
>
> RIP: 0010:skb_warn_bad_offload+0x2bc/0x600 net/core/dev.c:2658
> skb_gso_segment include/linux/netdevice.h:4038 [inline]
> validate_xmit_skb+0x54d/0xd90 net/core/dev.c:3120
> __dev_queue_xmit+0xbf8/0x34c0 net/core/dev.c:3577
> dev_queue_xmit+0x17/0x20 net/core/dev.c:3618
>
> UDP_NO_CHECK6_TX sets skb->ip_summed to CHECKSUM_NONE just after the
> udp gso integrity checks in udp_(v6_)send_skb. Extend those checks to
> catch and fail in this case.
>
> After the integrity checks jump directly to the CHECKSUM_PARTIAL case
> to avoid reading the no_check_tx flags again (a TOCTTOU race).
>
> Fixes: bec1f6f69736 ("udp: generate gso with UDP_SEGMENT")
> Signed-off-by: Willem de Bruijn <will...@google.com>
Applied, thanks Willem.
