Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's UDP Generic Segmentation Offload (GSO) handling. In the '__udp_gso_segment' function, the socket buffer (skb) destructor is removed before the skb is segmented, but the skb's socket reference is left in place. An skb in this state, with a socket reference but no destructor, becomes a problem if the original skb is later orphaned, because that triggers a kernel bug related to skb orphaning. The vulnerability can be triggered when using Open vSwitch (OVS) with a specific sequence of actions that sends data to userspace and then back through the network, which can orphan the skb and trigger the bug.
The vulnerability can cause a kernel bug related to socket buffer management, potentially leading to undefined behavior or system instability.
The vulnerability can be reproduced by configuring Open vSwitch to handle actions that involve both user space and output processing. When an OVS_ACTION_ATTR_USERSPACE action is executed, the socket buffer is segmented and sent to userspace. If this is followed by an OVS_ACTION_ATTR_OUTPUT action, the original socket buffer is sent back through the network. If the socket buffer is then orphaned, it triggers the kernel bug.
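The ownership mismatch described above, as a userspace model added here for illustration; it is not kernel code and not the upstream patch. The struct layout and the model_* and orphan_after_* names are assumptions, and model_orphan() mirrors the kernel's rule that an skb without a destructor must not still carry a socket reference when it is orphaned.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: the two skb fields the description refers to. */
struct sock { int wmem; };
struct skb {
    struct sock *sk;                   /* owning socket reference */
    void (*destructor)(struct skb *);  /* releases that reference */
};

static void model_wfree(struct skb *skb) { skb->sk->wmem--; }

/* Models the orphan step. Returns false where the kernel would hit its
 * BUG check: no destructor, but a socket reference still attached. */
static bool model_orphan(struct skb *skb)
{
    if (skb->destructor) {
        skb->destructor(skb);
        skb->destructor = NULL;
        skb->sk = NULL;
        return true;
    }
    return skb->sk == NULL;
}

/* State described on the page: destructor removed, sk left in place. */
static bool orphan_after_dtor_only_cleared(void)
{
    struct sock s = { .wmem = 1 };
    struct skb skb = { .sk = &s, .destructor = model_wfree };
    skb.destructor = NULL;             /* ownership only half removed */
    return model_orphan(&skb);         /* invariant violated */
}

/* Consistent state (assumption, for contrast): both fields cleared. */
static bool orphan_after_both_cleared(void)
{
    struct sock s = { .wmem = 1 };
    struct skb skb = { .sk = &s, .destructor = model_wfree };
    skb.destructor = NULL;
    skb.sk = NULL;
    return model_orphan(&skb);         /* nothing left to release */
}

int main(void)
{
    printf("dtor only: %s\n", orphan_after_dtor_only_cleared() ? "ok" : "BUG");
    printf("both:      %s\n", orphan_after_both_cleared() ? "ok" : "BUG");
    return 0;
}
```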