From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Guoyu Su <yss2813483011xxl@gmail.com>,
	 edumazet@google.com,  davem@davemloft.net,  kuba@kernel.org,
	 pabeni@redhat.com
Cc: willemdebruijn.kernel@gmail.com,  netdev@vger.kernel.org,
	 horms@kernel.org,  linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com,
	 syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com,
	 Guoyu Su <yss2813483011xxl@gmail.com>
Subject: Re: [PATCH net v6] net: use skb_header_pointer() for TCPv4 GSO frag_off
Date: Thu, 26 Mar 2026 12:25:13 -0400
Message-ID: <willemdebruijn.kernel.19f0cde3c6457@gmail.com>
In-Reply-To: <20260326121813.457049-1-yss2813483011xxl@gmail.com>

Guoyu Su wrote:
> Syzbot reported a KMSAN uninit-value warning in gso_features_check()
> called from netif_skb_features() [1].
> 
> gso_features_check() reads iph->frag_off to decide whether to clear
> mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()
> can rely on skb header offsets that are not always safe for direct
> dereference on packets injected from PF_PACKET paths.
> 
> Use skb_header_pointer() for the TCPv4 frag_off check so the header read
> is robust whether data is already linear or needs copying.
> 
> This also removes the SKB_GSO_DODGY special casing: skb_header_pointer()
> already fast-paths linear data, so a separate direct-access path is not
> needed.

Does not belong in the commit message. It's a diff vs the previous
version.
 
> [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
> 
> Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.1a9f35039caab@gmail.com/
> Fixes: cbc53e08a793 ("GSO: Add GSO type for fixed IPv4 ID")
> Reported-by: syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
> Tested-by: syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com
> Signed-off-by: Guoyu Su <yss2813483011xxl@gmail.com>
> ---
> v6:
>  - Use skb_header_pointer() for both DODGY and non-DODGY TCPv4 GSO
>    packets in gso_features_check().
>  - Drop the SKB_GSO_DODGY special-casing for IPv4 header access.
> 
> v5: https://lore.kernel.org/netdev/20260320141459.9691-1-yss2813483011xxl@gmail.com/
> v4: https://lore.kernel.org/netdev/20260319005421.14908-1-yss2813483011xxl@gmail.com/
> v3: https://lore.kernel.org/netdev/20260312104351.185370-1-yss2813483011xxl@gmail.com/
> v2: https://lore.kernel.org/netdev/20260308083319.1255118-1-yss2813483011xxl@gmail.com/
> v1: https://lore.kernel.org/netdev/20260307162905.3697050-1-yss2813483011xxl@gmail.com/
> 
>  net/core/dev.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 14a83f2035b9..8a15ca67cfed 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -3805,10 +3805,16 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
>  	 * segmentation-offloads.rst).
>  	 */
>  	if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) {
> -		struct iphdr *iph = skb->encapsulation ?
> -				    inner_ip_hdr(skb) : ip_hdr(skb);
> +		const struct iphdr *iph;
> +		struct iphdr _iph;
>  
> -		if (!(iph->frag_off & htons(IP_DF)))

minor: no whitespace in the middle of the variable definition block.
> +		int nhoff = skb->encapsulation ?
> +			    skb_inner_network_offset(skb) :
> +			    skb_network_offset(skb);
> +
> +		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
> +
> +		if (!iph || !(iph->frag_off & htons(IP_DF)))
>  			features &= ~dev->mangleid_features;
>  	}
>  
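Review bot: the `!iph` test in the final `if` introduces a failure path that neither the hunk nor the commit message documents. When skb_header_pointer() returns NULL the code falls through to `features &= ~dev->mangleid_features`, which is the conservative direction (an IPv4 header that cannot be read is treated as potentially fragmentable, so the device is not allowed to mangle the ID), but a reader of `if (!iph || !(iph->frag_off & htons(IP_DF)))` has to infer that. Suggest a one-line comment above the check, e.g. `/* Unreadable header: assume fragmentable, disable ID mangling */`, and a sentence in the commit message stating that the NULL case fails safe.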
> -- 
> 2.34.1
> 



Thread overview: 22+ messages
2026-03-07 16:29 [PATCH net] net: clear mangleid_features for SKB_GSO_DODGY TCPv4 Guoyu Su
2026-03-07 16:43 ` Eric Dumazet
2026-03-08  8:33 ` [PATCH net v2] net: use skb_header_pointer() in gso_features_check() for TCPv4 GSO Guoyu Su
2026-03-11  0:48   ` Jakub Kicinski
2026-03-12 10:43     ` [PATCH net v3] net: use skb_header_pointer() only for DODGY TCPv4 GSO skbs Guoyu Su
2026-03-17 10:22       ` Paolo Abeni
2026-03-19  0:54         ` [PATCH net v4] " Guoyu Su
2026-03-19 13:17           ` Willem de Bruijn
2026-03-20 14:14             ` [PATCH net v5] " Guoyu Su
2026-03-20 19:24               ` Willem de Bruijn
2026-03-21  1:36                 ` Willem de Bruijn
2026-03-21 15:31                   ` Scars
2026-03-21 20:58                     ` Willem de Bruijn
2026-03-22  4:26                       ` Guoyu Su
2026-03-23  3:36                         ` Willem de Bruijn
2026-03-24 10:40                           ` Guoyu Su
2026-03-26  3:12                             ` Willem de Bruijn
2026-03-26 12:18                               ` [PATCH net v6] net: use skb_header_pointer() for TCPv4 GSO frag_off Guoyu Su
2026-03-26 16:25                                 ` Willem de Bruijn [this message]
2026-03-27 15:35                                   ` [PATCH net v7] net: use skb_header_pointer() for TCPv4 GSO frag_off check Guoyu Su
2026-03-27 19:56                                     ` Willem de Bruijn
2026-03-31  0:40                                     ` patchwork-bot+netdevbpf
