From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Guoyu Su <yss2813483011xxl@gmail.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: edumazet@google.com, davem@davemloft.net, kuba@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org, horms@kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com
Subject: Re: [PATCH net v5] net: use skb_header_pointer() only for DODGY TCPv4 GSO skbs
Date: Wed, 25 Mar 2026 23:12:08 -0400 [thread overview]
Message-ID: <willemdebruijn.kernel.1a9f35039caab@gmail.com> (raw)
In-Reply-To: <CAMa1Pe7Pn5+TTnsnX3yQD02sf1JiuYfnxt3==jCSeWB44rJs+w@mail.gmail.com>
Guoyu Su wrote:
> > Perhaps you're running a different repro from the one I used. Which is
> > the C repro from the run at commit ca4ee40bf13d.
Thanks for verifying.
> I reran with the exact ReproC from that run:
> https://syzkaller.appspot.com/text?tag=ReproC&x=10e3fe5a580000
> (commit ca4ee40bf13d), rebuilt locally, and reran.
>
> > I see that the virtio_net_hdr has hdr_len 106 and csum_start 88.
> > Those are fine. Same for your repro?
>
> Yes, same in my run as well:
> vnet_hlen=106, vnet_csum_start=88 (first 20 dumps are consistent).
>
> > The question is how skb->network_header can be greater than
> > skb->transport_header right after virtio_net_hdr_to_skb.
>
> From my instrumentation on the same skb in packet_snd():
> - packet_parse_headers() sets netoff from device L2 layout:
> hard_hlen=172 on ip6gretap0, so netoff=172.
I don't see this, but hard coding it gets the same issue.
More importantly, I took a closer look at a fix.
Unfortunately skb_network_offset cannot be trusted for link layers
with variable length headers. With SOCK_RAW it is the worst case
hard_header_length. PF_PACKET is network layer agnostic, and with
SOCK_RAW on variable length link layer packets, nothing communicates
this.
So, a straightforward check like this may have false positives where
a valid packet is shorter than this worst case estimation of network
offset.
@@ -103,7 +103,7 @@ static inline int __virtio_net_hdr_to_skb(struct sk_buff *skb,
if (!skb_partial_csum_set(skb, start, off))
return -EINVAL;
- if (skb_transport_offset(skb) < nh_min_len)
+ if (skb_transport_offset(skb) < skb_network_offset(skb) + nh_min_len)
As a result, I don't see any test we can do at this point that will
not have false positives.
Only for GSO packets is there downstream code that requires the network header
and that assumes this header starts at skb->network_header. __skb_gso_segment
calls skb_reset_mac_len(skb) and parses the headers in skb_mac_gso_segment and
skb_network_protocol robustly using skb_header_pointer and pskb_may_pull.
We can at this entry point anticipate reaching that code and add an
extra branch if gso_type. But might as well just make robust the one access in
the GSO path that is not yet.
So in short your original approach is probably preferable.
Please do add a Link: to this thread.
And one more thing: skb_header_pointer already takes the fast path of
just returning the offset if within linear. No need to special case
the DODGY vs non-DODGY path.
~
~
~
~
~
next prev parent reply other threads:[~2026-03-26 3:12 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-07 16:29 [PATCH net] net: clear mangleid_features for SKB_GSO_DODGY TCPv4 Guoyu Su
2026-03-07 16:43 ` Eric Dumazet
2026-03-08 8:33 ` [PATCH net v2] net: use skb_header_pointer() in gso_features_check() for TCPv4 GSO Guoyu Su
2026-03-11 0:48 ` Jakub Kicinski
2026-03-12 10:43 ` [PATCH net v3] net: use skb_header_pointer() only for DODGY TCPv4 GSO skbs Guoyu Su
2026-03-17 10:22 ` Paolo Abeni
2026-03-19 0:54 ` [PATCH net v4] " Guoyu Su
2026-03-19 13:17 ` Willem de Bruijn
2026-03-20 14:14 ` [PATCH net v5] " Guoyu Su
2026-03-20 19:24 ` Willem de Bruijn
2026-03-21 1:36 ` Willem de Bruijn
2026-03-21 15:31 ` Scars
2026-03-21 20:58 ` Willem de Bruijn
2026-03-22 4:26 ` Guoyu Su
2026-03-23 3:36 ` Willem de Bruijn
2026-03-24 10:40 ` Guoyu Su
2026-03-26 3:12 ` Willem de Bruijn [this message]
2026-03-26 12:18 ` [PATCH net v6] net: use skb_header_pointer() for TCPv4 GSO frag_off Guoyu Su
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=willemdebruijn.kernel.1a9f35039caab@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yss2813483011xxl@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox