Commit ddc748a3 authored Mar 27, 2026 by Guoyu Su Committed by Jakub Kicinski Mar 30, 2026

net: use skb_header_pointer() for TCPv4 GSO frag_off check

Syzbot reported a KMSAN uninit-value warning in gso_features_check()
called from netif_skb_features() [1].

gso_features_check() reads iph->frag_off to decide whether to clear
mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()
can rely on skb header offsets that are not always safe for direct
dereference on packets injected from PF_PACKET paths.

Use skb_header_pointer() for the TCPv4 frag_off check so the header read
is robust whether data is already linear or needs copying.

[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407

Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.1a9f35039caab@gmail.com/


Fixes: cbc53e08 ("GSO: Add GSO type for fixed IPv4 ID")
Reported-by:  <syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407


Tested-by:  <syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com>
Signed-off-by: Guoyu Su <yss2813483011xxl@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260327153507.39742-1-yss2813483011xxl@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 514aac35

net/core/dev.c

+8 −3

Original line number	Diff line number	Diff line
		@@ -3821,10 +3821,15 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
		* segmentation-offloads.rst).
		*/
		if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) {
		struct iphdr *iph = skb->encapsulation ?
		inner_ip_hdr(skb) : ip_hdr(skb);
		const struct iphdr *iph;
		struct iphdr _iph;
		int nhoff = skb->encapsulation ?
		skb_inner_network_offset(skb) :
		skb_network_offset(skb);

		if (!(iph->frag_off & htons(IP_DF)))
		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);

		if (!iph \|\| !(iph->frag_off & htons(IP_DF)))
		features &= ~dev->mangleid_features;
		}