Re: [PATCH net v7] net: use skb_header_pointer() for TCPv4 GSO frag_off check

From: Willem de Bruijn

Date: Fri Mar 27 2026 - 16:02:28 EST


Guoyu Su wrote:
> Syzbot reported a KMSAN uninit-value warning in gso_features_check()
> called from netif_skb_features() [1].
>
> gso_features_check() reads iph->frag_off to decide whether to clear
> mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()
> can rely on skb header offsets that are not always safe for direct
> dereference on packets injected from PF_PACKET paths.
>
> Use skb_header_pointer() for the TCPv4 frag_off check so the header read
> is robust whether data is already linear or needs copying.
>
> [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
>
> Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.1a9f35039caab@xxxxxxxxx/
> Fixes: cbc53e08a793 ("GSO: Add GSO type for fixed IPv4 ID")
> Reported-by: syzbot+1543a7d954d9c6d00407@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
> Tested-by: syzbot+1543a7d954d9c6d00407@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Guoyu Su <yss2813483011xxl@xxxxxxxxx>

Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>

Sashiko asks about similar inner_ip_hdr in skb_gso_has_extension_hdr,
but userspace cannot set skb->encapsulation, so that's a false positive.
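To make concrete why the quoted commit message prefers skb_header_pointer() over a direct ip_hdr()/inner_ip_hdr() dereference for the frag_off check, here is an added userspace model (not kernel code, not the patch under review) of a toy skb with a linear region plus one fragment. The toy_* names, the 34-byte Ethernet+IPv4 sample packets and the -1 "header unreadable" result are the example's own assumptions; how the real patch behaves when the header cannot be read is not stated on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Minimal IPv4 header layout; frag_off sits at byte offset 6 (constructed). */
struct toy_iphdr {
    uint8_t  ihl_version;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;   /* network byte order; DF flag is 0x4000 */
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};
#define TOY_IP_DF 0x4000

/* Toy skb: a linear region followed by a single fragment (constructed model). */
struct toy_skb {
    const uint8_t *linear; size_t linear_len;
    const uint8_t *frag;   size_t frag_len;
    size_t network_offset; /* where the IPv4 header starts within the packet */
};

static size_t toy_skb_len(const struct toy_skb *skb)
{
    return skb->linear_len + skb->frag_len;
}

/* Model of skb_copy_bits(): copy len bytes from offset, crossing the
 * linear/fragment boundary. Returns 0 on success, -1 if out of range. */
static int toy_skb_copy_bits(const struct toy_skb *skb, size_t offset,
                             void *to, size_t len)
{
    uint8_t *dst = to;
    size_t copied = 0;

    if (offset + len > toy_skb_len(skb))
        return -1;
    while (copied < len) {
        size_t pos = offset + copied;
        size_t n = len - copied;
        if (pos < skb->linear_len) {
            if (n > skb->linear_len - pos)
                n = skb->linear_len - pos;
            memcpy(dst + copied, skb->linear + pos, n);
        } else {
            memcpy(dst + copied, skb->frag + (pos - skb->linear_len), n);
        }
        copied += n;
    }
    return 0;
}

/* Model of skb_header_pointer(): hand back a direct pointer only when all
 * requested bytes are in the linear region; otherwise copy them into the
 * caller's buffer, or return NULL if the packet is too short. A plain
 * ip_hdr() dereference has no such bounds check. */
static const void *toy_skb_header_pointer(const struct toy_skb *skb, size_t offset,
                                          size_t len, void *buffer)
{
    if (offset + len <= skb->linear_len)
        return skb->linear + offset;
    if (toy_skb_copy_bits(skb, offset, buffer, len) < 0)
        return NULL;
    return buffer;
}

/* The frag_off check from the commit message: 1 if DF is set (IP ID may be
 * mangled by TSO), 0 if DF is clear, -1 if the header cannot be read. */
static int toy_tcpv4_df_set(const struct toy_skb *skb)
{
    struct toy_iphdr hdr;
    uint16_t frag_off;
    const uint8_t *iph = toy_skb_header_pointer(skb, skb->network_offset,
                                                sizeof(hdr), &hdr);
    if (!iph)
        return -1;
    memcpy(&frag_off, iph + offsetof(struct toy_iphdr, frag_off), sizeof(frag_off));
    return (frag_off & htons(TOY_IP_DF)) ? 1 : 0;
}

/* Constructed scenario: a 14-byte Ethernet header plus a 20-byte IPv4 header,
 * total_len bytes present, the first linear_len of them in the linear region. */
static int toy_scenario(size_t total_len, size_t linear_len, uint16_t frag_off_host)
{
    uint8_t pkt[34];
    uint16_t fo = htons(frag_off_host);
    struct toy_skb skb;

    if (total_len > sizeof(pkt)) total_len = sizeof(pkt);
    if (linear_len > total_len) linear_len = total_len;
    memset(pkt, 0, sizeof(pkt));
    pkt[14] = 0x45;                 /* IPv4, IHL 5 */
    memcpy(&pkt[14 + 6], &fo, 2);   /* frag_off field */
    skb.linear = pkt;               skb.linear_len = linear_len;
    skb.frag = pkt + linear_len;    skb.frag_len = total_len - linear_len;
    skb.network_offset = 14;
    return toy_tcpv4_df_set(&skb);
}

int main(void)
{
    printf("all linear, DF set:        %d\n", toy_scenario(34, 34, TOY_IP_DF));
    printf("header split, DF set:      %d\n", toy_scenario(34, 16, TOY_IP_DF));
    printf("all in fragment, DF clear: %d\n", toy_scenario(34, 0, 0));
    printf("truncated header:          %d\n", toy_scenario(20, 20, TOY_IP_DF));
    return 0;
}
```

The split and all-in-fragment cases are the ones a direct header pointer gets wrong: the bytes the check needs are not in the linear area, so the copy path is what makes the read well defined regardless of how the packet was injected.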