Re: [PATCH net] net: clear mangleid_features for SKB_GSO_DODGY TCPv4
0 views
Skip to first unread message
Eric Dumazet
Mar 7, 2026, 11:43:42 AM (3 days ago) Mar 7
to Guoyu Su, da...@davemloft.net, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, ho...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+1543a7...@syzkaller.appspotmail.com
On Sat, Mar 7, 2026 at 5:29 PM Guoyu Su <yss28134...@gmail.com> wrote:
>
> Syzbot reported a KMSAN uninit-value warning in netif_skb_features() [1], which originates from gso_features_check():
>
> BUG: KMSAN: uninit-value in gso_features_check net/core/dev.c:3804 [inline]
> BUG: KMSAN: uninit-value in netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
> gso_features_check net/core/dev.c:3804 [inline]
> netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
> validate_xmit_skb+0xb6/0x2400 net/core/dev.c:4003
> ...
> __dev_queue_xmit+0x3016/0x5a50 net/core/dev.c:4795
> packet_snd net/packet/af_packet.c:3077 [inline]
> packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
>
> SKB_GSO_DODGY marks packets whose GSO-related header metadata should be treated as untrusted (for example, packets injected via AF_PACKET).
>
> gso_features_check() checks IP_DF through iph->frag_off for SKB_GSO_TCPV4 packets. For DODGY packets with untrusted metadata, this may result in a KMSAN uninit-value report.
>
> Handle such packets conservatively by clearing mangleid_features when SKB_GSO_DODGY is set, without relying on iph->frag_off.
>
> [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
>
> Reported-by: syzbot+1543a7...@syzkaller.appspotmail.com
> Tested-by: syzbot+1543a7...@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/68e4b5d8.050a022...@google.com/T/
> Signed-off-by: Guoyu Su <yss28134...@gmail.com>
Missing FIxes: tag. Please help us.
> ---
> net/core/dev.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 14a83f2035b9..9b19154b6f7f 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -3808,7 +3808,12 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
> struct iphdr *iph = skb->encapsulation ?
> inner_ip_hdr(skb) : ip_hdr(skb);
>
> - if (!(iph->frag_off & htons(IP_DF)))
> + /* SKB_GSO_DODGY packets carry untrusted L3/L4 header metadata.
> + * Avoid dereferencing IPv4 header fields and conservatively
> + * clear mangleid support in that case.
> + */
> + if ((skb_shinfo(skb)->gso_type & SKB_GSO_DODGY) ||
> + !(iph->frag_off & htons(IP_DF)))
> features &= ~dev->mangleid_features;
> }
You are not really fixing the bug, you hide it with another.
Please take a look at qdisc_pkt_len_segs_init() for a hint.
>
> Syzbot reported a KMSAN uninit-value warning in netif_skb_features() [1], which originates from gso_features_check():
>
> BUG: KMSAN: uninit-value in gso_features_check net/core/dev.c:3804 [inline]
> BUG: KMSAN: uninit-value in netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
> gso_features_check net/core/dev.c:3804 [inline]
> netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
> validate_xmit_skb+0xb6/0x2400 net/core/dev.c:4003
> ...
> __dev_queue_xmit+0x3016/0x5a50 net/core/dev.c:4795
> packet_snd net/packet/af_packet.c:3077 [inline]
> packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
>
> SKB_GSO_DODGY marks packets whose GSO-related header metadata should be treated as untrusted (for example, packets injected via AF_PACKET).
>
> gso_features_check() checks IP_DF through iph->frag_off for SKB_GSO_TCPV4 packets. For DODGY packets with untrusted metadata, this may result in a KMSAN uninit-value report.
>
> Handle such packets conservatively by clearing mangleid_features when SKB_GSO_DODGY is set, without relying on iph->frag_off.
>
> [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
>
> Reported-by: syzbot+1543a7...@syzkaller.appspotmail.com
> Tested-by: syzbot+1543a7...@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/68e4b5d8.050a022...@google.com/T/
> Signed-off-by: Guoyu Su <yss28134...@gmail.com>
Missing FIxes: tag. Please help us.
> ---
> net/core/dev.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 14a83f2035b9..9b19154b6f7f 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -3808,7 +3808,12 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
> struct iphdr *iph = skb->encapsulation ?
> inner_ip_hdr(skb) : ip_hdr(skb);
>
> - if (!(iph->frag_off & htons(IP_DF)))
> + /* SKB_GSO_DODGY packets carry untrusted L3/L4 header metadata.
> + * Avoid dereferencing IPv4 header fields and conservatively
> + * clear mangleid support in that case.
> + */
> + if ((skb_shinfo(skb)->gso_type & SKB_GSO_DODGY) ||
> + !(iph->frag_off & htons(IP_DF)))
> features &= ~dev->mangleid_features;
> }
You are not really fixing the bug, you hide it with another.
Please take a look at qdisc_pkt_len_segs_init() for a hint.
Guoyu Su
Mar 7, 2026, 2:07:37 PM (2 days ago) Mar 7
to da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, ho...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+1543a7...@syzkaller.appspotmail.com, Guoyu Su
Syzbot reported a KMSAN uninit-value warning in netif_skb_features() [1], which originates from gso_features_check():
BUG: KMSAN: uninit-value in gso_features_check net/core/dev.c:3804 [inline]
BUG: KMSAN: uninit-value in netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
gso_features_check net/core/dev.c:3804 [inline]
netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
validate_xmit_skb+0xb6/0x2400 net/core/dev.c:4003
...
__dev_queue_xmit+0x3016/0x5a50 net/core/dev.c:4795
packet_snd net/packet/af_packet.c:3077 [inline]
packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
SKB_GSO_DODGY marks packets whose GSO-related header metadata should be treated as untrusted (for example, packets injected via AF_PACKET).
gso_features_check() checks IP_DF through iph->frag_off for SKB_GSO_TCPV4 packets. For DODGY packets with untrusted metadata, this may result in a KMSAN uninit-value report.
Handle such packets conservatively by clearing mangleid_features when SKB_GSO_DODGY is set, without relying on iph->frag_off.
[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
Reported-by: syzbot+1543a7...@syzkaller.appspotmail.com
Tested-by: syzbot+1543a7...@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68e4b5d8.050a022...@google.com/T/
Signed-off-by: Guoyu Su <yss28134...@gmail.com>
BUG: KMSAN: uninit-value in gso_features_check net/core/dev.c:3804 [inline]
BUG: KMSAN: uninit-value in netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
gso_features_check net/core/dev.c:3804 [inline]
netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
validate_xmit_skb+0xb6/0x2400 net/core/dev.c:4003
...
__dev_queue_xmit+0x3016/0x5a50 net/core/dev.c:4795
packet_snd net/packet/af_packet.c:3077 [inline]
packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
SKB_GSO_DODGY marks packets whose GSO-related header metadata should be treated as untrusted (for example, packets injected via AF_PACKET).
gso_features_check() checks IP_DF through iph->frag_off for SKB_GSO_TCPV4 packets. For DODGY packets with untrusted metadata, this may result in a KMSAN uninit-value report.
Handle such packets conservatively by clearing mangleid_features when SKB_GSO_DODGY is set, without relying on iph->frag_off.
[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
Reported-by: syzbot+1543a7...@syzkaller.appspotmail.com
Tested-by: syzbot+1543a7...@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68e4b5d8.050a022...@google.com/T/
Signed-off-by: Guoyu Su <yss28134...@gmail.com>
---
net/core/dev.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 14a83f2035b9..9b19154b6f7f 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3808,7 +3808,12 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
struct iphdr *iph = skb->encapsulation ?
inner_ip_hdr(skb) : ip_hdr(skb);
- if (!(iph->frag_off & htons(IP_DF)))
+ /* SKB_GSO_DODGY packets carry untrusted L3/L4 header metadata.
+ * Avoid dereferencing IPv4 header fields and conservatively
+ * clear mangleid support in that case.
+ */
+ if ((skb_shinfo(skb)->gso_type & SKB_GSO_DODGY) ||
+ !(iph->frag_off & htons(IP_DF)))
features &= ~dev->mangleid_features;
}
--
net/core/dev.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 14a83f2035b9..9b19154b6f7f 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3808,7 +3808,12 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
struct iphdr *iph = skb->encapsulation ?
inner_ip_hdr(skb) : ip_hdr(skb);
- if (!(iph->frag_off & htons(IP_DF)))
+ /* SKB_GSO_DODGY packets carry untrusted L3/L4 header metadata.
+ * Avoid dereferencing IPv4 header fields and conservatively
+ * clear mangleid support in that case.
+ */
+ if ((skb_shinfo(skb)->gso_type & SKB_GSO_DODGY) ||
+ !(iph->frag_off & htons(IP_DF)))
features &= ~dev->mangleid_features;
}
2.34.1
Guoyu Su
Mar 8, 2026, 4:33:44 AM (2 days ago) Mar 8
to edum...@google.com, da...@davemloft.net, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org, ho...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+1543a7...@syzkaller.appspotmail.com, Guoyu Su
Syzbot reported a KMSAN uninit-value warning in netif_skb_features() [1],
which originates from gso_features_check():
BUG: KMSAN: uninit-value in gso_features_check net/core/dev.c:3804 [inline]
BUG: KMSAN: uninit-value in netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
gso_features_check net/core/dev.c:3804 [inline]
netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
validate_xmit_skb+0xb6/0x2400 net/core/dev.c:4003
...
__dev_queue_xmit+0x3016/0x5a50 net/core/dev.c:4795
packet_snd net/packet/af_packet.c:3077 [inline]
packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
The current code dereferences iph->frag_off directly to decide whether to
which originates from gso_features_check():
BUG: KMSAN: uninit-value in gso_features_check net/core/dev.c:3804 [inline]
BUG: KMSAN: uninit-value in netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
gso_features_check net/core/dev.c:3804 [inline]
netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828
validate_xmit_skb+0xb6/0x2400 net/core/dev.c:4003
...
__dev_queue_xmit+0x3016/0x5a50 net/core/dev.c:4795
packet_snd net/packet/af_packet.c:3077 [inline]
packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
clear mangleid_features. For malformed or truncated skb data, this can
read invalid/uninitialized header bytes.
Use skb_header_pointer() to read the IPv4 header safely from either the
outer or inner network header offset. If the header is not accessible,
conservatively clear mangleid_features.
This keeps the original behavior for valid packets while fixing the unsafe
header access pattern.
[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
Fixes: cbc53e08a793 ("GSO: Add GSO type for fixed IPv4 ID")
Reported-by: syzbot+1543a7...@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68e4b5d8.050a022...@google.com/T/
Tested-by: syzbot+1543a7...@syzkaller.appspotmail.com
v2:
- Drop the SKB_GSO_DODGY shortcut.
- Use skb_header_pointer() for safe IPv4 header access.
- Add missing Fixes tag as requested.
v1: https://lore.kernel.org/netdev/20260307162905.36970...@gmail.com/
net/core/dev.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 14a83f2035b9..c70263654680 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3805,10 +3805,13 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
* segmentation-offloads.rst).
*/
if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) {
- struct iphdr *iph = skb->encapsulation ?
- inner_ip_hdr(skb) : ip_hdr(skb);
+ struct iphdr _iph;
+ const struct iphdr *iph;
+ int nhoff = skb->encapsulation ?
+ skb_inner_network_offset(skb) : skb_network_offset(skb);
- if (!(iph->frag_off & htons(IP_DF)))
+ if (!iph || !(iph->frag_off & htons(IP_DF)))
Reply all
Reply to author
Forward
0 new messages