Fix an issue detected by syzbot with KMSAN

BUG: KMSAN: uninit-value in cfg80211_classify8021d+0x99d/0x12b0 net/wireless/util.c:1027

The function accessed DSCP fields from IP and IPv6 headers without first verifying that sufficient header data was present in the skb. When a packet reaches this path, the header dereference could access uninitialized memory, as reported by KMSAN under fuzzing with syzkaller.

Add explicit pskb_may_pull() checks for both IPv4 and IPv6 headers to ensure that the required header data is available before extracting the DSCP field. This prevents uninitialized memory reads while preserving existing behavior for valid packets.

This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link. Fixes the uninitialized header access.

Reported-by: syzbot+878ddc3962f792e9af59@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com./bug?extid=878ddc3962f792e9af59
Tested-by: syzbot+878ddc3962f792e9af59@syzkaller.appspotmail.com
Fixes: b156579b1404 ("Treat IPv6 diffserv the same as IPv4 for 802.11e")
Signed-off-by: Ranganath V N
---
validate header before DSCP read in cfg80211_classify8021d(). pskb_may_pull() checks before accessing header structures to ensure safe and fully initialized data access.
---
 net/wireless/util.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/wireless/util.c b/net/wireless/util.c index 56724b33af04..23bca5e687c1 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c
@@ -963,9 +963,13 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb, switch (skb->protocol) { case htons(ETH_P_IP): + if (!pskb_may_pull(skb, sizeof(struct iphdr))) + return 0; dscp = ipv4_get_dsfield(ip_hdr(skb)) & 0xfc; break; case htons(ETH_P_IPV6): + if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) + return 0; dscp = ipv6_get_dsfield(ipv6_hdr(skb)) & 0xfc; break; case htons(ETH_P_MPLS_UC): --- base-commit: ba36dd5ee6fd4643ebbf6ee6eefcecf0b07e35c7 change-id: 20251101-fifth-84c599edf594 Best regards, -- Ranganath V N
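Review bot: In both added checks (the ETH_P_IP and ETH_P_IPV6 cases) the length passed to pskb_may_pull() is counted from skb->data, while ip_hdr(skb) and ipv6_hdr(skb) read at the network header offset, so the check is only tied to the bytes being read if the two coincide on this path. If skb->data can still point at a link-layer header here, the guaranteed range is shifted by that header's length and does not span the full IP header. Consider checking `skb_network_offset(skb) + sizeof(struct iphdr)` (and the `struct ipv6hdr` equivalent), or reading the DS field through skb_header_pointer() at the network offset, which also avoids a call that may reallocate the skb head inside a classification helper. The commit message should also state why `return 0` is the intended priority for a truncated packet, since it bypasses whatever follows the switch.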