Syzbot reported a KMSAN uninit-value warning in netif_skb_features() [1], which originates from gso_features_check(): BUG: KMSAN: uninit-value in gso_features_check net/core/dev.c:3804 [inline] BUG: KMSAN: uninit-value in netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828 gso_features_check net/core/dev.c:3804 [inline] netif_skb_features+0x6fb/0x1870 net/core/dev.c:3828 validate_xmit_skb+0xb6/0x2400 net/core/dev.c:4003 ... __dev_queue_xmit+0x3016/0x5a50 net/core/dev.c:4795 packet_snd net/packet/af_packet.c:3077 [inline] packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109 SKB_GSO_DODGY marks packets whose GSO-related header metadata should be treated as untrusted (for example, packets injected via AF_PACKET). gso_features_check() checks IP_DF through iph->frag_off for SKB_GSO_TCPV4 packets. For DODGY packets with untrusted metadata, this may result in a KMSAN uninit-value report. Handle such packets conservatively by clearing mangleid_features when SKB_GSO_DODGY is set, without relying on iph->frag_off. [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407 Reported-by: syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com Tested-by: syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68e4b5d8.050a0220.256323.0018.GAE@google.com/T/ Signed-off-by: Guoyu Su --- net/core/dev.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/core/dev.c b/net/core/dev.c index 14a83f2035b9..9b19154b6f7f 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3808,7 +3808,12 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, struct iphdr *iph = skb->encapsulation ? inner_ip_hdr(skb) : ip_hdr(skb); - if (!(iph->frag_off & htons(IP_DF))) + /* SKB_GSO_DODGY packets carry untrusted L3/L4 header metadata. + * Avoid dereferencing IPv4 header fields and conservatively + * clear mangleid support in that case. + */ + if ((skb_shinfo(skb)->gso_type & SKB_GSO_DODGY) || + !(iph->frag_off & htons(IP_DF))) features &= ~dev->mangleid_features; } -- 2.34.1