From: Ranganath V N
To: johannes@sipsolutions.net, dave.taht@bufferbloat.net, linville@tuxdriver.com
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Ranganath V N, syzbot+878ddc3962f792e9af59@syzkaller.appspotmail.com
Subject: [PATCH v3] wifi: cfg80211: Fix uninitialized header access in cfg80211_classify8021d
Date: Tue, 18 Nov 2025 20:35:24 +0530
Message-ID: <20251118150524.7973-1-vnranganath.20@gmail.com>
X-Mailer: git-send-email 2.43.0

Fix an issue detected by syzbot with KMSAN:

BUG: KMSAN: uninit-value in cfg80211_classify8021d+0x99d/0x12b0 net/wireless/util.c:1027

The function accessed DSCP fields from IP and IPv6 headers without first verifying that sufficient header data was present in the skb. When a packet reaches this path, the header dereference could access uninitialized memory, as reported by KMSAN under fuzzing with syzkaller.

Add explicit skb_header_pointer() checks for both IPv4 and IPv6 headers to ensure that the required header data is available before extracting the DSCP field. This prevents uninitialized memory reads while preserving existing behavior for valid packets.

This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link. Fixes the uninitialized header access.

Reported-by: syzbot+878ddc3962f792e9af59@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com./bug?extid=878ddc3962f792e9af59
Tested-by: syzbot+878ddc3962f792e9af59@syzkaller.appspotmail.com
Fixes: b156579b1404 ("wireless: Treat IPv6 diffserv the same as IPv4 for 802.11e")
Signed-off-by: Ranganath V N
---
Validate the header before the DSCP read in cfg80211_classify8021d(). skb_header_pointer() checks before accessing the header structures ensure safe and fully initialized data access.

Changes in v3:
- Corrected the code by using the correct offset past the header, similar to the existing MPLS handling logic.
- Link to v2: https://lore.kernel.org/all/20251108-fifth-v2-1-405da01c6684@gmail.com

Changes in v2:
- Corrected the commit subject and Fixes tag.
- Link to v1: https://lore.kernel.org/r/20251103-fifth-v1-1-4a221737ddfe@gmail.com
---
 net/wireless/util.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/net/wireless/util.c b/net/wireless/util.c index 56724b33af04..f2a6644d854e 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -963,9 +963,23 @@ unsigned int cfg80211_classify8021d(struct sk_buff *sk= b, =20 switch (skb->protocol) { case htons(ETH_P_IP): + struct iphdr iph, *ip; + + ip =3D skb_header_pointer(skb, sizeof(struct ethhdr), + sizeof(*ip), &iph); + if (!ip) + return 0; + dscp =3D ipv4_get_dsfield(ip_hdr(skb)) & 0xfc; break; case htons(ETH_P_IPV6): + struct ipv6hdr ip6h, *ip6; + + ip6 =3D skb_header_pointer(skb, sizeof(struct ethhdr), + sizeof(*ip6), &ip6h); + if (!ip6) + return 0; + dscp =3D ipv6_get_dsfield(ipv6_hdr(skb)) & 0xfc; break; case htons(ETH_P_MPLS_UC): --=20 2.43.0
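Review bot: the pointer that skb_header_pointer() validates is never the one that is dereferenced. In both the ETH_P_IP and ETH_P_IPV6 branches `ip` / `ip6` only feed the NULL check, while the DSCP is still read through `ip_hdr(skb)` / `ipv6_hdr(skb)`, which resolve via skb->network_header rather than the `sizeof(struct ethhdr)` offset that was just checked; if those two offsets disagree, the unchecked read KMSAN flagged is still there. Take the field from the checked copy instead, e.g. `dscp = ipv4_get_dsfield(ip) & 0xfc;` and `dscp = ipv6_get_dsfield(ip6) & 0xfc;`, at which point the local struct copies are actually used for something. Separately, `struct iphdr iph, *ip;` sits directly after `case htons(ETH_P_IP):` with no enclosing braces; a declaration immediately following a case label is a newer-C extension that older GCC releases the kernel still supports reject, so wrap each new case body in `{ }` or hoist the declarations to the top of the function.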
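As an added userspace illustration of the check this patch introduces (not code from the patch or from the kernel), the model below uses a stand-in for skb_header_pointer() that hands out header bytes only when the frame really contains them, and then reads the DSCP exclusively through that validated pointer before mapping it to an 802.1d priority the way cfg80211_classify8021d() does (DSCP masked with 0xfc, shifted right by 5). The hdr_ptr, classify8021d and demo_* names and the sample frames are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

enum { ETH_HLEN = 14, ETH_P_IP = 0x0800, ETH_P_IPV6 = 0x86DD,
       IPV4_HDR_MIN = 20, IPV6_HDR_LEN = 40 };

/* Userspace stand-in for skb_header_pointer(): return a pointer to `len`
 * bytes at `off` only when the frame actually contains them, else NULL. */
static const uint8_t *hdr_ptr(const uint8_t *f, size_t flen, size_t off, size_t len)
{
	if (off > flen || len > flen - off)
		return NULL;
	return f + off;
}

/* Mirrors cfg80211_classify8021d(): (ToS / traffic class & 0xfc) >> 5 is the
 * 802.1d user priority 0..7; a frame too short for the IP header yields 0. */
int classify8021d(const uint8_t *f, size_t flen)
{
	const uint8_t *h;
	unsigned int dscp;
	if (flen < ETH_HLEN)
		return 0;
	switch (f[12] << 8 | f[13]) {				/* EtherType */
	case ETH_P_IP:
		if (!(h = hdr_ptr(f, flen, ETH_HLEN, IPV4_HDR_MIN)))
			return 0;
		dscp = h[1] & 0xfc;				/* IPv4 ToS byte */
		break;
	case ETH_P_IPV6:
		if (!(h = hdr_ptr(f, flen, ETH_HLEN, IPV6_HDR_LEN)))
			return 0;
		dscp = ((h[0] & 0x0f) << 4 | h[1] >> 4) & 0xfc;	/* traffic class */
		break;
	default:
		return 0;
	}
	return dscp >> 5;
}

/* Constructed sample frames: only the EtherType and the leading IP header
 * bytes are set. EF marking (ToS 0xb8, DSCP 46) maps to user priority 5. */
static const uint8_t ip4_ef[ETH_HLEN + IPV4_HDR_MIN] = {
	[12] = 0x08, [13] = 0x00, [14] = 0x45, [15] = 0xb8 };
static const uint8_t ip6_ef[ETH_HLEN + IPV6_HDR_LEN] = {
	[12] = 0x86, [13] = 0xdd, [14] = 0x6b, [15] = 0x80 };
int demo_ipv4_ef(void)   { return classify8021d(ip4_ef, sizeof(ip4_ef)); }
int demo_ipv6_ef(void)   { return classify8021d(ip6_ef, sizeof(ip6_ef)); }
/* Same IPv6 frame cut off 8 bytes into its header: an unchecked read would
 * touch bytes never received; the checked path falls back to priority 0. */
int demo_truncated(void) { return classify8021d(ip6_ef, ETH_HLEN + 8); }
```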