On Tue, 1 Dec 2020 01:05:07 -0800 Eric Dumazet wrote:
> From: Eric Dumazet <eduma...@google.com>
>
> IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
> IP header is already pulled.
>
> geneve does not ensure this yet.
>
> Fixing this generically in IP_ECN_decapsulate() and
> IP6_ECN_decapsulate() is not possible, since callers
> pass a pointer that might be freed by pskb_may_pull()
>
> syzbot reported :
>
> BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
> BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
>
> Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: syzbot <syzkal...@googlegroups.com>

Applied, thanks!
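
A userspace model of the constraint described in the quoted commit message, added here as an illustration (not code from the patch or the kernel): a pull operation may reallocate the buffer head, so the caller has to pull the inner header before deriving the header pointer it reads ECN from. The names `pkt`, `pkt_may_pull`, `inner_ecn` and `demo`, and the 8-byte tunnel header, are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (not kernel code): first `linear` bytes are in head, rest in frag. */
struct pkt { uint8_t *head; size_t linear; const uint8_t *frag; size_t frag_len; };

/* Stand-in for pskb_may_pull(): make `len` bytes linear. It may reallocate
 * head, so a header pointer computed before the call can dangle. */
static int pkt_may_pull(struct pkt *p, size_t len)
{
    if (len <= p->linear) return 1;
    size_t need = len - p->linear;
    if (need > p->frag_len) return 0;      /* truncated packet */
    uint8_t *nh = malloc(len);
    if (!nh) return 0;
    memcpy(nh, p->head, p->linear);
    memcpy(nh + p->linear, p->frag, need);
    free(p->head);                         /* old head is freed here */
    p->head = nh; p->linear = len;
    p->frag += need; p->frag_len -= need;
    return 1;
}

/* Caller-side order: pull the inner IPv4 header, then take the pointer,
 * then read ECN (low two bits of the TOS byte). Returns -1 to drop. */
static int inner_ecn(struct pkt *p, size_t inner_off)
{
    if (!pkt_may_pull(p, inner_off + 20)) return -1;
    const uint8_t *iph = p->head + inner_off;  /* derived after the pull */
    return iph[1] & 0x3;
}

/* Constructed input: 8 linear tunnel bytes, inner header (TOS 0x03) in frag. */
static int demo(size_t frag_len)
{
    static const uint8_t inner[20] = { 0x45, 0x03 };
    struct pkt p = { calloc(1, 8), 8, inner, frag_len };
    if (!p.head) return -2;
    int ecn = inner_ecn(&p, 8);
    free(p.head);
    return ecn;
}

int main(void)
{
    printf("full=%d truncated=%d\n", demo(20), demo(10));
    return 0;
}
```

Reading `iph[1]` without the pull would touch bytes past the 8 initialized linear bytes, which is the kind of access the KMSAN uninit-value report flags.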