[PATCH net-next v1 2/2] net: add DEBUG_NET_WARN_ON_ONCE for negative transport offset

Next message: Alex Williamson: "[GIT PULL] VFIO updates for v7.1-rc1"
Previous message: Jiayuan Chen: "[PATCH net v1 1/2] net: tunnel: fix stale transport header after GRE/TEB decap"
In reply to: Jiayuan Chen: "[PATCH net v1 1/2] net: tunnel: fix stale transport header after GRE/TEB decap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiayuan Chen

Date: Wed Apr 15 2026 - 23:47:34 EST

skb_transport_offset() can silently return a negative
value when the transport_header becomes stale after tunnel
decapsulation. A negative offset is never valid — it means
transport_header points before skb->data, which will cause unsigned
wraparound in any caller that assigns the result to an unsigned
variable.

Add a DEBUG_NET_WARN_ON_ONCE(off < 0) check so that such cases are
caught early in CONFIG_DEBUG_NET=y builds (e.g., syzkaller, kernel test
bots) with a full stack trace pointing to the caller, rather than
silently propagating a bogus offset until something crashes downstream.

Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
---
include/linux/skbuff.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 2bcf78a4de7b..0b1aeacc25f7 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3234,7 +3234,10 @@ static inline unsigned char *skb_checksum_start(const struct sk_buff *skb)

static inline int skb_transport_offset(const struct sk_buff *skb)
{
- return skb_transport_header(skb) - skb->data;
+ int off = skb_transport_header(skb) - skb->data;
+
+ DEBUG_NET_WARN_ON_ONCE(off < 0);
+ return off;
}

static inline u32 skb_network_header_len(const struct sk_buff *skb)
--
2.43.0