Re: [BUG] Potential Null Pointer Dereference in tcp_mtu_probe Function
From: Eric Dumazet
Date: Sat Feb 14 2026 - 07:24:45 EST
On Sat, Feb 14, 2026 at 1:11 PM 冯嘉仪 <23210240148@xxxxxxxxxxxxxx> wrote:
>
> Dear Maintainer,
>
> Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.
>
> Vulnerability Description:
> File: net/ipv4/tcp_output.c
> In the function tcp_mtu_probe, we found the following line of code:
>
> TCP_SKB_CB(nskb)->seq = TCP_SKB_CB(skb)->seq
>
> The issue arises because the skb pointer may be passed as NULL in certain situations. The statement passes the skb pointer to TCP_SKB_CB without any check, but TCP_SKB_CB might contain a dereference operation on the skb pointer, which could result in a null-pointer dereference.

Which pointer could be NULL here? Be specific please.

>
> Proposed Fix:
> To prevent the potential null-pointer dereference, we suggest adding a NULL check for the skb pointer before attempting to pass the pointer to TCP_SKB_CB.
>
> Request for Review:
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.
>
> Thank you for your time and consideration.

I think you probably should fix your tool, and use a more recent kernel anyway.
Try to have a human validation before sending such reports, thank you.