On Sat, 3 Jan 2026 13:20:34 +0100 Oliver Hartkopp wrote:

Hello Jakub,

thanks for stepping in!

On 02.01.26 21:04, Jakub Kicinski wrote:

quoted

You're asking the wrong person, IIUC Andrii is tangentially involved
in XDP (via bpf links?):
  

(..)

quoted

Without looking too deeply - XDP has historically left the new space
uninitialized after push, expecting programs to immediately write the
headers in that space. syzbot had run into this in the past but I can't
find any references to past threads quickly :(  

To identify Andrii I mainly looked into the code with 'git blame' that 
led to this problematic call chain:

   pskb_expand_head+0x226/0x1a60 net/core/skbuff.c:2275
   netif_skb_check_for_xdp net/core/dev.c:5081 [inline]
   netif_receive_generic_xdp net/core/dev.c:5112 [inline]
   do_xdp_generic+0x9e3/0x15a0 net/core/dev.c:5180

Having in mind that the syzkaller refers to 
6.13.0-rc7-syzkaller-00039-gc3812b15000c I wonder if we can leave this 
report as-is, as the problem might be solved in the meantime??

In any case I wonder, if we should add some code to re-check if the 
headroom of the CAN-related skbs is still consistent and not changed in 
size by other players. And maybe add some WARN_ON_ONCE() before dropping 
the skb then.

When the skb headroom is not safe to be used we need to be able to 
identify and solve it.

Ugh, I should have looked at the report. The struct can_skb_priv
business is highly unconventional for the networking stack.
Would it be possible to kmalloc() this info and pass it to the socket
via shinfo->destructor_arg?