The following is not something I'm planning to work on in the near future, but I think this would be helpful to allow fuzzers to more easily detect OOB access bugs in the networking subsystem - maybe someone else is interested in working on this?
As described in https://docs.kernel.org/networking/skbuff.html , in the networking subsystem, SKB head buffers are stored with a "struct skb_shared_info" at the end. This means that out-of-bounds accesses to SKB data in the head buffer can't be detected by KASAN unless they go far enough out of bounds to go beyond the skb_shared_info.
For debugging/fuzzing, it might be useful to have a KASAN redzone somewhere between legitimate data in an SKB and skb_shared_info metadata, accesses into which would cause KASAN splats. Maybe we could split sk_buff::end into two separate members for "end of tailroom" and "start of skb_shared_info" so that a redzone can be placed in between? Or let debug builds store the skb_shared_info in a separate memory allocation?
(We could also try to go further and KASAN-poison the headroom and tailroom until they're actually used, but that might require an annoying amount of refactoring of existing code, so probably not great as an initial goal.)
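
A userspace C model of the layout problem and the proposed split of sk_buff::end, added here as an illustration; it is not kernel code and not part of the original report. The names skb_model, shinfo_model, DATA_SZ, REDZONE and the one-flag-per-byte shadow array are assumptions standing in for struct sk_buff, struct skb_shared_info and KASAN shadow memory.

```c
#include <stdint.h>
#include <string.h>

#define DATA_SZ 64 /* constructed sizes, model only */
#define REDZONE 16
struct shinfo_model { uint8_t nr_frags; uint32_t dataref; }; /* stand-in for skb_shared_info */
#define HEAD_MAX (DATA_SZ + REDZONE + sizeof(struct shinfo_model))
struct skb_model {
    uint8_t head[HEAD_MAX];   /* [data + tailroom | optional redzone | shinfo] */
    uint8_t shadow[HEAD_MAX]; /* one poison flag per byte, models KASAN shadow */
    size_t end;               /* proposed member 1: end of tailroom */
    size_t shinfo_off;        /* proposed member 2: start of the shared info */
    size_t total;             /* bytes of head[] in use for this layout */
};

static void skb_model_init(struct skb_model *skb, int use_redzone)
{
    size_t rz = use_redzone ? REDZONE : 0;
    memset(skb, 0, sizeof(*skb));
    skb->end = DATA_SZ;
    skb->shinfo_off = skb->end + rz;
    skb->total = skb->shinfo_off + sizeof(struct shinfo_model);
    memset(skb->shadow + skb->end, 1, rz); /* poison only the gap */
}

/* Models an instrumented store: returns -1 (the "splat") if any byte is poisoned. */
static int skb_model_write(struct skb_model *skb, size_t off, uint8_t val, size_t len)
{
    if (off > skb->total || len > skb->total - off)
        return -1; /* past the allocation: KASAN already reports this case */
    for (size_t i = 0; i < len; i++)
        if (skb->shadow[off + i])
            return -1;
    memset(skb->head + off, val, len);
    return 0;
}

/* Buggy 6-byte store 2 bytes before the end of the data area; returns 1 if flagged. */
static int oob_write_flagged(int use_redzone, int *corrupted)
{
    struct skb_model skb;
    struct shinfo_model si;
    skb_model_init(&skb, use_redzone);
    int flagged = skb_model_write(&skb, skb.end - 2, 0xff, 6) != 0;
    memcpy(&si, skb.head + skb.shinfo_off, sizeof(si));
    *corrupted = si.nr_frags != 0; /* did the store reach the metadata? */
    return flagged;
}

int main(void) { int c; return !(oob_write_flagged(1, &c) == 1 && c == 0); }
```

With use_redzone set to 0 the overrunning store goes unflagged and overwrites the modelled shared info; with the redzone it is refused before any byte is written.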

