[PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak

Ranganath V N posted 2 patches 1 month, 1 week ago
[PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Posted by Ranganath V N 1 month, 1 week ago
Fix a KMSAN kernel-infoleak detected by syzbot.

[net?] KMSAN: kernel-infoleak in __skb_datagram_iter

In tcf_ife_dump(), the variable 'opt' was partially initialized using a
designated initializer, while the padding bytes remained
uninitialized. nla_put() copies the entire structure into a
netlink message, so these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to being copied.

This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.

This fix has been tested and validated by syzbot. This patch closes the
bug reported at the following syzkaller link and ensures no infoleak.

Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Fixes: ef6980b6becb ("introduce IFE action")
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
 net/sched/act_ife.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 107c6d83dc5c..ff1d9d6dcc0a 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
 	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_ife_info *ife = to_ife(a);
 	struct tcf_ife_params *p;
-	struct tc_ife opt = {
-		.index = ife->tcf_index,
-		.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
-		.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
-	};
+	struct tc_ife opt;
 	struct tcf_t t;
 
+	memset(&opt, 0, sizeof(opt));
+
+	index = ife->tcf_index;
+	refcnt = refcount_read(&ife->tcf_refcnt) - ref;
+	bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
+
 	spin_lock_bh(&ife->tcf_lock);
 	opt.action = ife->tcf_action;
 	p = rcu_dereference_protected(ife->params,
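Review bot: The new `memset(&opt, 0, sizeof(opt));` carries no comment saying why a plain designated initializer was not enough, so a later cleanup could fold the assignments back into `struct tc_ife opt = { ... }` and silently reintroduce the leak; a one-line comment above the memset, `/* zero the whole struct, padding included: nla_put() copies it to userspace */`, would pin the reason. The same rationale applies to the sibling change in patch 1/2 of this series if it uses the same pattern. tcf_ife_dump's body continues outside the hunk, including the nla_put() call that actually copies opt.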
-- 
2.43.0
Re: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Posted by kernel test robot 1 month, 1 week ago
Hi Ranganath,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.18-rc4 next-20251107]
[cannot apply to horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ranganath-V-N/net-sched-act_connmark-initialize-struct-tc_ife-to-fix-kernel-leak/20251107-035911
base:   net-next/main
patch link:    https://lore.kernel.org/r/20251106195635.2438-3-vnranganath.20%40gmail.com
patch subject: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
config: i386-buildonly-randconfig-003-20251108 (https://download.01.org/0day-ci/archive/20251108/202511080909.0OWvBSbY-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251108/202511080909.0OWvBSbY-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511080909.0OWvBSbY-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/sched/act_ife.c: In function 'tcf_ife_dump':
>> net/sched/act_ife.c:652:9: error: 'index' undeclared (first use in this function)
     652 |         index = ife->tcf_index;
         |         ^~~~~
   net/sched/act_ife.c:652:9: note: each undeclared identifier is reported only once for each function it appears in
>> net/sched/act_ife.c:653:9: error: 'refcnt' undeclared (first use in this function)
     653 |         refcnt = refcount_read(&ife->tcf_refcnt) - ref;
         |         ^~~~~~
>> net/sched/act_ife.c:654:9: error: 'bindcnt' undeclared (first use in this function); did you mean 'bind'?
     654 |         bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
         |         ^~~~~~~
         |         bind


vim +/index +652 net/sched/act_ife.c

   640	
   641	static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
   642				int ref)
   643	{
   644		unsigned char *b = skb_tail_pointer(skb);
   645		struct tcf_ife_info *ife = to_ife(a);
   646		struct tcf_ife_params *p;
   647		struct tc_ife opt;
   648		struct tcf_t t;
   649	
   650		memset(&opt, 0, sizeof(opt));
   651	
 > 652		index = ife->tcf_index;
 > 653		refcnt = refcount_read(&ife->tcf_refcnt) - ref;
 > 654		bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
   655	
   656		spin_lock_bh(&ife->tcf_lock);
   657		opt.action = ife->tcf_action;
   658		p = rcu_dereference_protected(ife->params,
   659					      lockdep_is_held(&ife->tcf_lock));
   660		opt.flags = p->flags;
   661	
   662		if (nla_put(skb, TCA_IFE_PARMS, sizeof(opt), &opt))
   663			goto nla_put_failure;
   664	
   665		tcf_tm_dump(&t, &ife->tcf_tm);
   666		if (nla_put_64bit(skb, TCA_IFE_TM, sizeof(t), &t, TCA_IFE_PAD))
   667			goto nla_put_failure;
   668	
   669		if (!is_zero_ether_addr(p->eth_dst)) {
   670			if (nla_put(skb, TCA_IFE_DMAC, ETH_ALEN, p->eth_dst))
   671				goto nla_put_failure;
   672		}
   673	
   674		if (!is_zero_ether_addr(p->eth_src)) {
   675			if (nla_put(skb, TCA_IFE_SMAC, ETH_ALEN, p->eth_src))
   676				goto nla_put_failure;
   677		}
   678	
   679		if (nla_put(skb, TCA_IFE_TYPE, 2, &p->eth_type))
   680			goto nla_put_failure;
   681	
   682		if (dump_metalist(skb, ife)) {
   683			/*ignore failure to dump metalist */
   684			pr_info("Failed to dump metalist\n");
   685		}
   686	
   687		spin_unlock_bh(&ife->tcf_lock);
   688		return skb->len;
   689	
   690	nla_put_failure:
   691		spin_unlock_bh(&ife->tcf_lock);
   692		nlmsg_trim(skb, b);
   693		return -1;
   694	}
   695	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Re: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Posted by kernel test robot 1 month, 1 week ago
Hi Ranganath,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.18-rc4 next-20251107]
[cannot apply to horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ranganath-V-N/net-sched-act_connmark-initialize-struct-tc_ife-to-fix-kernel-leak/20251107-035911
base:   net-next/main
patch link:    https://lore.kernel.org/r/20251106195635.2438-3-vnranganath.20%40gmail.com
patch subject: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
config: s390-randconfig-r073-20251108 (https://download.01.org/0day-ci/archive/20251108/202511080954.ZMCEd0sG-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project d78e0ded5215824a63ac04fb87effd9eacf875eb)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251108/202511080954.ZMCEd0sG-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511080954.ZMCEd0sG-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/sched/act_ife.c:652:2: error: call to undeclared library function 'index' with type 'char *(const char *, int)'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
     652 |         index = ife->tcf_index;
         |         ^
   net/sched/act_ife.c:652:2: note: include the header <strings.h> or explicitly provide a declaration for 'index'
>> net/sched/act_ife.c:652:8: error: non-object type 'char *(const char *, int)' is not assignable
     652 |         index = ife->tcf_index;
         |         ~~~~~ ^
>> net/sched/act_ife.c:653:2: error: use of undeclared identifier 'refcnt'
     653 |         refcnt = refcount_read(&ife->tcf_refcnt) - ref;
         |         ^~~~~~
>> net/sched/act_ife.c:654:2: error: use of undeclared identifier 'bindcnt'
     654 |         bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
         |         ^~~~~~~
   4 errors generated.


vim +652 net/sched/act_ife.c

   640	
   641	static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
   642				int ref)
   643	{
   644		unsigned char *b = skb_tail_pointer(skb);
   645		struct tcf_ife_info *ife = to_ife(a);
   646		struct tcf_ife_params *p;
   647		struct tc_ife opt;
   648		struct tcf_t t;
   649	
   650		memset(&opt, 0, sizeof(opt));
   651	
 > 652		index = ife->tcf_index;
 > 653		refcnt = refcount_read(&ife->tcf_refcnt) - ref;
 > 654		bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
   655	
   656		spin_lock_bh(&ife->tcf_lock);
   657		opt.action = ife->tcf_action;
   658		p = rcu_dereference_protected(ife->params,
   659					      lockdep_is_held(&ife->tcf_lock));
   660		opt.flags = p->flags;
   661	
   662		if (nla_put(skb, TCA_IFE_PARMS, sizeof(opt), &opt))
   663			goto nla_put_failure;
   664	
   665		tcf_tm_dump(&t, &ife->tcf_tm);
   666		if (nla_put_64bit(skb, TCA_IFE_TM, sizeof(t), &t, TCA_IFE_PAD))
   667			goto nla_put_failure;
   668	
   669		if (!is_zero_ether_addr(p->eth_dst)) {
   670			if (nla_put(skb, TCA_IFE_DMAC, ETH_ALEN, p->eth_dst))
   671				goto nla_put_failure;
   672		}
   673	
   674		if (!is_zero_ether_addr(p->eth_src)) {
   675			if (nla_put(skb, TCA_IFE_SMAC, ETH_ALEN, p->eth_src))
   676				goto nla_put_failure;
   677		}
   678	
   679		if (nla_put(skb, TCA_IFE_TYPE, 2, &p->eth_type))
   680			goto nla_put_failure;
   681	
   682		if (dump_metalist(skb, ife)) {
   683			/*ignore failure to dump metalist */
   684			pr_info("Failed to dump metalist\n");
   685		}
   686	
   687		spin_unlock_bh(&ife->tcf_lock);
   688		return skb->len;
   689	
   690	nla_put_failure:
   691		spin_unlock_bh(&ife->tcf_lock);
   692		nlmsg_trim(skb, b);
   693		return -1;
   694	}
   695	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki