From: Ranganath V N
To: davem@davemloft.net, edumazet@google.com, horms@kernel.org, jhs@mojatatu.com, jiri@resnulli.us, kuba@kernel.org, pabeni@redhat.com, xiyou.wangcong@gmail.com
Cc: vnranganath.20@gmail.com, david.hunter.linux@gmail.com, khalid@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, skhan@linuxfoundation.org, syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Subject: [PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
Date: Fri, 7 Nov 2025 01:26:33 +0530
Message-ID: <20251106195635.2438-2-vnranganath.20@gmail.com>
In-Reply-To: <20251106195635.2438-1-vnranganath.20@gmail.com>
References: <20251106195635.2438-1-vnranganath.20@gmail.com>

In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.

Signed-off-by: Ranganath V N --- net/sched/act_connmark.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c index 3e89927d7116..2aaaaee9b6bb 100644 --- a/net/sched/act_connmark.c +++ b/net/sched/act_connmark.c 
@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *s= kb, struct tc_action *a, const struct tcf_connmark_info *ci =3D to_connmark(a); unsigned char *b =3D skb_tail_pointer(skb); const struct tcf_connmark_parms *parms; - struct tc_connmark opt =3D { - .index =3D ci->tcf_index, - .refcnt =3D refcount_read(&ci->tcf_refcnt) - ref, - .bindcnt =3D atomic_read(&ci->tcf_bindcnt) - bind, - }; + struct tc_connmark opt; struct tcf_t t; =20 + memset(&opt, 0, sizeof(opt)); + + index =3D ci->tcf_index; + refcnt =3D refcount_read(&ci->tcf_refcnt) - ref; + bindcnt =3D atomic_read(&ci->tcf_bindcnt) - bind; + rcu_read_lock(); parms =3D rcu_dereference(ci->parms); =20 --=20 2.43.0
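
Review bot: In the lines added after memset() in tcf_connmark_dump(), the three assignments write to bare index, refcnt and bindcnt instead of members of opt, and no locals with those names appear in the visible declarations. As written, this either fails to build or leaves opt.index, opt.refcnt and opt.bindcnt at zero in the dumped structure. They should read opt.index = ci->tcf_index; opt.refcnt = refcount_read(&ci->tcf_refcnt) - ref; opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;. Separately, the subject line names struct tc_ife while this hunk changes struct tc_connmark in act_connmark.c, and unlike patch 2/2 there is no Fixes: tag.
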
From: Ranganath V N
To: davem@davemloft.net, edumazet@google.com, horms@kernel.org, jhs@mojatatu.com, jiri@resnulli.us, kuba@kernel.org, pabeni@redhat.com, xiyou.wangcong@gmail.com
Cc: vnranganath.20@gmail.com, david.hunter.linux@gmail.com, khalid@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, skhan@linuxfoundation.org, syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Subject: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Date: Fri, 7 Nov 2025 01:26:34 +0530
Message-ID: <20251106195635.2438-3-vnranganath.20@gmail.com>
In-Reply-To: <20251106195635.2438-1-vnranganath.20@gmail.com>
References: <20251106195635.2438-1-vnranganath.20@gmail.com>

Fix a KMSAN kernel-infoleak detected by the syzbot.

[net?] KMSAN: kernel-infoleak in __skb_datagram_iter

In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.

This change silences the KMSAN report and prevents potential information leaks from the kernel memory.

This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.

Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Fixes: ef6980b6becb ("introduce IFE action")
Signed-off-by: Ranganath V N --- net/sched/act_ife.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c index 107c6d83dc5c..ff1d9d6dcc0a 100644 --- a/net/sched/act_ife.c +++ b/net/sched/act_ife.c @@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct t= c_action *a, int bind, unsigned char *b =3D skb_tail_pointer(skb); struct tcf_ife_info *ife =3D to_ife(a); struct tcf_ife_params *p; - struct tc_ife opt =3D { - .index =3D ife->tcf_index, - .refcnt =3D refcount_read(&ife->tcf_refcnt) - ref, - .bindcnt =3D atomic_read(&ife->tcf_bindcnt) - bind, - }; + struct tc_ife opt; struct tcf_t t; =20 + memset(&opt, 0, sizeof(opt)); + + index =3D ife->tcf_index; + refcnt =3D refcount_read(&ife->tcf_refcnt) - ref; + bindcnt =3D atomic_read(&ife->tcf_bindcnt) - bind; + spin_lock_bh(&ife->tcf_lock); opt.action =3D ife->tcf_action; p =3D rcu_dereference_protected(ife->params, --=20 2.43.0
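
Review bot: The three assignments added after memset() in tcf_ife_dump() target bare index, refcnt and bindcnt, while the unchanged context line just below them uses opt.action = ife->tcf_action;, so the opt. prefix looks to have been dropped. With no such locals declared in the visible context, this either does not compile or leaves those three fields of the dumped tc_ife at zero. Suggest opt.index = ife->tcf_index; opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref; opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;.
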
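
Added example, not part of either patch or of the kernel source: a userspace model of the leak both commit messages describe, where a struct with tail padding is filled member by member and then copied whole. struct demo_opt, POISON and both function names are constructed for this illustration; the layout assumes the usual 4-byte alignment of 32-bit integers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in (not the kernel's definition): tail padding follows flags. */
struct demo_opt {
    uint32_t index;
    uint32_t capab;
    int32_t  action;
    int32_t  refcnt;
    int32_t  bindcnt;
    uint16_t flags;
};

#define POISON 0xAA /* stands in for stale stack contents */

/* Bytes of the struct that belong to no member (here: tail padding). */
size_t padding_bytes(void)
{
    return sizeof(struct demo_opt) -
           (offsetof(struct demo_opt, flags) + sizeof(uint16_t));
}

/* Fill the struct member by member, copy it whole as nla_put() would, and
 * count bytes of the copy that still hold POISON. */
size_t stale_bytes_after_fill(int zero_first)
{
    unsigned char out[sizeof(struct demo_opt)];
    struct demo_opt opt;
    size_t i, stale = 0;

    memset(&opt, POISON, sizeof(opt));   /* simulate a dirty stack slot */
    if (zero_first)
        memset(&opt, 0, sizeof(opt));    /* the fix: clear members and padding */
    opt.index = 1;  opt.capab = 0;   opt.action = 2;
    opt.refcnt = 1; opt.bindcnt = 0; opt.flags = 0;
    memcpy(out, &opt, sizeof(opt));      /* whole-struct copy */
    for (i = 0; i < sizeof(opt); i++)
        stale += (out[i] == POISON);
    return stale;
}

int main(void)
{
    printf("padding=%zu stale(no memset)=%zu stale(memset)=%zu\n",
           padding_bytes(), stale_bytes_after_fill(0), stale_bytes_after_fill(1));
    return 0;
}
```

Every member is assigned in both runs, yet only the memset form leaves no stale bytes in the copy, which is why assigning all fields is not a substitute for clearing the whole structure.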