KMSAN reported a use of uninitialized memory in hex_byte_pack()
via ip6_string() when printing %pI6 from ib_nl_handle_ip_res_resp().
If the LS_NLA_TYPE_DGID attribute is missing, 'gid' remains
uninitialized before being used in pr_info(), leading to a
KMSAN uninit-value report.
Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a
Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
Signed-off-by: Kriish Sharma <kriish.sharma2006@gmail.com>
---
drivers/infiniband/core/addr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 61596cda2b65..4c602fcae12f 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -99,7 +99,7 @@ static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
{
const struct nlattr *head, *curr;
- union ib_gid gid;
+ union ib_gid gid = {};
struct addr_req *req;
int len, rem;
int found = 0;
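Review bot: `union ib_gid gid = {};` only silences KMSAN; it does not answer why the DGID can be missing once ib_nl_is_good_ip_resp() has returned true, and a message without LS_NLA_TYPE_DGID is still processed, with pr_info() now printing an all-zero GID instead of stack garbage. A netlink policy validates only the attributes that are present, so nla_parse_deprecated() succeeds when the attribute is absent; the missing piece is a check that tb[LS_NLA_TYPE_DGID] is not NULL after the parse in ib_nl_is_good_ip_resp(), rejecting the response there, and the commit message should name that as the root cause rather than the uninitialized local.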
--
2.34.1
On Fri, Nov 07, 2025 at 04:10:02AM +0000, Kriish Sharma wrote:
> KMSAN reported a use of uninitialized memory in hex_byte_pack()
> via ip6_string() when printing %pI6 from ib_nl_handle_ip_res_resp().
> If the LS_NLA_TYPE_DGID attribute is missing, 'gid' remains
> uninitialized before being used in pr_info(), leading to a
> KMSAN uninit-value report.
>
> Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a
> Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
> Signed-off-by: Kriish Sharma <kriish.sharma2006@gmail.com>
> ---
> drivers/infiniband/core/addr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
> index 61596cda2b65..4c602fcae12f 100644
> --- a/drivers/infiniband/core/addr.c
> +++ b/drivers/infiniband/core/addr.c
> @@ -99,7 +99,7 @@ static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
> static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
> {
> const struct nlattr *head, *curr;
> - union ib_gid gid;
> + union ib_gid gid = {};
> struct addr_req *req;
> int len, rem;
> int found = 0;
This doesn't seem right.

We have this as the only caller:

    if (ib_nl_is_good_ip_resp(nlh))
        ib_nl_process_good_ip_rsep(nlh);

And ib_nl_is_good_ip_resp() does:

    ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh),
                               nlmsg_len(nlh), ib_nl_addr_policy,
                               NULL);

    static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = {
        [LS_NLA_TYPE_DGID] = {.type = NLA_BINARY,
                              .len = sizeof(struct rdma_nla_ls_gid),
                              .validation_type = NLA_VALIDATE_MIN,
                              .min = sizeof(struct rdma_nla_ls_gid)},
    };

So I expect the nla_parse_deprecated() to fail if this:

    nla_for_each_attr(curr, head, len, rem) {
        if (curr->nla_type == LS_NLA_TYPE_DGID)
            memcpy(&gid, nla_data(curr), nla_len(curr));
    }

Doesn't find a DGID.

So how can gid be uninitialized?

The fix to whatever this is should be in ib_nl_is_good_ip_resp().

Jason
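The parse path Jason walks through above, as a userspace model added here (not kernel code, and not from the patch author or the RDMA subsystem): a policy only validates attributes that are present, so a successful parse does not prove the DGID was there, and the presence check the thread settles on is what closes the gap. The TLV layout, type numbers and the three sample messages are constructed assumptions.

```c
/* Added example, not kernel code: userspace model of the netlink attribute
 * check discussed above. Constants, TLV layout and messages are constructed. */
#include <stdint.h>
#include <string.h>

#define LS_NLA_TYPE_DGID 1
#define LS_NLA_TYPE_MAX  2
#define NLA_HDRLEN       4    /* uint16 nla_len + uint16 nla_type */
#define GID_LEN          16

/* Per-type minimum payload length, standing in for NLA_VALIDATE_MIN. */
static const size_t policy_min[LS_NLA_TYPE_MAX] = { [LS_NLA_TYPE_DGID] = GID_LEN };

/* Walks a flat TLV buffer (headers as little-endian bytes) and records each
 * present attribute in tb[]. Returns 0 on success, -1 for a truncated or
 * too-short attribute. As with nla_parse_deprecated(), an absent attribute
 * is not an error: the policy only validates what is actually present. */
static int model_nla_parse(const uint8_t *tb[LS_NLA_TYPE_MAX],
                           const uint8_t *buf, size_t len)
{
    size_t off = 0;
    memset(tb, 0, sizeof(tb[0]) * LS_NLA_TYPE_MAX);
    while (off + NLA_HDRLEN <= len) {
        size_t alen = buf[off] | (size_t)buf[off + 1] << 8;
        unsigned type = buf[off + 2] | (unsigned)buf[off + 3] << 8;
        if (alen < NLA_HDRLEN || off + alen > len)
            return -1;                           /* truncated attribute */
        if (type < LS_NLA_TYPE_MAX) {
            if (alen - NLA_HDRLEN < policy_min[type])
                return -1;                       /* present but too short */
            tb[type] = buf + off;
        }
        off += (alen + 3) & ~(size_t)3;          /* NLA_ALIGN */
    }
    return 0;
}

/* 1 if the response is acceptable. require_dgid == 0 is the check as it stands
 * (parse status only); require_dgid == 1 adds the presence test from the thread. */
static int is_good_ip_resp(const uint8_t *buf, size_t len, int require_dgid)
{
    const uint8_t *tb[LS_NLA_TYPE_MAX];
    if (model_nla_parse(tb, buf, len) != 0)
        return 0;
    return !require_dgid || tb[LS_NLA_TYPE_DGID] != NULL;
}

/* Constructed messages: a 16-byte DGID, no DGID at all, and a 4-byte DGID. */
static const uint8_t msg_with_dgid[] = { 20, 0, LS_NLA_TYPE_DGID, 0,
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
static const uint8_t msg_no_dgid[]    = { 8, 0, 0, 0, 1, 2, 3, 4 };
static const uint8_t msg_short_dgid[] = { 8, 0, LS_NLA_TYPE_DGID, 0, 1, 2, 3, 4 };
```

The no-DGID message is the case the syzbot report hit: the parse-only check accepts it, the presence check rejects it, and the too-short DGID is rejected by both because the policy does validate attributes that are present.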
On 11/7/25 07:37, Jason Gunthorpe wrote:
> The fix to whatever this is should be in ib_nl_is_good_ip_resp().

nla_parse_deprecated returns success if attrs are missing?

Other callers also check for their expected attrs to be present in tb,
after checking nla_parse_deprecated()'s return code.
On Fri, Nov 07, 2025 at 11:11:40AM -0800, Vlad Dumitrescu wrote:
> On 11/7/25 07:37, Jason Gunthorpe wrote:
> > The fix to whatever this is should be in ib_nl_is_good_ip_resp().
>
> nla_parse_deprecated returns success if attrs are missing?
>
> Other callers also check for their expected attrs to be present in tb,
> after checking nla_parse_deprecated()'s return code.

That sounds like the trouble then, the check for tb presence should be
added to the ib_nl_is_good_ip_resp..

Jason
Should I prepare and send a patch that adds the suggested check in
ib_nl_is_good_ip_resp() as Vlad mentioned?

On Sat, Nov 8, 2025 at 12:47 AM Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> On Fri, Nov 07, 2025 at 11:11:40AM -0800, Vlad Dumitrescu wrote:
> > On 11/7/25 07:37, Jason Gunthorpe wrote:
> > > The fix to whatever this is should be in ib_nl_is_good_ip_resp().
> >
> > nla_parse_deprecated returns success if attrs are missing?
> >
> > Other callers also check for their expected attrs to be present in tb,
> > after checking nla_parse_deprecated()'s return code.
>
> That sounds like the trouble then, the check for tb presence should be
> added to the ib_nl_is_good_ip_resp..
>
> Jason
On 11/7/25 11:58, Kriish Sharma wrote:
> Should I prepare and send a patch that adds the suggested check in
> ib_nl_is_good_ip_resp() as Vlad mentioned?

From my p.o.v., feel free to send it. Can we have syzkaller test it?

Thanks!
Hi Vlad, Jason,

Thanks for the confirmation. I've sent a v2 patch incorporating the
suggested check in ib_nl_is_good_ip_resp().

Link to v2: https://lore.kernel.org/all/20251108034336.2100529-1-kriish.sharma2006@gmail.com/

On Sat, Nov 8, 2025 at 2:36 AM Vlad Dumitrescu <vdumitrescu@nvidia.com> wrote:
> Can we have syzkaller test it?

It has been tested with syzbot, and no KMSAN or other alarms were raised.

Best regards,
Kriish
Hi Jason,
Thanks for the insight. I’ll dig deeper into the handling inside
ib_nl_is_good_ip_resp() and follow up with an updated analysis or
patch.
Regards,
Kriish
On Fri, Nov 7, 2025 at 9:07 PM Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> On Fri, Nov 07, 2025 at 04:10:02AM +0000, Kriish Sharma wrote:
> > KMSAN reported a use of uninitialized memory in hex_byte_pack()
> > via ip6_string() when printing %pI6 from ib_nl_handle_ip_res_resp().
> > If the LS_NLA_TYPE_DGID attribute is missing, 'gid' remains
> > uninitialized before being used in pr_info(), leading to a
> > KMSAN uninit-value report.
> >
> > Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a
> > Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
> > Signed-off-by: Kriish Sharma <kriish.sharma2006@gmail.com>
> > ---
> > drivers/infiniband/core/addr.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
> > index 61596cda2b65..4c602fcae12f 100644
> > --- a/drivers/infiniband/core/addr.c
> > +++ b/drivers/infiniband/core/addr.c
> > @@ -99,7 +99,7 @@ static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
> > static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
> > {
> > const struct nlattr *head, *curr;
> > - union ib_gid gid;
> > + union ib_gid gid = {};
> > struct addr_req *req;
> > int len, rem;
> > int found = 0;
>
> This doesn't seem right.
>
> We have this as the only caller:
>
>     if (ib_nl_is_good_ip_resp(nlh))
>         ib_nl_process_good_ip_rsep(nlh);
>
> And ib_nl_is_good_ip_resp() does:
>
>     ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh),
>                                nlmsg_len(nlh), ib_nl_addr_policy,
>                                NULL);
>
>     static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = {
>         [LS_NLA_TYPE_DGID] = {.type = NLA_BINARY,
>                               .len = sizeof(struct rdma_nla_ls_gid),
>                               .validation_type = NLA_VALIDATE_MIN,
>                               .min = sizeof(struct rdma_nla_ls_gid)},
>     };
>
> So I expect the nla_parse_deprecated() to fail if this:
>
>     nla_for_each_attr(curr, head, len, rem) {
>         if (curr->nla_type == LS_NLA_TYPE_DGID)
>             memcpy(&gid, nla_data(curr), nla_len(curr));
>     }
>
> Doesn't find a DGID.
>
> So how can gid be uninitialized?
>
> The fix to whatever this is should be in ib_nl_is_good_ip_resp().
>
> Jason