From: Ranganath V N
To: edumazet@google.com, davem@davemloft.net, david.hunter.linux@gmail.com, horms@kernel.org, jhs@mojatatu.com, jiri@resnulli.us, khalid@kernel.org, kuba@kernel.org, pabeni@redhat.com, vnranganath.20@gmail.com, xiyou.wangcong@gmail.com
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, skhan@linuxfoundation.org, syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Subject: [PATCH net v4 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
Date: Sun, 9 Nov 2025 14:43:35 +0530
Message-ID: <20251109091336.9277-2-vnranganath.20@gmail.com>
In-Reply-To: <20251109091336.9277-1-vnranganath.20@gmail.com>

In tcf_connmark_dump(), the variable 'opt' was partially initialized
using a designated initializer, while the padding bytes remained
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to being copied.

Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Fixes: 22a5dc0e5e3e ("net: sched: Introduce connmark action")
Signed-off-by: Ranganath V N
Acked-by: Cong Wang
Reviewed-by: Eric Dumazet
---
 net/sched/act_connmark.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c index 3e89927d7116..26ba8c2d20ab 100644 --- a/net/sched/act_connmark.c +++ b/net/sched/act_connmark.c
@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *s= kb, struct tc_action *a, const struct tcf_connmark_info *ci =3D to_connmark(a); unsigned char *b =3D skb_tail_pointer(skb); const struct tcf_connmark_parms *parms; - struct tc_connmark opt =3D { - .index =3D ci->tcf_index, - .refcnt =3D refcount_read(&ci->tcf_refcnt) - ref, - .bindcnt =3D atomic_read(&ci->tcf_bindcnt) - bind, - }; + struct tc_connmark opt; struct tcf_t t; =20 + memset(&opt, 0, sizeof(opt)); + + opt.index =3D ci->tcf_index; + opt.refcnt =3D refcount_read(&ci->tcf_refcnt) - ref; + opt.bindcnt =3D atomic_read(&ci->tcf_bindcnt) - bind; + rcu_read_lock(); parms =3D rcu_dereference(ci->parms); =20 --=20 2.43.0
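
Review bot: the added memset(&opt, 0, sizeof(opt)) in tcf_connmark_dump() carries no comment saying it is there to clear the padding of struct tc_connmark before the structure is copied into the netlink message, so a later cleanup could fold the memset and the three assignments back into a designated initializer, which is exactly the form this hunk removes. A one-line comment above the memset stating that padding must be zeroed before the copy to userspace would guard against that. Separately, the subject line says "initialize struct tc_ife", while the type changed in this hunk is struct tc_connmark; the subject should name the structure this patch touches.
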
From: Ranganath V N
To: edumazet@google.com, davem@davemloft.net, david.hunter.linux@gmail.com, horms@kernel.org, jhs@mojatatu.com, jiri@resnulli.us, khalid@kernel.org, kuba@kernel.org, pabeni@redhat.com, vnranganath.20@gmail.com, xiyou.wangcong@gmail.com
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, skhan@linuxfoundation.org, syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Subject: [PATCH net v4 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Date: Sun, 9 Nov 2025 14:43:36 +0530
Message-ID: <20251109091336.9277-3-vnranganath.20@gmail.com>
In-Reply-To: <20251109091336.9277-1-vnranganath.20@gmail.com>

Fix a KMSAN kernel-infoleak detected by the syzbot.

[net?] KMSAN: kernel-infoleak in __skb_datagram_iter

In tcf_ife_dump(), the variable 'opt' was partially initialized using a
designated initializer, while the padding bytes remained
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to being copied.

This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.

This fix has been tested and validated by syzbot. This patch closes the
bug reported at the following syzkaller link and ensures no infoleak.

Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Fixes: ef6980b6becb ("introduce IFE action")
Signed-off-by: Ranganath V N
Acked-by: Cong Wang
Reviewed-by: Eric Dumazet
---
 net/sched/act_ife.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c index 107c6d83dc5c..7c6975632fc2 100644 --- a/net/sched/act_ife.c +++ b/net/sched/act_ife.c @@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct t= c_action *a, int bind, unsigned char *b =3D skb_tail_pointer(skb); struct tcf_ife_info *ife =3D to_ife(a); struct tcf_ife_params *p; - struct tc_ife opt =3D { - .index =3D ife->tcf_index, - .refcnt =3D refcount_read(&ife->tcf_refcnt) - ref, - .bindcnt =3D atomic_read(&ife->tcf_bindcnt) - bind, - }; + struct tc_ife opt; struct tcf_t t; =20 + memset(&opt, 0, sizeof(opt)); + + opt.index =3D ife->tcf_index, + opt.refcnt =3D refcount_read(&ife->tcf_refcnt) - ref, + opt.bindcnt =3D atomic_read(&ife->tcf_bindcnt) - bind, + spin_lock_bh(&ife->tcf_lock); opt.action =3D ife->tcf_action; p =3D rcu_dereference_protected(ife->params, --=20 2.43.0
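
Review bot: the three added assignments to opt.index, opt.refcnt and opt.bindcnt in tcf_ife_dump() end in commas rather than semicolons, so together with the following spin_lock_bh(&ife->tcf_lock); they form one comma expression instead of four statements. The values stored in opt are the same, but this reads as a leftover from the removed initializer and is inconsistent with the act_connmark hunk in patch 1/2, which terminates the same assignments with semicolons. Each of the three lines should end in ';'. As in patch 1/2, a short comment above the memset saying that it clears structure padding before the copy into the netlink message would keep a later cleanup from reintroducing the designated initializer.
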