net/atm/lec.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+)
syzbot reported a KMSAN uninitialized-value crash caused by reading
fields from struct atmlec_msg before validating that the skb contains
enough linear data. A malformed short skb can cause lec_arp_update()
and other handlers to access uninitialized memory.
Add a pre_send() validator that ensures the message header and optional
TLVs are fully present. This prevents all lec message types from reading
beyond initialized skb data.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+5dd615f890ddada54057@syzkaller.appspotmail.com
Tested-by: syzbot+5dd615f890ddada54057@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057
Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
---
net/atm/lec.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index afb8d3eb2185..c893781a490a 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -489,8 +489,33 @@ static void lec_atm_close(struct atm_vcc *vcc)
module_put(THIS_MODULE);
}
+static int lec_atm_pre_send(struct atm_vcc *vcc, struct sk_buff *skb)
+{
+ struct atmlec_msg *mesg;
+ u32 sizeoftlvs;
+ unsigned int msg_size = sizeof(struct atmlec_msg);
+
+ /* Must contain the base message */
+ if (skb->len < msg_size)
+ return -EINVAL;
+
+ /* Must have at least msg_size bytes in linear data */
+ if (!pskb_may_pull(skb, msg_size))
+ return -EINVAL;
+
+ mesg = (struct atmlec_msg *)skb->data;
+ sizeoftlvs = mesg->sizeoftlvs;
+
+ /* Validate TLVs if present */
+ if (sizeoftlvs && !pskb_may_pull(skb, msg_size + sizeoftlvs))
+ return -EINVAL;
+
+ return 0;
+}
+
static const struct atmdev_ops lecdev_ops = {
.close = lec_atm_close,
+ .pre_send = lec_atm_pre_send,
.send = lec_atm_send
};
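Review bot: The length arithmetic in `if (sizeoftlvs && !pskb_may_pull(skb, msg_size + sizeoftlvs))` can wrap: `sizeoftlvs` is read straight from the message into a u32 and `msg_size` is an unsigned int, so a value near UINT_MAX makes the sum small, pskb_may_pull() succeeds, and the downstream handlers then trust a `sizeoftlvs` far larger than the skb actually holds. Bound the field against the remaining length before pulling, `if (sizeoftlvs > skb->len - msg_size || !pskb_may_pull(skb, msg_size + sizeoftlvs)) return -EINVAL;` — the subtraction cannot underflow because the earlier `skb->len < msg_size` test already rejected shorter skbs. Once that bound is in place the standalone `skb->len < msg_size` check is otherwise redundant with pskb_may_pull(), which already fails when the requested length exceeds skb->len, so it is worth a comment saying it exists to keep the subtraction safe. That the TLVs directly follow the header is taken from the commit message; the struct layout is not visible in this hunk.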
--
2.43.0
Hi Dharanitharan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on net/main]
[also build test WARNING on net-next/main linus/master v6.18 next-20251208]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dharanitharan-R/net-atm-lec-add-pre_send-validation-to-avoid-uninitialized/20251207-121647
base: net/main
patch link: https://lore.kernel.org/r/20251207041453.8302-1-dharanitharan725%40gmail.com
patch subject: [PATCH] net: atm: lec: add pre_send validation to avoid uninitialized
config: x86_64-randconfig-r072-20251208 (https://download.01.org/0day-ci/archive/20251209/202512090202.P59kzmhm-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512090202.P59kzmhm-lkp@intel.com/
New smatch warnings:
net/atm/lec.c:503 lec_atm_pre_send() warn: inconsistent indenting
net/atm/lec.c:506 lec_atm_pre_send() warn: curly braces intended?
Old smatch warnings:
net/atm/lec.c:507 lec_atm_pre_send() warn: inconsistent indenting
vim +503 net/atm/lec.c
491
492 static int lec_atm_pre_send(struct atm_vcc *vcc, struct sk_buff *skb)
493 {
494 struct atmlec_msg *mesg;
495 u32 sizeoftlvs;
496 unsigned int msg_size = sizeof(struct atmlec_msg);
497
498 /* Must contain the base message */
499 if (skb->len < msg_size)
500 return -EINVAL;
501
502 /* Must have at least msg_size bytes in linear data */
> 503 if (!pskb_may_pull(skb, msg_size))
504 return -EINVAL;
505
> 506 mesg = (struct atmlec_msg *)skb->data;
507 sizeoftlvs = mesg->sizeoftlvs;
508
509 /* Validate TLVs if present */
510 if (sizeoftlvs && !pskb_may_pull(skb, msg_size + sizeoftlvs))
511 return -EINVAL;
512
513 return 0;
514 }
515
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
+ Edward
On Sun, Dec 07, 2025 at 04:14:53AM +0000, Dharanitharan R wrote:
> syzbot reported a KMSAN uninitialized-value crash caused by reading
> fields from struct atmlec_msg before validating that the skb contains
> enough linear data. A malformed short skb can cause lec_arp_update()
> and other handlers to access uninitialized memory.
>
> Add a pre_send() validator that ensures the message header and optional
> TLVs are fully present. This prevents all lec message types from reading
> beyond initialized skb data.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+5dd615f890ddada54057@syzkaller.appspotmail.com
> Tested-by: syzbot+5dd615f890ddada54057@syzkaller.appspotmail.com
No blank lines between tags please.
>
> Closes: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057
Likewise here.
>
> Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
But more importantly, this seems to duplicate another patch
that is under review:
* [PATCH net v3] net: atm: implement pre_send to check input before sending
https://lore.kernel.org/all/tencent_4312C2065549BCEEF0EECACCA467F446F406@qq.com/
Hi Dharanitharan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on net/main]
[also build test WARNING on net-next/main linus/master horms-ipvs/master v6.18 next-20251205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dharanitharan-R/net-atm-lec-add-pre_send-validation-to-avoid-uninitialized/20251207-121647
base: net/main
patch link: https://lore.kernel.org/r/20251207041453.8302-1-dharanitharan725%40gmail.com
patch subject: [PATCH] net: atm: lec: add pre_send validation to avoid uninitialized
config: arm64-randconfig-002-20251208 (https://download.01.org/0day-ci/archive/20251208/202512081042.Zx4NasDJ-lkp@intel.com/config)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251208/202512081042.Zx4NasDJ-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512081042.Zx4NasDJ-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> net/atm/lec.c:506:2: warning: misleading indentation; statement is not part of the previous 'if' [-Wmisleading-indentation]
506 | mesg = (struct atmlec_msg *)skb->data;
| ^
net/atm/lec.c:503:4: note: previous statement is here
503 | if (!pskb_may_pull(skb, msg_size))
| ^
1 warning generated.
vim +/if +506 net/atm/lec.c
491
492 static int lec_atm_pre_send(struct atm_vcc *vcc, struct sk_buff *skb)
493 {
494 struct atmlec_msg *mesg;
495 u32 sizeoftlvs;
496 unsigned int msg_size = sizeof(struct atmlec_msg);
497
498 /* Must contain the base message */
499 if (skb->len < msg_size)
500 return -EINVAL;
501
502 /* Must have at least msg_size bytes in linear data */
503 if (!pskb_may_pull(skb, msg_size))
504 return -EINVAL;
505
> 506 mesg = (struct atmlec_msg *)skb->data;
507 sizeoftlvs = mesg->sizeoftlvs;
508
509 /* Validate TLVs if present */
510 if (sizeoftlvs && !pskb_may_pull(skb, msg_size + sizeoftlvs))
511 return -EINVAL;
512
513 return 0;
514 }
515
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Dharanitharan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on net/main]
[also build test WARNING on net-next/main linus/master horms-ipvs/master v6.18 next-20251205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dharanitharan-R/net-atm-lec-add-pre_send-validation-to-avoid-uninitialized/20251207-121647
base: net/main
patch link: https://lore.kernel.org/r/20251207041453.8302-1-dharanitharan725%40gmail.com
patch subject: [PATCH] net: atm: lec: add pre_send validation to avoid uninitialized
config: nios2-randconfig-002-20251208 (https://download.01.org/0day-ci/archive/20251208/202512080911.BLjFHfAd-lkp@intel.com/config)
compiler: nios2-linux-gcc (GCC) 11.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251208/202512080911.BLjFHfAd-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512080911.BLjFHfAd-lkp@intel.com/
All warnings (new ones prefixed by >>):
net/atm/lec.c: In function 'lec_atm_pre_send':
>> net/atm/lec.c:503:4: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
503 | if (!pskb_may_pull(skb, msg_size))
| ^~
net/atm/lec.c:506:9: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
506 | mesg = (struct atmlec_msg *)skb->data;
| ^~~~
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for CAN_DEV
Depends on [n]: NETDEVICES [=n] && CAN [=m]
Selected by [m]:
- CAN [=m] && NET [=y]
vim +/if +503 net/atm/lec.c
491
492 static int lec_atm_pre_send(struct atm_vcc *vcc, struct sk_buff *skb)
493 {
494 struct atmlec_msg *mesg;
495 u32 sizeoftlvs;
496 unsigned int msg_size = sizeof(struct atmlec_msg);
497
498 /* Must contain the base message */
499 if (skb->len < msg_size)
500 return -EINVAL;
501
502 /* Must have at least msg_size bytes in linear data */
> 503 if (!pskb_may_pull(skb, msg_size))
504 return -EINVAL;
505
506 mesg = (struct atmlec_msg *)skb->data;
507 sizeoftlvs = mesg->sizeoftlvs;
508
509 /* Validate TLVs if present */
510 if (sizeoftlvs && !pskb_may_pull(skb, msg_size + sizeoftlvs))
511 return -EINVAL;
512
513 return 0;
514 }
515
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki