From: Johnny Hao
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Matt Johnston, syzbot+e76d52dadc089b9d197f@syzkaller.appspotmail.com, syzbot+1065a199625a388fce60@syzkaller.appspotmail.com, Jakub Kicinski, Johnny Hao
Subject: [PATCH 5.15.y] net: mctp: Don't access ifa_index when missing
Date: Wed, 1 Apr 2026 08:44:41 +0800
Message-Id: <20260401004441.3928950-1-johnny_haocn@sina.com>

From: Matt Johnston

[ Upstream commit f11cf946c0a92c560a890d68e4775723353599e1 ]

In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but
only when the struct ifaddrmsg is provided. Otherwise it will be
comparing to uninitialised memory - reproducible in the syzkaller case
from dhcpd, or busybox "ip addr show".

The kernel MCTP implementation has always filtered by ifa_index, so
existing userspace programs expecting to dump MCTP addresses must
already be passing a valid ifa_index value (either 0 or a real index).

BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380
 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824
 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309

Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
Reported-by: syzbot+e76d52dadc089b9d197f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68135815.050a0220.3a872c.000e.GAE@google.com/
Reported-by: syzbot+1065a199625a388fce60@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/681357d6.050a0220.14dd7d.000d.GAE@google.com/
Signed-off-by: Matt Johnston
Link: https://patch.msgid.link/20250508-mctp-addr-dump-v2-1-c8a53fd2dd66@codeconstruct.com.au
Signed-off-by: Jakub Kicinski
[ The context change is due to the commit 2d45eeb7d5d7
("mctp: no longer rely on net->dev_index_head[]") in v6.14
which is irrelevant to the logic of this patch. ]
Signed-off-by: Johnny Hao
---
 net/mctp/device.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/net/mctp/device.c b/net/mctp/device.c
index c00a2550e2e0..aec7ffad2666 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -99,12 +99,19 @@ static int mctp_dump_addrinfo(struct sk_buff *skb, stru= ct netlink_callback *cb) struct net_device *dev; struct ifaddrmsg *hdr; struct mctp_dev *mdev; - int ifindex; - int idx, rc; - - hdr =3D nlmsg_data(cb->nlh); - // filter by ifindex if requested - ifindex =3D hdr->ifa_index; + int idx; + int ifindex =3D 0, rc; + + /* Filter by ifindex if a header is provided */ + if (cb->nlh->nlmsg_len >=3D nlmsg_msg_size(sizeof(*hdr))) { + hdr =3D nlmsg_data(cb->nlh); + ifindex =3D hdr->ifa_index; + } else { + if (cb->strict_check) { + NL_SET_ERR_MSG(cb->extack, "mctp: Invalid header for addr dump request"= ); + return -EINVAL; + } + } =20 rcu_read_lock(); for (; mcb->h < NETDEV_HASHENTRIES; mcb->h++, mcb->idx =3D 0) { --=20 2.34.1
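
Review bot: In the new else branch of mctp_dump_addrinfo, a request with a short header and no strict_check falls through silently with ifindex left at 0, which means an unfiltered dump of every MCTP address. The commit message explains that this is the intended legacy behaviour, but the code does not say so; a one-line comment in that branch stating that a missing struct ifaddrmsg is treated as "no filter" would keep a later reader from tightening or loosening it by accident. The nested "else { if (cb->strict_check) { ... } }" can be flattened to "else if (cb->strict_check) {", which removes one indent level and one pair of braces. hdr is now assigned only when nlmsg_len covers nlmsg_msg_size(sizeof(*hdr)); the rest of the function is not visible in this hunk, so it is worth confirming that nothing after the length check reads hdr, otherwise the uninitialised access moves from the payload to the pointer itself. The declaration split into "int idx;" and "int ifindex = 0, rc;" reads oddly, since rc has nothing to do with ifindex; keeping "int idx, rc;" and adding "int ifindex = 0;" would make a smaller change.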