From: Li hongliang <1468888505@139.com>
To: gregkh@linuxfoundation.org, stable@vger.kernel.org, jk@codeconstruct.com.au
Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, matt@codeconstruct.com.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org
Subject: [PATCH 6.6.y] net: mctp: ensure our nlmsg responses are initialised
Date: Tue, 2 Jun 2026 15:36:17 +0800
Message-Id: <20260602073617.2922418-1-1468888505@139.com>

From: Jeremy Kerr

[ Upstream commit a6a9bc544b675d8b5180f2718ec985ad267b5cbf ]

Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitialised data in the pad
bytes of the ndmsg data.

Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.

Fixes: 831119f88781 ("mctp: Add neighbour netlink interface")
Fixes: 06d2f4c583a7 ("mctp: Add netlink route management")
Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
Signed-off-by: Jeremy Kerr
Reviewed-by: Simon Horman
Link: https://patch.msgid.link/20260209-dev-mctp-nlmsg-v1-1-f1e30c346a43@codeconstruct.com.au
Signed-off-by: Jakub Kicinski
Signed-off-by: Li hongliang <1468888505@139.com>
---
 net/mctp/device.c | 1 +
 net/mctp/neigh.c  | 1 +
 net/mctp/route.c  | 1 +
 3 files changed, 3 insertions(+)
diff --git a/net/mctp/device.c b/net/mctp/device.c index 8d1386601bbe..67576cb2728e 100644 --- a/net/mctp/device.c +++ b/net/mctp/device.c @@ -70,6 +70,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb, return -EMSGSIZE; =20 hdr =3D nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ifa_family =3D AF_MCTP; hdr->ifa_prefixlen =3D 0; hdr->ifa_flags =3D 0; diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c index 590f642413e4..c0151a69d2b7 100644 --- a/net/mctp/neigh.c +++ b/net/mctp/neigh.c @@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 por= tid, u32 seq, int event, return -EMSGSIZE; =20 hdr =3D nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ndm_family =3D AF_MCTP; hdr->ndm_ifindex =3D dev->ifindex; hdr->ndm_state =3D 0; // TODO other state bits? diff --git a/net/mctp/route.c b/net/mctp/route.c index a565cf2bc733..6d6e19c04939 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -1332,6 +1332,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, stru= ct mctp_route *rt, return -EMSGSIZE; =20 hdr =3D nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->rtm_family =3D AF_MCTP; =20 /* we use the _len fields as a number of EIDs, rather than --=20 2.34.1
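Review bot: in the net/mctp/device.c hunk (mctp_fill_addrinfo), the two context lines that follow the new memset, `hdr->ifa_prefixlen = 0;` and `hdr->ifa_flags = 0;`, are now redundant stores. For a 6.6.y backport it is right to leave them so the hunk matches upstream, but an upstream follow-up could drop them so that the memset is visibly the single place where the header is zeroed.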
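Review bot: in the net/mctp/neigh.c hunk (mctp_fill_neigh), nothing at the call site records why the memset is there, and the per-field assignments right after it (ndm_family, ndm_ifindex, `hdr->ndm_state = 0;`) make it look removable. The commit message says the pad bytes of the ndmsg are what reached userspace uninitialised, so a one-line comment above the memset stating that it clears the pad bytes before the message is returned would keep a later cleanup from deleting it.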
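Review bot: the net/mctp/route.c hunk (mctp_fill_rtinfo) zeroes a route message header (`hdr->rtm_family = AF_MCTP;`), but the commit message lists only "the link, addr and neigh response messages" and never mentions route, even though the Fixes: tag for "mctp: Add netlink route management" points here. Worth raising upstream so the description matches the three functions actually touched. In this function only rtm_family is visibly assigned right after the memset, so the memset here does real work for every other header field, not just padding.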