Date: Thu, 01 Jan 2026 18:20:04 -0800
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Message-ID: <69572b54.050a0220.a1b6.034a.GAE@google.com>
In-Reply-To: <6954bc70.050a0220.a1b6.0310.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When pskb_expand_head() allocates a new buffer with additional headroom
(nhead), the newly allocated headroom region is not initialized. This
uninitialized memory can later be accessed when BPF programs use
bpf_skb_adjust_room() to push headers into this space.

The call chain is:

  bpf_skb_adjust_room()
  -> bpf_skb_net_grow()
  -> skb_cow_head()
  -> pskb_expand_head()          // allocates uninit headroom
  -> bpf_skb_net_hdr_push()
  -> bpf_skb_generic_push()
  -> skb_postpush_data_move()
  -> skb_data_move()             // moves uninit memory

Fix this by zeroing the new headroom region immediately after allocation
in pskb_expand_head().

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey
---
 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..875572a27e58 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2283,6 +2283,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	if (!data)
 		goto nodata;
 	size = SKB_WITH_OVERHEAD(size);
+	memset(data, 0, nhead);
 
 	/* Copy only real data... and, alas, header. This should be
 	 * optimized for the cases when header is void.
-- 
2.43.0
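Review bot: the memset(data, 0, nhead) in this hunk only initializes headroom on the reallocation path, so it is worth stating in the changelog whether the push path named in the call chain (bpf_skb_net_hdr_push -> bpf_skb_generic_push -> skb_data_move) can also run when skb_cow_head() does not need to call pskb_expand_head() because the original allocation already had enough headroom; if it can, the same uninitialized bytes would be read there and the initialization belongs in the consumer that claims the headroom rather than only here. The changelog also lacks a Fixes: tag and any note on cost: this line executes on every expand with nhead > 0, including large headroom requests, and pskb_expand_head() is a hot path, so either justify the unconditional zeroing or narrow it to the bytes the push actually claims. Finally, since the command line is "#syz test" this is a test request rather than a submission; the points above apply if it is resent as one.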
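As an added illustration that is not kernel code and not part of the patch above, the following user-space C model reproduces the bug class the changelog describes: a buffer is re-allocated with nhead extra bytes of headroom, the old payload is copied behind it, and the headroom is left as the allocator returned it, so a later push of a header into that space reads bytes nobody wrote. The names model_skb, model_expand_head, model_push_and_count_uninit and headroom_uninit_bytes are invented for this example; the 0xAA poison fill stands in for memory that KMSAN would track as uninitialized, and the zero_headroom switch contrasts the behaviour before and after the one-line fix.

```c
/* Added example (not kernel code): a user-space model of uninitialized
 * headroom after a re-allocation, and of the memset fix from the patch.
 * Uninitialized memory is simulated with a 0xAA poison fill, standing in
 * for what KMSAN reports as uninit-value. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xAA   /* marks bytes that were never written (constructed) */

struct model_skb {
    uint8_t *head;    /* start of the allocation */
    uint8_t *data;    /* start of payload: head + headroom */
    size_t   len;     /* payload length in bytes */
};

/* Allocator that hands back poisoned memory, modelling an allocator that
 * does not zero its returns (hypothetical stand-in for kmalloc). */
static uint8_t *alloc_poisoned(size_t n)
{
    uint8_t *p = malloc(n);
    if (p)
        memset(p, POISON, n);
    return p;
}

/* Model of pskb_expand_head(): grow headroom by `nhead` and copy the old
 * headroom and payload behind it. `zero_headroom` selects the behaviour
 * before (0) and after (1) the patch. Returns 0 on success, -1 on OOM. */
static int model_expand_head(struct model_skb *skb, size_t nhead, int zero_headroom)
{
    size_t headroom = (size_t)(skb->data - skb->head);
    size_t size = headroom + nhead + skb->len;
    uint8_t *data = alloc_poisoned(size);
    if (!data)
        return -1;
    if (zero_headroom)
        memset(data, 0, nhead);             /* the one-line fix */
    memcpy(data + nhead, skb->head, headroom + skb->len);
    free(skb->head);
    skb->head = data;
    skb->data = data + nhead + headroom;
    return 0;
}

/* Model of a consumer that claims `hdr_len` bytes of headroom for a new
 * header without writing them first, then counts how many of those bytes
 * are still poison, i.e. would be an uninitialized read. */
static size_t model_push_and_count_uninit(struct model_skb *skb, size_t hdr_len)
{
    size_t uninit = 0;
    skb->data -= hdr_len;                   /* like skb_push(): claim headroom */
    skb->len += hdr_len;
    for (size_t i = 0; i < hdr_len; i++)
        if (skb->data[i] == POISON)
            uninit++;
    return uninit;
}

/* End-to-end scenario: build a buffer with no headroom, expand it by 32
 * bytes, push a 16-byte header, and return how many header bytes a
 * consumer would see uninitialized for the given `fixed` setting. */
size_t headroom_uninit_bytes(int fixed)
{
    static const uint8_t payload[] = "constructed payload";  /* sample data */
    struct model_skb skb;
    size_t result = (size_t)-1;

    skb.len = sizeof(payload);
    skb.head = alloc_poisoned(skb.len);
    if (!skb.head)
        return result;
    memcpy(skb.head, payload, skb.len);
    skb.data = skb.head;                    /* no headroom yet */

    if (model_expand_head(&skb, 32, fixed) == 0)
        result = model_push_and_count_uninit(&skb, 16);
    free(skb.head);
    return result;
}

int main(void)
{
    printf("uninitialized header bytes before fix: %zu\n", headroom_uninit_bytes(0));
    printf("uninitialized header bytes after fix:  %zu\n", headroom_uninit_bytes(1));
    return 0;
}
```

Without the zeroing, every one of the 16 header bytes the consumer claims is still poison; with it, none are. The model also makes the reviewer's cost question visible: the fix zeroes all nhead bytes even though the push only ever touches hdr_len of them.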