From nobody Sat Feb 7 18:16:00 2026
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Sat, 03 Jan 2026 18:01:54 -0800
In-Reply-To: <6954bc70.050a0220.a1b6.0310.GAE@google.com>
Message-ID: <6959ca12.050a0220.a1b6.0380.GAE@google.com>
Subject: Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head() Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git= master When pskb_expand_head() allocates a new buffer with additional headroom, both the new headroom (nhead bytes) and the old headroom copied from the original buffer contain uninitialized memory. This can be accessed when BPF programs use bpf_skb_adjust_room() to push headers into this space. The call chain is: bpf_skb_adjust_room() -> bpf_skb_net_grow() -> skb_cow_head() -> pskb_expand_head() // allocates and copies uninit headroom -> bpf_skb_net_hdr_push() -> bpf_skb_generic_push() -> skb_postpush_data_move() -> skb_data_move() // moves uninit memory Fix this by zeroing both the new headroom and the copied old headroom after the memcpy in pskb_expand_head(). Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D619b9ef527f510a57cfc Signed-off-by: Deepanshu Kartikey --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a00808f7be6a..4a41dccffc03 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2288,6 +2288,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, = int ntail, * optimized for the cases when header is void. */ memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head); + memset(data, 0, nhead + skb_headroom(skb)); =20 memcpy((struct skb_shared_info *)(data + size), skb_shinfo(skb), --=20 2.43.0
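Review bot: the new memset lands in pskb_expand_head(), so every caller that reallocates an skb head now pays to zero nhead + skb_headroom(skb) bytes, while the call chain in the description shows the uninitialized headroom only becomes visible through bpf_skb_net_grow() -> bpf_skb_generic_push() -> skb_data_move(); consider initializing (or having the helper fill) the pushed header region in that BPF path instead, so the generic reallocation path is unchanged. If the zeroing is kept here, the preceding line `memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);` copies the old headroom bytes that `memset(data, 0, nhead + skb_headroom(skb));` immediately overwrites; copying from skb->data onward and zeroing the whole range [data, data + nhead + skb_headroom(skb)) avoids the redundant copy, although the comment just above ("optimized for the cases when header is void") would then need revisiting. A one-line comment on the added memset stating why the headroom must be initialized would also help the next reader, since nothing in the hunk explains it.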