From nobody Sat Feb 7 18:15:40 2026
Date: Sat, 03 Jan 2026 19:58:41 -0800
X-Mailing-List: linux-kernel@vger.kernel.org
In-Reply-To: <6954bc70.050a0220.a1b6.0310.GAE@google.com>
Message-ID: <6959e571.050a0220.a1b6.0381.GAE@google.com>
Subject: Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

pskb_expand_head() copies the entire old buffer starting from skb->head, which includes the old headroom region that may contain uninitialized memory. KMSAN detects this during the copy and when the data is later moved by BPF's skb_data_move().

The call chain triggering the warning is:

bpf_skb_adjust_room()
  -> bpf_skb_net_grow()
    -> skb_cow_head()
      -> pskb_expand_head()      // copies uninit old headroom
    -> bpf_skb_net_hdr_push()
      -> bpf_skb_generic_push()
        -> skb_postpush_data_move()
          -> skb_data_move()     // moves uninit memory

Fix this by pre-initializing the entire new headroom region (nhead + old headroom) in the new buffer before copying. This ensures the destination bytes corresponding to headroom are defined and zero, while keeping the original linear layout intact. The memcpy still copies from skb->head to preserve the relative offset (skb->data - skb->head) and all header offsets (mac_header, network_header, transport_header) in the new buffer.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey
---
 net/core/skbuff.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..7e493904d47a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2284,9 +2284,10 @@ int pskb_expand_head(struct sk_buff *skb, int nhead,= int ntail, goto nodata; size =3D SKB_WITH_OVERHEAD(size); =20 - /* Copy only real data... and, alas, header. This should be - * optimized for the cases when header is void. + /* Zero new and old headroom in the new buffer, then copy + * original contents to preserve layout and header offsets. */ + memset(data, 0, nhead + skb_headroom(skb)); memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head); =20 memcpy((struct skb_shared_info *)(data + size), --=20 2.43.0
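Review bot: The memset of the old headroom in this hunk is undone by the very next line. memset(data, 0, nhead + skb_headroom(skb)) zeroes data[0 .. nhead + headroom), but the unchanged memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head) then copies the old headroom (skb->head .. skb->data) back over data[nhead .. nhead + headroom), uninitialised contents and KMSAN poison included. Only the nhead bytes of genuinely new headroom end up defined, so the commit message's claim that "the destination bytes corresponding to headroom are defined and zero" does not hold for the old headroom, and the skb_data_move() step in the reported chain will still see poisoned bytes there. To make the whole headroom defined, keep the memset but copy only the linear data, e.g. memcpy(data + nhead + skb_headroom(skb), skb->data, skb_headlen(skb)); skb->data - skb->head and the mac/network/transport header offsets are still preserved because the destination offset is unchanged, and this is exactly what the deleted comment ("should be optimized for the cases when header is void") was asking for. The new comment should also say why the zeroing is needed (KMSAN, BPF moving headroom bytes) rather than just what it does, and the commit message should mention the cost: every pskb_expand_head() call now clears nhead + old headroom bytes in a hot path, which is not free when nhead is large.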
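The headroom copy the commit message describes, and the interaction between the added memset and the existing memcpy, can be checked outside the kernel with a small model. The following is an added example, not code from the patch or from net/core/skbuff.c: struct skb_model, the STALE/FRESH sentinel bytes and the enum strategy names are all invented here, and the model ignores shared info, frags and refcounting. Since there is no KMSAN in userspace, stale bytes in the old headroom are simulated with a 0xCC fill and the fresh allocation with 0xAA, so "uninitialised" bytes can be counted after the copy. The three strategies are mainline's copy-from-head, the patch's memset-then-copy-from-head, and memset-then-copy-from-data.

```c
/*
 * Toy model of the linear-buffer copy in pskb_expand_head().
 * Added example, not kernel code; all names below are invented here.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xCC /* stands in for uninitialised bytes in the old headroom */
#define FRESH 0xAA /* stands in for whatever the allocator hands back for the new buffer */

struct skb_model {
    unsigned char *head;  /* start of the allocation */
    unsigned char *data;  /* start of packet data; head..data is the headroom */
    unsigned char *tail;  /* end of packet data */
    size_t alloc;         /* bytes allocated at head */
};

enum strategy {
    COPY_FROM_HEAD,           /* mainline: memcpy(data + nhead, head, tail - head) */
    ZERO_THEN_COPY_FROM_HEAD, /* the patch: memset(nhead + headroom) then the same memcpy */
    ZERO_THEN_COPY_FROM_DATA  /* memset(nhead + headroom) then copy only data..tail */
};

/* Constructed input: `headroom` stale bytes followed by `len` data bytes 0..len-1. */
static struct skb_model make_skb(size_t headroom, size_t len)
{
    struct skb_model skb;
    skb.alloc = headroom + len;
    skb.head = malloc(skb.alloc);
    memset(skb.head, STALE, headroom);
    skb.data = skb.head + headroom;
    for (size_t i = 0; i < len; i++)
        skb.data[i] = (unsigned char)i;
    skb.tail = skb.data + len;
    return skb;
}

/* Grow the headroom by nhead bytes using the chosen strategy. */
static struct skb_model expand_head(const struct skb_model *old, size_t nhead, enum strategy s)
{
    size_t headroom = (size_t)(old->data - old->head);
    size_t headlen = (size_t)(old->tail - old->data);
    struct skb_model nw;

    nw.alloc = nhead + old->alloc;
    nw.head = malloc(nw.alloc);
    memset(nw.head, FRESH, nw.alloc);         /* model an uninitialised allocation */
    if (s != COPY_FROM_HEAD)
        memset(nw.head, 0, nhead + headroom); /* the patch's memset */
    if (s == ZERO_THEN_COPY_FROM_DATA)
        memcpy(nw.head + nhead + headroom, old->data, headlen);
    else
        memcpy(nw.head + nhead, old->head, headroom + headlen);
    nw.data = nw.head + nhead + headroom;     /* same data - head offset plus nhead */
    nw.tail = nw.data + headlen;
    return nw;
}

struct result {
    size_t stale;   /* STALE bytes left in the new buffer's old-headroom region */
    int layout_ok;  /* offsets and payload survived the expansion */
};

static struct result run(size_t headroom, size_t len, size_t nhead, enum strategy s)
{
    struct skb_model old = make_skb(headroom, len);
    struct skb_model nw = expand_head(&old, nhead, s);
    struct result r = { 0, 1 };

    /* The old headroom now lives at nw.head + nhead .. nw.head + nhead + headroom. */
    for (size_t i = 0; i < headroom; i++)
        if (nw.head[nhead + i] == STALE)
            r.stale++;
    if ((size_t)(nw.data - nw.head) != nhead + headroom || memcmp(nw.data, old.data, len) != 0)
        r.layout_ok = 0;

    free(old.head);
    free(nw.head);
    return r;
}

/* How many stale old-headroom bytes survive into the new buffer. */
size_t stale_after(size_t headroom, size_t len, size_t nhead, enum strategy s)
{
    return run(headroom, len, nhead, s).stale;
}

/* 1 if skb->data - skb->head and the payload are preserved, else 0. */
int layout_after(size_t headroom, size_t len, size_t nhead, enum strategy s)
{
    return run(headroom, len, nhead, s).layout_ok;
}

int main(void)
{
    const char *names[] = { "copy from head", "zero, then copy from head", "zero, then copy from data" };
    for (int s = COPY_FROM_HEAD; s <= ZERO_THEN_COPY_FROM_DATA; s++)
        printf("%-26s stale headroom bytes: %zu  layout ok: %d\n", names[s],
               stale_after(16, 32, 64, (enum strategy)s), layout_after(16, 32, 64, (enum strategy)s));
    return 0;
}
```

All three strategies keep the data offset and payload intact, which is the property the commit message is careful about; the difference is only in what the old headroom region contains afterwards, and the memset-then-copy-from-head ordering leaves it exactly as stale as mainline.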