From: Jakub Kicinski <kuba@kernel.org>
To: Prithvi Tambewagh <activprithvi@gmail.com>
Cc: davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
horms@kernel.org, alexanderduyck@fb.com, chuck.lever@oracle.com,
linyunsheng@huawei.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, skhan@linuxfoundation.org,
david.hunter.linux@gmail.com, khalid@kernel.org,
linux-kernel-mentees@lists.linux.dev,
syzbot+4b8a1e4690e64b018227@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: core: Initialize new header to zero in pskb_expand_head
Date: Thu, 6 Nov 2025 16:57:32 -0800
Message-ID: <20251106165732.6ea6bd87@kernel.org>
In-Reply-To: <20251106192423.412977-1-activprithvi@gmail.com>
On Fri, 7 Nov 2025 00:54:23 +0530 Prithvi Tambewagh wrote:
> KMSAN reports uninitialized value in can_receive(). The crash trace shows
> the uninitialized value was created in pskb_expand_head(). This function
> expands header of a socket buffer using kmalloc_reserve() which doesn't
> zero-initialize the memory. When old packet data is copied to the new
> buffer at an offset of data+nhead, new header area (first nhead bytes of
> the new buffer) are left uninitialized. This is fixed by using memset()
> to zero-initialize this header of the new buffer.
It's caller's responsibility to initialize the skb data, please leave
the core alone..
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 6841e61a6bd0..3486271260ac 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -2282,6 +2282,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
> */
> memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
>
> + memset(data, 0, size);
We just copied the data in there, and now you're zeroing it.
> memcpy((struct skb_shared_info *)(data + size),
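Review bot: the added memset(data, 0, size) sits after the memcpy() into data + nhead and clears size bytes starting at data, so it covers the region the preceding line just filled and wipes the copied header and packet bytes. The commit message identifies only the first nhead bytes as uninitialized, so a change matching that description would be limited to memset(data, 0, nhead); given the reply above, the initialization belongs in the caller that requested the extra headroom and then read it, not in pskb_expand_head().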
--
pw-bot: cr
Thread overview:
2025-11-06 19:24 [PATCH] net: core: Initialize new header to zero in pskb_expand_head Prithvi Tambewagh
2025-11-07 0:57 ` Jakub Kicinski [this message]
2025-11-07 17:54 ` Shuah Khan
2025-11-11 7:40 ` kernel test robot