From: Shuah Khan <skhan@linuxfoundation.org>
To: Jakub Kicinski <kuba@kernel.org>,
Prithvi Tambewagh <activprithvi@gmail.com>
Cc: davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
horms@kernel.org, alexanderduyck@fb.com, chuck.lever@oracle.com,
linyunsheng@huawei.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, david.hunter.linux@gmail.com,
khalid@kernel.org, linux-kernel-mentees@lists.linux.dev,
syzbot+4b8a1e4690e64b018227@syzkaller.appspotmail.com,
Shuah Khan <skhan@linuxfoundation.org>
Subject: Re: [PATCH] net: core: Initialize new header to zero in pskb_expand_head
Date: Fri, 7 Nov 2025 10:54:24 -0700
Message-ID: <e45ac35b-8cb3-42c0-b5dc-d4c718ee0d9d@linuxfoundation.org>
In-Reply-To: <20251106165732.6ea6bd87@kernel.org>

On 11/6/25 17:57, Jakub Kicinski wrote:
> On Fri, 7 Nov 2025 00:54:23 +0530 Prithvi Tambewagh wrote:
>> KMSAN reports uninitialized value in can_receive(). The crash trace shows
>> the uninitialized value was created in pskb_expand_head(). This function
>> expands header of a socket buffer using kmalloc_reserve() which doesn't
>> zero-initialize the memory. When old packet data is copied to the new
>> buffer at an offset of data+nhead, new header area (first nhead bytes of
>> the new buffer) are left uninitialized. This is fixed by using memset()
>> to zero-initialize this header of the new buffer.
>
> It's caller's responsibility to initialize the skb data, please leave
> the core alone..
>
>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>> index 6841e61a6bd0..3486271260ac 100644
>> --- a/net/core/skbuff.c
>> +++ b/net/core/skbuff.c
>> @@ -2282,6 +2282,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>> */
>> memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
>>
>> + memset(data, 0, size);
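Review bot: memset(data, 0, size), added directly after the memcpy(), starts at data and runs for size bytes, so it also clears the bytes at data + nhead that the memcpy() just copied from skb->head. The commit message describes only the first nhead bytes of the new buffer as left uninitialized, so if anything is cleared here the range should be limited to that headroom, e.g. memset(data, 0, nhead), leaving the copied packet data intact.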
>
> We just copied the data in there, and now you're zeroing it.

Prithvi,

This type of careless coding introduces serious problems. Don't
make changes to the code without understanding it. memcpy()
is right above where you added memset() which is hard to miss.

thanks,
-- Shuah