public inbox for linux-kernel@vger.kernel.org
* [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
@ 2025-12-31  6:02 syzbot
  2026-01-02  2:20 ` Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head() syzbot
                   ` (8 more replies)
  0 siblings, 9 replies; 12+ messages in thread
From: syzbot @ 2025-12-31  6:02 UTC (permalink / raw)
  To: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song

Hello,

syzbot found the following issue on:

HEAD commit:    3f0e9c8cefa9 Merge tag 'block-6.19-20251226' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d784fc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151f1b92580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=144f5022580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7f2d5650d243/disk-3f0e9c8c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/069034860f2d/vmlinux-3f0e9c8c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/90d1c240dc1b/bzImage-3f0e9c8c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
 bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 pskb_expand_head+0x310/0x15d0 net/core/skbuff.c:2290
 __skb_cow include/linux/skbuff.h:3853 [inline]
 skb_cow_head include/linux/skbuff.h:3887 [inline]
 bpf_skb_net_grow net/core/filter.c:3511 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 skb_data_move+0x424/0x570 include/linux/skbuff.h:-1
 skb_postpush_data_move include/linux/skbuff.h:4639 [inline]
 bpf_skb_generic_push net/core/filter.c:3267 [inline]
 bpf_skb_net_hdr_push net/core/filter.c:3305 [inline]
 bpf_skb_net_grow net/core/filter.c:3542 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x116c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4960 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
 pskb_expand_head+0x1fc/0x15d0 net/core/skbuff.c:2282
 __skb_cow include/linux/skbuff.h:3853 [inline]
 skb_cow_head include/linux/skbuff.h:3887 [inline]
 bpf_skb_net_grow net/core/filter.c:3511 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 6072 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
@ 2026-01-02  2:20 ` syzbot
  2026-01-04  2:01 ` syzbot
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-01-02  2:20 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When pskb_expand_head() allocates a new buffer with additional headroom
(nhead), the newly allocated headroom region is not initialized. This
uninitialized memory can later be accessed when BPF programs use
bpf_skb_adjust_room() to push headers into this space.

The call chain is:
  bpf_skb_adjust_room()
    -> bpf_skb_net_grow()
      -> skb_cow_head()
        -> pskb_expand_head()  // allocates uninit headroom
      -> bpf_skb_net_hdr_push()
        -> bpf_skb_generic_push()
          -> skb_postpush_data_move()
            -> skb_data_move()  // moves uninit memory

Fix this by zeroing the new headroom region immediately after allocation
in pskb_expand_head().

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..875572a27e58 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2283,6 +2283,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	if (!data)
 		goto nodata;
 	size = SKB_WITH_OVERHEAD(size);
+	memset(data, 0, nhead);
 
 	/* Copy only real data... and, alas, header. This should be
 	 * optimized for the cases when header is void.
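Review bot: `memset(data, 0, nhead)` covers only the freshly added headroom; the `memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head)` that follows this comment still copies the old headroom in from `skb->head`, so any undefined bytes already there land at `data + nhead` untouched and the `skb_data_move()` store in the report can still pick them up. Either zero `nhead + skb_headroom(skb)` bytes after the copy or copy from `skb->data` onward. Note also that this memset runs for every pskb_expand_head() caller, not only the BPF test path, so the commit message needs a cost justification.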
-- 
2.43.0



* Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
  2026-01-02  2:20 ` Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head() syzbot
@ 2026-01-04  2:01 ` syzbot
  2026-01-04  3:48 ` syzbot
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-01-04  2:01 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When pskb_expand_head() allocates a new buffer with additional headroom,
both the new headroom (nhead bytes) and the old headroom copied from the
original buffer contain uninitialized memory. This can be accessed when
BPF programs use bpf_skb_adjust_room() to push headers into this space.

The call chain is:
  bpf_skb_adjust_room()
    -> bpf_skb_net_grow()
      -> skb_cow_head()
        -> pskb_expand_head()  // allocates and copies uninit headroom
      -> bpf_skb_net_hdr_push()
        -> bpf_skb_generic_push()
          -> skb_postpush_data_move()
            -> skb_data_move()  // moves uninit memory

Fix this by zeroing both the new headroom and the copied old headroom
after the memcpy in pskb_expand_head().

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..4a41dccffc03 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2288,6 +2288,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	 * optimized for the cases when header is void.
 	 */
 	memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
+	memset(data, 0, nhead + skb_headroom(skb));
 
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb),
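Review bot: the ordering is right here (the memset follows the memcpy, so both the new `nhead` bytes and the copied old headroom end up defined), but the memset is unconditional and sits in a function every writer of a shared skb goes through, so zeroing `nhead + skb_headroom(skb)` bytes on each expansion is a cost the commit message has to justify against fixing the consumer. The report names that consumer, `skb_data_move()` reached from `bpf_skb_adjust_room()`, and a fix there or in the BPF test-run input path would leave the common path alone.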
-- 
2.43.0



* Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
  2026-01-02  2:20 ` Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head() syzbot
  2026-01-04  2:01 ` syzbot
@ 2026-01-04  3:48 ` syzbot
  2026-01-04  3:58 ` syzbot
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-01-04  3:48 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When pskb_expand_head() allocates a new buffer with additional headroom,
the memcpy copies the entire old buffer including the old headroom which
contains uninitialized memory. KMSAN detects this when the garbage data
is copied, triggering uninit-value warnings.

The call chain is:
  bpf_skb_adjust_room()
    -> bpf_skb_net_grow()
      -> skb_cow_head()
        -> pskb_expand_head()  // copies uninit old headroom
      -> bpf_skb_net_hdr_push()
        -> bpf_skb_generic_push()
          -> skb_postpush_data_move()
            -> skb_data_move()  // moves uninit memory

Fix this by:
1. Zeroing the entire headroom region (new nhead + old headroom)
2. Copying only the actual packet data (from skb->data to skb->tail)
   instead of copying from skb->head which includes garbage headroom

This ensures no uninitialized memory is ever copied while maintaining
the same buffer layout with packet data in the correct location.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/core/skbuff.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..ce3e335e4729 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2284,10 +2284,12 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 		goto nodata;
 	size = SKB_WITH_OVERHEAD(size);
 
-	/* Copy only real data... and, alas, header. This should be
-	 * optimized for the cases when header is void.
+	/* Zero the headroom to avoid copying uninit memory.
+	 * Then copy only the actual packet data.
 	 */
-	memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
+	memset(data, 0, nhead + skb_headroom(skb));
+	memcpy(data + nhead + skb_headroom(skb), skb->data,
+	       skb_tail_pointer(skb) - skb->data);
 
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb),
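Review bot: `nhead + skb_headroom(skb)` is evaluated twice in this hunk; compute it once into a local and use it for both the memset length and the memcpy destination, which also makes it obvious that `data + nhead + skb_headroom(skb)` equals the old `data + nhead + (skb->data - skb->head)` and that header offsets are preserved. The removed comment explained why the copy started at `skb->head`; the replacement should say that the old headroom bytes are dropped on purpose and that the position of `skb->data` relative to the new head is unchanged. The objection to zeroing on every expansion applies here as well.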
-- 
2.43.0



* Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
                   ` (2 preceding siblings ...)
  2026-01-04  3:48 ` syzbot
@ 2026-01-04  3:58 ` syzbot
  2026-01-14 12:09 ` Forwarded: [PATCH] net: skbuff: fix uninitialized memory use " syzbot
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-01-04  3:58 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

pskb_expand_head() copies the entire old buffer starting from skb->head,
which includes the old headroom region that may contain uninitialized
memory. KMSAN detects this during the copy and when the data is later
moved by BPF's skb_data_move().

The call chain triggering the warning is:
  bpf_skb_adjust_room()
    -> bpf_skb_net_grow()
      -> skb_cow_head()
        -> pskb_expand_head()  // copies uninit old headroom
      -> bpf_skb_net_hdr_push()
        -> bpf_skb_generic_push()
          -> skb_postpush_data_move()
            -> skb_data_move()  // moves uninit memory

Fix this by pre-initializing the entire new headroom region (nhead +
old headroom) in the new buffer before copying. This ensures the
destination bytes corresponding to headroom are defined and zero,
while keeping the original linear layout intact. The memcpy still
copies from skb->head to preserve the relative offset (skb->data -
skb->head) and all header offsets (mac_header, network_header,
transport_header) in the new buffer.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/core/skbuff.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..7e493904d47a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2284,9 +2284,10 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 		goto nodata;
 	size = SKB_WITH_OVERHEAD(size);
 
-	/* Copy only real data... and, alas, header. This should be
-	 * optimized for the cases when header is void.
+	/* Zero new and old headroom in the new buffer, then copy
+	 * original contents to preserve layout and header offsets.
 	 */
+	memset(data, 0, nhead + skb_headroom(skb));
 	memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
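Review bot: the memset is on the wrong side of the copy. `memset(data, 0, nhead + skb_headroom(skb))` runs before `memcpy(data + nhead, skb->head, ...)`, and that memcpy rewrites `data + nhead` through `data + nhead + skb_headroom(skb)` with the old headroom bytes, so the commit message's claim that the headroom bytes "are defined and zero" holds only for the first `nhead` bytes; if the old headroom was undefined, as the message itself says it may be, the copy brings it straight back. Move the memset after the memcpy (as in the previous revision) or keep copying from `skb->data` only.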
 
 	memcpy((struct skb_shared_info *)(data + size),
-- 
2.43.0



* Forwarded: [PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
                   ` (3 preceding siblings ...)
  2026-01-04  3:58 ` syzbot
@ 2026-01-14 12:09 ` syzbot
  2026-01-14 12:33 ` syzbot
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-01-14 12:09 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head()
Author: sohammetha01@gmail.com

pskb_expand_head() allocates a new skb data buffer using
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.

Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohammetha01@gmail.com>
---
#syz test

 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a56133902c0d..b658dcbe0698 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2280,6 +2280,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 		gfp_mask |= __GFP_MEMALLOC;
 
 	data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
 	if (!data)
 		goto nodata;
+	memset(data, 0, size);
 	size = SKB_WITH_OVERHEAD(size);
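Review bot: `memset(data, 0, size)` is placed before `size = SKB_WITH_OVERHEAD(size)`, so it zeroes the whole allocation, including the skb_shared_info region that the later `memcpy((struct skb_shared_info *)(data + size), skb_shinfo(skb), ...)` overwrites anyway, and it does so for every caller of pskb_expand_head(). The commit message's "skb helpers may later copy or move padding bytes" does not name the helper; the report does (`skb_data_move()` via `bpf_skb_adjust_room()`), and a fix scoped to that path would not touch the common case. The `#syz test` line also sits inside the patch body below the `---` cut; it belongs in a separate mail to syzbot, not in a patch meant for list review.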
-- 
2.34.1



* Forwarded: [PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
                   ` (4 preceding siblings ...)
  2026-01-14 12:09 ` Forwarded: [PATCH] net: skbuff: fix uninitialized memory use " syzbot
@ 2026-01-14 12:33 ` syzbot
  2026-01-14 13:56 ` Soham Metha
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-01-14 12:33 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head()
Author: sohammetha01@gmail.com

pskb_expand_head() allocates a new skb data buffer using
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.

Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohammetha01@gmail.com>
---
#syz test

 net/core/skbuff.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a56133902c0d..b0f0d3a0310b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2282,6 +2282,9 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
 	if (!data)
 		goto nodata;
+
+	memset(data, 0, size);
+
 	size = SKB_WITH_OVERHEAD(size);
 
 	/* Copy only real data... and, alas, header. This should be
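Review bot: same diff as the previous submission with blank lines added around the memset; the objection stands that `memset(data, 0, size)` zeroes the entire new allocation, shared-info area included, on every pskb_expand_head() call. If a memset is to stay at all, bound it to the region that is actually new (`nhead`, plus the copied old headroom if that is the concern) rather than the full `size`, and state in the commit message which helper reads the undefined bytes.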
-- 
2.34.1



* [PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
                   ` (5 preceding siblings ...)
  2026-01-14 12:33 ` syzbot
@ 2026-01-14 13:56 ` Soham Metha
  2026-01-14 15:06   ` [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
  2026-01-26 11:43 ` [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head() Soham Metha
  2026-03-30  2:37 ` Forwarded: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
  8 siblings, 1 reply; 12+ messages in thread
From: Soham Metha @ 2026-01-14 13:56 UTC (permalink / raw)
  To: linux-kernel-mentees
  Cc: shuah, syzbot+619b9ef527f510a57cfc, syzkaller-bugs, andrii, ast,
	bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa, kpsingh,
	linux-kernel, martin.lau, sdf, song, yonghong.song, Soham Metha

pskb_expand_head() allocates a new skb data buffer using
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.

Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohammetha01@gmail.com>
---
#syz test

 net/core/skbuff.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a56133902c0d..b0f0d3a0310b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2282,6 +2282,9 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
 	if (!data)
 		goto nodata;
+
+	memset(data, 0, size);
+
 	size = SKB_WITH_OVERHEAD(size);
 
 	/* Copy only real data... and, alas, header. This should be
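Review bot: byte-identical to the two forwarded copies above; the only change is the recipient list, which still has no netdev or net/core maintainers on it while the patch touches net/core/skbuff.c. The `#syz test` command is again embedded below the `---` cut of a list submission; keep test requests to syzbot in their own mails.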
-- 
2.34.1



* Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
  2026-01-14 13:56 ` Soham Metha
@ 2026-01-14 15:06   ` syzbot
  0 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-01-14 15:06 UTC (permalink / raw)
  To: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel-mentees, linux-kernel, martin.lau, sdf,
	shuah, sohammetha01, song, syzkaller-bugs, yonghong.song

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Tested-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com

Tested on:

commit:         c537e12d Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12188522580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15f21d9a580000

Note: testing is done by a robot and is best-effort only.


* [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head()
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
                   ` (6 preceding siblings ...)
  2026-01-14 13:56 ` Soham Metha
@ 2026-01-26 11:43 ` Soham Metha
  2026-01-26 13:26   ` Eric Dumazet
  2026-03-30  2:37 ` Forwarded: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
  8 siblings, 1 reply; 12+ messages in thread
From: Soham Metha @ 2026-01-26 11:43 UTC (permalink / raw)
  To: linux-kernel-mentees
  Cc: shuah, skhan, linux-kernel, syzbot+619b9ef527f510a57cfc,
	syzkaller-bugs, andrii, ast, bpf, daniel, eddyz87, haoluo,
	john.fastabend, jolsa, kpsingh, martin.lau, sdf, song,
	yonghong.song, Soham Metha, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, Jason Xing,
	Kuniyuki Iwashima, Michal Luczaj, Mina Almasry, Eric Biggers,
	Alexander Lobakin, netdev

pskb_expand_head() allocates a new skb data buffer using
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.

Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Tested-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohammetha01@gmail.com>
---

v2:
- No code changes
- Resent to netdev list
- Added Closes tag
- Added Tested-by tag

 net/core/skbuff.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a56133902c0d..b0f0d3a0310b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2282,6 +2282,9 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
 	if (!data)
 		goto nodata;
+
+	memset(data, 0, size);
+
 	size = SKB_WITH_OVERHEAD(size);
 
 	/* Copy only real data... and, alas, header. This should be
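Review bot: v2 records "No code changes", so the earlier points carry over: `memset(data, 0, size)` zeroes the full allocation on every pskb_expand_head() call, the hot path for every writer of a shared skb, and the Tested-by only says the reproducer no longer trips KMSAN, not that the consumer of the undefined bytes is now correct. The report's traces point at `skb_data_move()` reached through `bpf_skb_adjust_room()` from `bpf_prog_test_run_skb()`; a fix in that helper or in the test-run input validation is where to start.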
-- 
2.34.1



* Re: [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head()
  2026-01-26 11:43 ` [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head() Soham Metha
@ 2026-01-26 13:26   ` Eric Dumazet
  0 siblings, 0 replies; 12+ messages in thread
From: Eric Dumazet @ 2026-01-26 13:26 UTC (permalink / raw)
  To: Soham Metha
  Cc: linux-kernel-mentees, shuah, skhan, linux-kernel,
	syzbot+619b9ef527f510a57cfc, syzkaller-bugs, andrii, ast, bpf,
	daniel, eddyz87, haoluo, john.fastabend, jolsa, kpsingh,
	martin.lau, sdf, song, yonghong.song, David S. Miller,
	Jakub Kicinski, Paolo Abeni, Simon Horman, Jason Xing,
	Kuniyuki Iwashima, Michal Luczaj, Mina Almasry, Eric Biggers,
	Alexander Lobakin, netdev

On Mon, Jan 26, 2026 at 2:22 PM Soham Metha <sohammetha01@gmail.com> wrote:
>
> pskb_expand_head() allocates a new skb data buffer using
> kmalloc_reserve(), which does not initialize memory. skb helpers may
> later copy or move padding bytes from the buffer.
>
> Initialize the newly allocated skb buffer to avoid propagating
> uninitialized memory.
>
> Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
> Tested-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
> Signed-off-by: Soham Metha <sohammetha01@gmail.com>
> ---
>
> v2:
> - No code changes
> - Resent to netdev list
> - Added Closes tag
> - Added Tested-by tag
>
>  net/core/skbuff.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index a56133902c0d..b0f0d3a0310b 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -2282,6 +2282,9 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>         data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
>         if (!data)
>                 goto nodata;
> +
> +       memset(data, 0, size);
> +
>


Certainly not.

You might wonder why we have GFP_ZERO?

Answer: we do not generally want to pay the price of zeroing memory
_unless_ absolutely needed.

Fix the caller instead, i.e. root-cause the issue, thank you

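As an added illustration, not part of this thread and not kernel code, the following user-space C model compares the zeroing strategies from the pskb_expand_head() patches above against the grow path the report's traces show (`bpf_skb_adjust_room()` -> `skb_cow_head()` -> `pskb_expand_head()`, then `skb_data_move()`), with Eric Dumazet's objection in mind. It models `pskb_expand_head()` as the single `memcpy(data + nhead, skb->head, tail - head)` visible in the hunks, models the push step as `skb_push()` followed by a memmove of the leading `off` header bytes (an assumption about what `skb_postpush_data_move()` does; the trace names it but the thread does not show its body), and tracks a KMSAN-style defined/undefined shadow per byte. The first scenario starts from a zero-allocated headroom, which the test-run input buffer is assumed here to be; the second starts from an undefined old headroom, standing in for a generic datapath skb whose head was not zeroed. All `mskb_*` names, `run_grow` and the variant enum are the example's own.

```c
/* Added example, not kernel code: a user-space model of the sk_buff linear
 * area with a KMSAN-style shadow byte (1 = defined) per data byte. It replays
 * the pskb_expand_head() variants proposed in this thread and the grow path
 * of bpf_skb_adjust_room(), then counts undefined bytes left in [data, tail).
 * Every name below is a hypothetical model, not the kernel's own API. */
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum variant {
	V_NONE,           /* current code: memcpy from skb->head, no zeroing */
	V_ZERO_NHEAD,     /* patch 1: memset(data, 0, nhead), then memcpy */
	V_ZERO_AFTER,     /* patch 2: memcpy, then memset(data, 0, nhead + headroom) */
	V_COPY_DATA_ONLY, /* patch 3: memset headroom, memcpy from skb->data only */
	V_ZERO_BEFORE,    /* patch 4: memset(data, 0, nhead + headroom), then memcpy */
	V_ZERO_ALL,       /* patches 5-8: memset(data, 0, size), then memcpy */
};

/* data = head + headroom, tail = data + len; shadow[i] describes head[i]. */
struct mskb { uint8_t *head, *shadow; size_t headroom, len, size; };

/* Like kmalloc_reserve(): a fresh buffer is garbage and entirely undefined. */
static void mskb_alloc_buf(struct mskb *s, size_t size)
{
	s->head = malloc(size); s->shadow = calloc(size, 1);
	assert(s->head && s->shadow);
	memset(s->head, 0xAA, size);
	s->size = size;
}

static void mskb_zero(struct mskb *s, size_t off, size_t n) /* memset() under KMSAN */
{
	memset(s->head + off, 0, n);
	memset(s->shadow + off, 1, n);
}

/* `len` defined payload bytes behind `headroom` bytes that are zeroed (kzalloc-like) or not. */
static void mskb_init(struct mskb *s, size_t headroom, size_t len, int headroom_defined)
{
	mskb_alloc_buf(s, headroom + len);
	s->headroom = headroom; s->len = len;
	for (size_t i = 0; i < len; i++)
		s->head[headroom + i] = (uint8_t)i, s->shadow[headroom + i] = 1;
	if (headroom_defined)
		mskb_zero(s, 0, headroom);
}

/* pskb_expand_head(skb, nhead, 0) with the thread's variants; memcpy() copies shadow too. */
static void mskb_expand_head(struct mskb *s, size_t nhead, enum variant v)
{
	struct mskb n;
	size_t hr = s->headroom;
	mskb_alloc_buf(&n, s->size + nhead);
	if (v == V_ZERO_NHEAD)
		mskb_zero(&n, 0, nhead);
	if (v == V_ZERO_BEFORE || v == V_COPY_DATA_ONLY)
		mskb_zero(&n, 0, nhead + hr);
	if (v == V_ZERO_ALL)
		mskb_zero(&n, 0, n.size);
	if (v == V_COPY_DATA_ONLY) {  /* copy [data, tail) only */
		memcpy(n.head + nhead + hr, s->head + hr, s->len);
		memcpy(n.shadow + nhead + hr, s->shadow + hr, s->len);
	} else {                      /* copy [head, tail), old headroom included */
		memcpy(n.head + nhead, s->head, hr + s->len);
		memcpy(n.shadow + nhead, s->shadow, hr + s->len);
	}
	if (v == V_ZERO_AFTER)
		mskb_zero(&n, 0, nhead + hr);
	free(s->head); free(s->shadow);
	n.headroom = hr + nhead; n.len = s->len;
	*s = n;
}

/* bpf_skb_net_grow() as modelled here: skb_cow_head(len), skb_push(len), then
 * memmove(data, data + len, off) slides the first `off` header bytes down and
 * leaves a `len`-byte room at `off` holding old headroom bytes and stale headers. */
static void mskb_net_grow(struct mskb *s, size_t off, size_t len, enum variant v)
{
	if (s->headroom < len)
		mskb_expand_head(s, len - s->headroom, v);
	s->headroom -= len; s->len += len;
	memmove(s->head + s->headroom, s->head + s->headroom + len, off);
	memmove(s->shadow + s->headroom, s->shadow + s->headroom + len, off);
}

/* A 34-byte frame (14-byte MAC header + 20-byte payload) gets a 20-byte header
 * inserted behind the MAC header. Returns the undefined byte count in [data, tail). */
size_t run_grow(enum variant v, size_t old_headroom, int old_headroom_defined)
{
	struct mskb s;
	size_t undefined = 0;
	mskb_init(&s, old_headroom, 34, old_headroom_defined);
	mskb_net_grow(&s, 14, 20, v);
	for (size_t i = 0; i < s.len; i++)
		undefined += !s.shadow[s.headroom + i];
	for (size_t i = 0; i < 14; i++)  /* the MAC header is intact at the new data */
		assert(s.head[s.headroom + i] == (uint8_t)i);
	free(s.head); free(s.shadow);
	return undefined;
}
```

Calling `run_grow(v, 0, 1)` and `run_grow(v, 16, 0)` for each variant gives 6 undefined bytes for the unpatched code in both scenarios. Zeroing only `nhead`, zeroing before the copy (patch 4) and zeroing the whole allocation (patches 5 to 8) reach 0 in the first scenario but stay at 6 in the second, because the copy of the old headroom re-imports the undefined bytes; zeroing after the copy (patch 2) and copying from `skb->data` only (patch 3) reach 0 in both. None of this changes Eric Dumazet's point above: every variant adds work to every caller of pskb_expand_head(), and the helper that exposes headroom bytes through the inserted room is the thing to fix.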

* Forwarded: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
  2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
                   ` (7 preceding siblings ...)
  2026-01-26 11:43 ` [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head() Soham Metha
@ 2026-03-30  2:37 ` syzbot
  8 siblings, 0 replies; 12+ messages in thread
From: syzbot @ 2026-03-30  2:37 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
Author: sun.jian.kdev@gmail.com

Hi syzbot,

Please test this patch.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From 79039ad5c9cb7906225296c9a98d1c6616990fec Mon Sep 17 00:00:00 2001
From: Sun Jian <sun.jian.kdev@gmail.com>
Date: Sun, 29 Mar 2026 20:20:39 +0800
Subject: [PATCH v2] selftests/bpf: Reject malformed IPv4/IPv6 skb test input

bpf_prog_test_run_skb() derives skb->protocol from the Ethernet header
through eth_type_trans(), but it does not verify that the provided
linear input is long enough to contain the corresponding L3 base header.

This can result in an inconsistent skb being passed to test_run helpers
such as bpf_skb_adjust_room(), where inferred protocol offsets can lead
to operating on uninitialized memory, triggering KMSAN errors.

To reject such malformed test input, we check that the linear head is
sufficiently large to contain the corresponding L3 base header (IPv4
or IPv6) before running the program.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
---
v2:
 - Ensured that the linear head is large enough to accommodate the corresponding L3 base header (IPv4 or IPv6) before running the program.

Link: <https://lore.kernel.org/bpf/129d235b04aca276c0a57c7c3646ce48644458cdc85d9b92b25f405e2d58a9ae@mail.kernel.org/>

 net/bpf/test_run.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 178c4738e63b..4790bee535b9 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1118,6 +1118,25 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 	skb->protocol = eth_type_trans(skb, dev);
 	skb_reset_network_header(skb);
 
+	switch (skb->protocol) {
+	case htons(ETH_P_IP):
+		if (skb_headlen(skb) < sizeof(struct iphdr)) {
+			ret = -EINVAL;
+			goto out;
+		}
+		break;
+#if IS_ENABLED(CONFIG_IPV6)
+	case htons(ETH_P_IPV6):
+		if (skb_headlen(skb) < sizeof(struct ipv6hdr)) {
+			ret = -EINVAL;
+			goto out;
+		}
+		break;
+#endif
+	default:
+		break;
+	}
+
 	switch (skb->protocol) {
 	case htons(ETH_P_IP):
 		sk->sk_family = AF_INET;
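Review bot: the new `switch (skb->protocol)` duplicates the one immediately below it, which already has a `case htons(ETH_P_IP):`; fold the `skb_headlen()` checks into the existing cases instead of walking the protocol twice. Also confirm that the `out` label reached via `ret = -EINVAL; goto out;` releases the skb and the socket set up earlier in this function, since the hunk does not show it. `sizeof(struct iphdr)` is the base header only, so a frame carrying IPv4 options with a short linear area still passes; say in the commit message that this is a minimum-length check. Finally, the subject prefix reads `selftests/bpf:` while the file is net/bpf/test_run.c, and because the change only filters test-run input, the message should state whether `bpf_skb_adjust_room()` is considered safe for a datapath skb of the same shape.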

base-commit: cbfffcca2bf0622b601b7eaf477aa29035169184
-- 
2.43.0


