[PATCH v3 0/2] net: sched: initialize struct tc_ife to fix kernel-infoleak

[PATCH v3 0/2] net: sched: initialize struct tc_ife to fix kernel-infoleak

[Ranganath V N]

This series addresses the uninitialization of the struct which has 
2 btes of padding. And copying this uninitialized data to userspace
can leak info from kernel memory.

This sereies ensure all members and padding are cleared prior to 
begin copied.

This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.

Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
Changes in v3:
- updated the commit messages and subject.
- corrected the code misisng ";" in v2
- Link to v2: https://lore.kernel.org/r/20251101-infoleak-v2-0-01a501d41c09@gmail.com 

Changes in v2:
- removed memset(&t, 0, sizeof(t)) from previous patch.
- added the new patch series to address the issue.
- Link to v1: https://lore.kernel.org/r/20251031-infoleak-v1-1-9f7250ee33aa@gmail.com

Ranganath V N (2):
  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
  net: sched: act_ife: initialize struct tc_ife to fix KMSAN
    kernel-infoleak

 net/sched/act_connmark.c | 12 +++++++-----
 net/sched/act_ife.c      | 12 +++++++-----
 2 files changed, 14 insertions(+), 10 deletions(-)

-- 
2.43.0

[PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

[Ranganath V N]

In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.

Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
 net/sched/act_connmark.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
index 3e89927d7116..2aaaaee9b6bb 100644
--- a/net/sched/act_connmark.c
+++ b/net/sched/act_connmark.c
@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
 	const struct tcf_connmark_info *ci = to_connmark(a);
 	unsigned char *b = skb_tail_pointer(skb);
 	const struct tcf_connmark_parms *parms;
-	struct tc_connmark opt = {
-		.index   = ci->tcf_index,
-		.refcnt  = refcount_read(&ci->tcf_refcnt) - ref,
-		.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
-	};
+	struct tc_connmark opt;
 	struct tcf_t t;
 
+	memset(&opt, 0, sizeof(opt));
+
+	index   = ci->tcf_index;
+	refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
+	bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
+
 	rcu_read_lock();
 	parms = rcu_dereference(ci->parms);
 
-- 
2.43.0

Re: [PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

[Simon Horman]

On Fri, Nov 07, 2025 at 01:26:33AM +0530, Ranganath V N wrote:
> In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
> designatied initializer. While the padding bytes are reamined
> uninitialized. nla_put() copies the entire structure into a
> netlink message, these uninitialized bytes leaked to userspace.
> 
> Initialize the structure with memset before assigning its fields
> to ensure all members and padding are cleared prior to beign copied.
> 
> Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>

Hi Ranganath,

Sorry for not noticing in my review of v2, but as this series fixes bugs in
code present in net it should be targeted at net.  This is done by
including net in the subject of each email, like this:

Subject: [PATCh net v3 1/2] ...

And this patch should have a fixes tag (patch 2/2 already has one).

Fixes: 22a5dc0e5e3e ("net: sched: Introduce connmark action")

Also, when posting v4, please be sure to wait until 24h have
elapsed since the posting of v3.

For more information about the above please see
https://docs.kernel.org/process/maintainer-netdev.html

> ---
>  net/sched/act_connmark.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
> index 3e89927d7116..2aaaaee9b6bb 100644
> --- a/net/sched/act_connmark.c
> +++ b/net/sched/act_connmark.c
> @@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
>  	const struct tcf_connmark_info *ci = to_connmark(a);
>  	unsigned char *b = skb_tail_pointer(skb);
>  	const struct tcf_connmark_parms *parms;
> -	struct tc_connmark opt = {
> -		.index   = ci->tcf_index,
> -		.refcnt  = refcount_read(&ci->tcf_refcnt) - ref,
> -		.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
> -	};
> +	struct tc_connmark opt;
>  	struct tcf_t t;
>  
> +	memset(&opt, 0, sizeof(opt));
> +
> +	index   = ci->tcf_index;
> +	refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
> +	bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;

I think some editing errors have crept in here,
because the above does not compile: index should be opt.index, ...

> +
>  	rcu_read_lock();
>  	parms = rcu_dereference(ci->parms);

-- 
pw-bot: changes-requested

Re: [PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

[kernel test robot]

Hi Ranganath,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.18-rc4 next-20251107]
[cannot apply to horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ranganath-V-N/net-sched-act_connmark-initialize-struct-tc_ife-to-fix-kernel-leak/20251107-035911
base:   net-next/main
patch link:    https://lore.kernel.org/r/20251106195635.2438-2-vnranganath.20%40gmail.com
patch subject: [PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
config: x86_64-rhel-9.4-kselftests (https://download.01.org/0day-ci/archive/20251108/202511080914.Sb6puKZN-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251108/202511080914.Sb6puKZN-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511080914.Sb6puKZN-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/sched/act_connmark.c: In function 'tcf_connmark_dump':
>> net/sched/act_connmark.c:203:9: error: 'index' undeclared (first use in this function)
     203 |         index   = ci->tcf_index;
         |         ^~~~~
   net/sched/act_connmark.c:203:9: note: each undeclared identifier is reported only once for each function it appears in
>> net/sched/act_connmark.c:204:9: error: 'refcnt' undeclared (first use in this function)
     204 |         refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
         |         ^~~~~~
>> net/sched/act_connmark.c:205:9: error: 'bindcnt' undeclared (first use in this function); did you mean 'bind'?
     205 |         bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
         |         ^~~~~~~
         |         bind


vim +/index +203 net/sched/act_connmark.c

   191	
   192	static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
   193					    int bind, int ref)
   194	{
   195		const struct tcf_connmark_info *ci = to_connmark(a);
   196		unsigned char *b = skb_tail_pointer(skb);
   197		const struct tcf_connmark_parms *parms;
   198		struct tc_connmark opt;
   199		struct tcf_t t;
   200	
   201		memset(&opt, 0, sizeof(opt));
   202	
 > 203		index   = ci->tcf_index;
 > 204		refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
 > 205		bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
   206	
   207		rcu_read_lock();
   208		parms = rcu_dereference(ci->parms);
   209	
   210		opt.action = parms->action;
   211		opt.zone = parms->zone;
   212		if (nla_put(skb, TCA_CONNMARK_PARMS, sizeof(opt), &opt))
   213			goto nla_put_failure;
   214	
   215		tcf_tm_dump(&t, &ci->tcf_tm);
   216		if (nla_put_64bit(skb, TCA_CONNMARK_TM, sizeof(t), &t,
   217				  TCA_CONNMARK_PAD))
   218			goto nla_put_failure;
   219		rcu_read_unlock();
   220	
   221		return skb->len;
   222	
   223	nla_put_failure:
   224		rcu_read_unlock();
   225		nlmsg_trim(skb, b);
   226		return -1;
   227	}
   228	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

[PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak

[Ranganath V N]

Fix a KMSAN kernel-infoleak detected  by the syzbot .

[net?] KMSAN: kernel-infoleak in __skb_datagram_iter

In tcf_ife_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.

This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.

This fix has been tested and validated by syzbot. This patch closes the
bug reported at the following syzkaller link and ensures no infoleak.

Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Fixes: ef6980b6becb ("introduce IFE action")
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
 net/sched/act_ife.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 107c6d83dc5c..ff1d9d6dcc0a 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
 	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_ife_info *ife = to_ife(a);
 	struct tcf_ife_params *p;
-	struct tc_ife opt = {
-		.index = ife->tcf_index,
-		.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
-		.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
-	};
+	struct tc_ife opt;
 	struct tcf_t t;
 
+	memset(&opt, 0, sizeof(opt));
+
+	index = ife->tcf_index;
+	refcnt = refcount_read(&ife->tcf_refcnt) - ref;
+	bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
+
 	spin_lock_bh(&ife->tcf_lock);
 	opt.action = ife->tcf_action;
 	p = rcu_dereference_protected(ife->params,
-- 
2.43.0

Re: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak

[kernel test robot]

Hi Ranganath,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.18-rc4 next-20251107]
[cannot apply to horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ranganath-V-N/net-sched-act_connmark-initialize-struct-tc_ife-to-fix-kernel-leak/20251107-035911
base:   net-next/main
patch link:    https://lore.kernel.org/r/20251106195635.2438-3-vnranganath.20%40gmail.com
patch subject: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
config: s390-randconfig-r073-20251108 (https://download.01.org/0day-ci/archive/20251108/202511080954.ZMCEd0sG-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project d78e0ded5215824a63ac04fb87effd9eacf875eb)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251108/202511080954.ZMCEd0sG-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511080954.ZMCEd0sG-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/sched/act_ife.c:652:2: error: call to undeclared library function 'index' with type 'char *(const char *, int)'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
     652 |         index = ife->tcf_index;
         |         ^
   net/sched/act_ife.c:652:2: note: include the header <strings.h> or explicitly provide a declaration for 'index'
>> net/sched/act_ife.c:652:8: error: non-object type 'char *(const char *, int)' is not assignable
     652 |         index = ife->tcf_index;
         |         ~~~~~ ^
>> net/sched/act_ife.c:653:2: error: use of undeclared identifier 'refcnt'
     653 |         refcnt = refcount_read(&ife->tcf_refcnt) - ref;
         |         ^~~~~~
>> net/sched/act_ife.c:654:2: error: use of undeclared identifier 'bindcnt'
     654 |         bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
         |         ^~~~~~~
   4 errors generated.


vim +652 net/sched/act_ife.c

   640	
   641	static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
   642				int ref)
   643	{
   644		unsigned char *b = skb_tail_pointer(skb);
   645		struct tcf_ife_info *ife = to_ife(a);
   646		struct tcf_ife_params *p;
   647		struct tc_ife opt;
   648		struct tcf_t t;
   649	
   650		memset(&opt, 0, sizeof(opt));
   651	
 > 652		index = ife->tcf_index;
 > 653		refcnt = refcount_read(&ife->tcf_refcnt) - ref;
 > 654		bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
   655	
   656		spin_lock_bh(&ife->tcf_lock);
   657		opt.action = ife->tcf_action;
   658		p = rcu_dereference_protected(ife->params,
   659					      lockdep_is_held(&ife->tcf_lock));
   660		opt.flags = p->flags;
   661	
   662		if (nla_put(skb, TCA_IFE_PARMS, sizeof(opt), &opt))
   663			goto nla_put_failure;
   664	
   665		tcf_tm_dump(&t, &ife->tcf_tm);
   666		if (nla_put_64bit(skb, TCA_IFE_TM, sizeof(t), &t, TCA_IFE_PAD))
   667			goto nla_put_failure;
   668	
   669		if (!is_zero_ether_addr(p->eth_dst)) {
   670			if (nla_put(skb, TCA_IFE_DMAC, ETH_ALEN, p->eth_dst))
   671				goto nla_put_failure;
   672		}
   673	
   674		if (!is_zero_ether_addr(p->eth_src)) {
   675			if (nla_put(skb, TCA_IFE_SMAC, ETH_ALEN, p->eth_src))
   676				goto nla_put_failure;
   677		}
   678	
   679		if (nla_put(skb, TCA_IFE_TYPE, 2, &p->eth_type))
   680			goto nla_put_failure;
   681	
   682		if (dump_metalist(skb, ife)) {
   683			/*ignore failure to dump metalist */
   684			pr_info("Failed to dump metalist\n");
   685		}
   686	
   687		spin_unlock_bh(&ife->tcf_lock);
   688		return skb->len;
   689	
   690	nla_put_failure:
   691		spin_unlock_bh(&ife->tcf_lock);
   692		nlmsg_trim(skb, b);
   693		return -1;
   694	}
   695	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak

[kernel test robot]

Hi Ranganath,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.18-rc4 next-20251107]
[cannot apply to horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ranganath-V-N/net-sched-act_connmark-initialize-struct-tc_ife-to-fix-kernel-leak/20251107-035911
base:   net-next/main
patch link:    https://lore.kernel.org/r/20251106195635.2438-3-vnranganath.20%40gmail.com
patch subject: [PATCH v3 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
config: i386-buildonly-randconfig-003-20251108 (https://download.01.org/0day-ci/archive/20251108/202511080909.0OWvBSbY-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251108/202511080909.0OWvBSbY-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511080909.0OWvBSbY-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/sched/act_ife.c: In function 'tcf_ife_dump':
>> net/sched/act_ife.c:652:9: error: 'index' undeclared (first use in this function)
     652 |         index = ife->tcf_index;
         |         ^~~~~
   net/sched/act_ife.c:652:9: note: each undeclared identifier is reported only once for each function it appears in
>> net/sched/act_ife.c:653:9: error: 'refcnt' undeclared (first use in this function)
     653 |         refcnt = refcount_read(&ife->tcf_refcnt) - ref;
         |         ^~~~~~
>> net/sched/act_ife.c:654:9: error: 'bindcnt' undeclared (first use in this function); did you mean 'bind'?
     654 |         bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
         |         ^~~~~~~
         |         bind


vim +/index +652 net/sched/act_ife.c

   640	
   641	static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
   642				int ref)
   643	{
   644		unsigned char *b = skb_tail_pointer(skb);
   645		struct tcf_ife_info *ife = to_ife(a);
   646		struct tcf_ife_params *p;
   647		struct tc_ife opt;
   648		struct tcf_t t;
   649	
   650		memset(&opt, 0, sizeof(opt));
   651	
 > 652		index = ife->tcf_index;
 > 653		refcnt = refcount_read(&ife->tcf_refcnt) - ref;
 > 654		bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
   655	
   656		spin_lock_bh(&ife->tcf_lock);
   657		opt.action = ife->tcf_action;
   658		p = rcu_dereference_protected(ife->params,
   659					      lockdep_is_held(&ife->tcf_lock));
   660		opt.flags = p->flags;
   661	
   662		if (nla_put(skb, TCA_IFE_PARMS, sizeof(opt), &opt))
   663			goto nla_put_failure;
   664	
   665		tcf_tm_dump(&t, &ife->tcf_tm);
   666		if (nla_put_64bit(skb, TCA_IFE_TM, sizeof(t), &t, TCA_IFE_PAD))
   667			goto nla_put_failure;
   668	
   669		if (!is_zero_ether_addr(p->eth_dst)) {
   670			if (nla_put(skb, TCA_IFE_DMAC, ETH_ALEN, p->eth_dst))
   671				goto nla_put_failure;
   672		}
   673	
   674		if (!is_zero_ether_addr(p->eth_src)) {
   675			if (nla_put(skb, TCA_IFE_SMAC, ETH_ALEN, p->eth_src))
   676				goto nla_put_failure;
   677		}
   678	
   679		if (nla_put(skb, TCA_IFE_TYPE, 2, &p->eth_type))
   680			goto nla_put_failure;
   681	
   682		if (dump_metalist(skb, ife)) {
   683			/*ignore failure to dump metalist */
   684			pr_info("Failed to dump metalist\n");
   685		}
   686	
   687		spin_unlock_bh(&ife->tcf_lock);
   688		return skb->len;
   689	
   690	nla_put_failure:
   691		spin_unlock_bh(&ife->tcf_lock);
   692		nlmsg_trim(skb, b);
   693		return -1;
   694	}
   695	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki