From: HariKrishna Sagala hariconscious@gmail.com
Syzbot reported an uninit-value bug at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")
Syzbot KMSAN reported use of uninitialized memory originating from the function "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed.
Fix this by requesting initialized memory, appending the option "__GFP_ZERO" to the gfp flags.
Reported-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388
Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()")
Tested-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
Signed-off-by: HariKrishna Sagala hariconscious@gmail.com
---
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj;
obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache,
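Review bot: `flags |= __GFP_ZERO;` is applied unconditionally right after `obj_size = SKB_HEAD_ALIGN(*size);`, ahead of both the `kmem_cache_alloc_node()` branch and the fallback allocation, so every skb linear head allocated through kmalloc_reserve() is now zeroed on the networking hot path; that is a cost paid by all traffic to hide a single consumer reading bytes it never received, and the Subject itself locates that consumer in tipc_rcv, so the missing length check or initialization belongs in tipc, not in the allocator. Zeroing the linear head also does nothing for non-linear skbs, whose paged data is not allocated here, so the same uninitialized read would remain reachable there. The Fixes: tag should also be reconsidered: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") addressed size overflow, not uninitialized data, so it is unlikely to be the commit that introduced this read.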
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opti...
Rule: add the tag "Cc: stable@vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree.
Subject: [PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv
Link: https://lore.kernel.org/stable/20250919180601.76152-1-hariconscious%40gmail....
On Fri, Sep 19, 2025 at 11:06 AM hariconscious@gmail.com wrote:
From: HariKrishna Sagala hariconscious@gmail.com
Syzbot reported an uninit-value bug at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")
Syzbot KMSAN reported use of uninitialized memory originating from the function "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed.
Fix this by requesting initialized memory, appending the option "__GFP_ZERO" to the gfp flags.
Reported-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388
Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()")
Tested-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
Signed-off-by: HariKrishna Sagala hariconscious@gmail.com
---
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj;
obj_size = SKB_HEAD_ALIGN(*size);
flags |= __GFP_ZERO;
Certainly not.
Some of us care about performance.
Moreover, the bug will still be there for non-linear skbs.
So please fix tipc.