Re: [PATCH] net: core: Initialize new header to zero in pskb_expand_head
From: Shuah Khan
Date: Fri Nov 07 2025 - 12:54:27 EST
On 11/6/25 17:57, Jakub Kicinski wrote:
On Fri, 7 Nov 2025 00:54:23 +0530 Prithvi Tambewagh wrote:
KMSAN reports an uninitialized value in can_receive(). The crash trace shows
the uninitialized value was created in pskb_expand_head(). This function
expands the header of a socket buffer using kmalloc_reserve(), which doesn't
zero-initialize the memory. When the old packet data is copied to the new
buffer at an offset of data+nhead, the new header area (the first nhead bytes of
the new buffer) is left uninitialized. This is fixed by using memset()
to zero-initialize this header of the new buffer.
It's the caller's responsibility to initialize the skb data; please leave
the core alone.
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6841e61a6bd0..3486271260ac 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2282,6 +2282,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
*/
memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
+ memset(data, 0, size);
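Review bot: The added memset(data, 0, size) is placed after the memcpy on the line above and covers the whole new buffer, so it wipes the packet bytes that were just copied to data + nhead, which would corrupt every expanded skb rather than fix the KMSAN report. If the intent is to clear only the new head room, the call would have to be memset(data, 0, nhead) and sit before the memcpy; but as the maintainer reply states, initializing header bytes is the responsibility of the caller that later pushes into that room, so the fix belongs in the CAN receive path that reads them, not in pskb_expand_head().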
We just copied the data in there, and now you're zeroing it.
Prithvi,
This type of careless coding introduces serious problems. Don't
make changes to the code without understanding it. memcpy()
is right above where you added memset() which is hard to miss.
thanks,
-- Shuah