Re: [PATCH net v4 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak

[Jamal Hadi Salim]

On Sun, Dec 14, 2025 at 4:38 PM Vitaly Chikunov <vt@xxxxxxxxxxxx> wrote:
>
> Jamal, and linux-rt-devel,
>
> On Fri, Dec 12, 2025 at 11:29:24AM -0500, Jamal Hadi Salim wrote:
> > On Fri, Dec 12, 2025 at 11:26 AM Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote:
> > >
> > > On Thu, Dec 11, 2025 at 7:54 PM Vitaly Chikunov <vt@xxxxxxxxxxxx> wrote:
> > > >
> > > > On Sun, Nov 09, 2025 at 02:43:36PM +0530, Ranganath V N wrote:
> > > > > Fix a KMSAN kernel-infoleak detected  by the syzbot .
> > > > >
> > > > > [net?] KMSAN: kernel-infoleak in __skb_datagram_iter
> > > > >
> > > > > In tcf_ife_dump(), the variable 'opt' was partially initialized using a
> > > > > designatied initializer. While the padding bytes are reamined
> > > > > uninitialized. nla_put() copies the entire structure into a
> > > > > netlink message, these uninitialized bytes leaked to userspace.
> > > > >
> > > > > Initialize the structure with memset before assigning its fields
> > > > > to ensure all members and padding are cleared prior to beign copied.
> > > > >
> > > > > This change silences the KMSAN report and prevents potential information
> > > > > leaks from the kernel memory.
> > > > >
> > > > > This fix has been tested and validated by syzbot. This patch closes the
> > > > > bug reported at the following syzkaller link and ensures no infoleak.
> > > > >
> > > > > Reported-by: syzbot+0c85cae3350b7d486aee@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > > > Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
> > > > > Tested-by: syzbot+0c85cae3350b7d486aee@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > > > Fixes: ef6980b6becb ("introduce IFE action")
> > > > > Signed-off-by: Ranganath V N <vnranganath.20@xxxxxxxxx>
> > > > > ---
> > > > >  net/sched/act_ife.c | 12 +++++++-----
> > > > >  1 file changed, 7 insertions(+), 5 deletions(-)
> > > > >
> > > > > diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
> > > > > index 107c6d83dc5c..7c6975632fc2 100644
> > > > > --- a/net/sched/act_ife.c
> > > > > +++ b/net/sched/act_ife.c
> > > > > @@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
> > > > >       unsigned char *b = skb_tail_pointer(skb);
> > > > >       struct tcf_ife_info *ife = to_ife(a);
> > > > >       struct tcf_ife_params *p;
> > > > > -     struct tc_ife opt = {
> > > > > -             .index = ife->tcf_index,
> > > > > -             .refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> > > > > -             .bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
> > > > > -     };
> > > > > +     struct tc_ife opt;
> > > > >       struct tcf_t t;
> > > > >
> > > > > +     memset(&opt, 0, sizeof(opt));
> > > > > +
> > > > > +     opt.index = ife->tcf_index,
> > > > > +     opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> > > > > +     opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
> > > >
> > > > Are you sure this is correct to delimit with commas instead of
> > > > semicolons?
> > > >
> > > > This already causes build failures of 5.10.247-rt141 kernel, because
> > > > their spin_lock_bh unrolls into do { .. } while (0):
> > > >
> > >
> > > Do you have access to this?
> > > commit 205305c028ad986d0649b8b100bab6032dcd1bb5
> > > Author: Chen Ni <nichen@xxxxxxxxxxx>
> > > Date:   Wed Nov 12 15:27:09 2025 +0800
> > >
> > >     net/sched: act_ife: convert comma to semicolon
> > >
> >
> > Sigh. I see the problem: that patch did not have a Fixes tag;
> > otherwise, it would have been backported.
>
> Thanks! I will pick this for the local builds. But, perhaps, someone
> should send it to stable@xxxxxxxxxx to fix the older -rt kernels too.
>

+ @stable
Not sure if this is enough. Let me know if @stable needs something more formal.

cheers,
jamal