Re: [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head()

Next message: Alexandre Courbot: "[PATCH FOR REFERENCE v3 6/6] gpu: nova-core: use the kernel `register!` macro"
Previous message: Jiebing Chen: "Re: [PATCH v6 3/5] ASoC: meson: g12a-toacodec: Add S4 tocodec driver"
In reply to: Soham Metha: "[PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Mon Jan 26 2026 - 08:29:21 EST

On Mon, Jan 26, 2026 at 2:22 PM Soham Metha <sohammetha01@xxxxxxxxx> wrote:
>
> pskb_expand_head() allocates a new skb data buffer using
> kmalloc_reserve(), which does not initialize memory. skb helpers may
> later copy or move padding bytes from the buffer.
>
> Initialize the newly allocated skb buffer to avoid propagating
> uninitialized memory.
>
> Reported-by: syzbot+619b9ef527f510a57cfc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
> Tested-by: syzbot+619b9ef527f510a57cfc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Soham Metha <sohammetha01@xxxxxxxxx>
> ---
>
> v2:
> - No code changes
> - Resent to netdev list
> - Added Closes tag
> - Added Tested-by tag
>
> net/core/skbuff.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index a56133902c0d..b0f0d3a0310b 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -2282,6 +2282,9 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
> data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
> if (!data)
> goto nodata;
> +
> + memset(data, 0, size);
> +
>

Certainly not.

You might wonder why we have GFP_ZERO ?

Answer : we do not generally want to pay the price of zeroing memory
_unless_ absolutely needed.

Fix the caller instead, ie root-cause the issue, thank you