Re: [PATCH net v2] rds: tcp: fix uninit-value in __inet_bind

From: Charalampos Mitrodimas

Date: Tue Feb 17 2026 - 09:09:45 EST


Tabrez Ahmed <tabreztalks@xxxxxxxxx> writes:

> KMSAN reported an uninit-value access in __inet_bind() when binding
> an RDS TCP socket.
>
> The uninitialized memory originates from rds_tcp_conn_alloc(),
> which uses kmem_cache_alloc() to allocate the rds_tcp_connection structure.
>
> Specifically, the field 't_client_port_group' is incremented in
> rds_tcp_conn_path_connect() without being initialized first:
>
> if (++tc->t_client_port_group >= port_groups)
>
> Since kmem_cache_alloc() does not zero the memory, this field contains
> garbage, leading to the KMSAN report.
>
> Fix this by using kmem_cache_zalloc() to ensure the structure is
> zero-initialized upon allocation.
>
> Reported-by: syzbot+aae646f09192f72a68dc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=aae646f09192f72a68dc
> Tested-by: syzbot+aae646f09192f72a68dc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: a20a6992558f ("net/rds: Encode cp_index in TCP source port")
>
> Signed-off-by: Tabrez Ahmed <tabreztalks@xxxxxxxxx>
> ---

Reviewed-by: Charalampos Mitrodimas <charmitro@xxxxxxxxxx>

--
C. Mitrodimas
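The mechanism the commit message describes, as an added userland model (not code from the patch, the RDS TCP code or the kernel): a one-slot "slab" recycles memory without clearing it, so a field that the previous owner advanced is inherited by the next connection when it is allocated with a non-zeroing allocator. `struct conn`, `PORT_GROUPS`, the single-slot cache and the wrap back to 0 after the quoted `if (++tc->t_client_port_group >= port_groups)` are all assumptions made for the example; the email shows only the condition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct rds_tcp_connection; only the field named
 * in the report is modelled. */
struct conn {
    uint32_t t_client_port_group;
};

/* Assumed value; the real port_groups is computed by the RDS TCP code. */
#define PORT_GROUPS 8

/* A one-slot "slab": like kmem_cache_alloc(), it hands the slot back without
 * clearing whatever the previous owner left in it. */
static struct conn slab_slot;
static int slab_in_use;

static struct conn *cache_alloc(void)
{
    if (slab_in_use)
        return NULL;
    slab_in_use = 1;
    return &slab_slot;               /* contents are stale, not zero */
}

static struct conn *cache_zalloc(void)
{
    struct conn *c = cache_alloc();
    if (c)
        memset(c, 0, sizeof(*c));    /* what kmem_cache_zalloc() adds */
    return c;
}

static void cache_free(struct conn *c)
{
    (void)c;
    slab_in_use = 0;                 /* slot recycled, contents untouched */
}

/* Model of the selection in rds_tcp_conn_path_connect(): the quoted
 * condition, followed by an assumed wrap back to group 0. */
static uint32_t next_port_group(struct conn *tc)
{
    if (++tc->t_client_port_group >= PORT_GROUPS)
        tc->t_client_port_group = 0;
    return tc->t_client_port_group;
}

/* Scenario: a first connection occupies the slot, advances its port group to
 * `prev` and is freed; a fresh connection is then allocated from the same
 * slot with the given allocator. Returns the first port group the new
 * connection picks. With cache_alloc the answer depends on `prev`, i.e. on
 * memory the new connection never wrote; with cache_zalloc it is always 1. */
static uint32_t first_group_after_reuse(struct conn *(*alloc)(void), uint32_t prev)
{
    struct conn *old = cache_zalloc();
    old->t_client_port_group = prev;
    cache_free(old);

    struct conn *tc = alloc();
    uint32_t g = next_port_group(tc);
    cache_free(tc);
    return g;
}

int main(void)
{
    printf("kmem_cache_alloc  : first port group = %u (inherited from the freed connection)\n",
           first_group_after_reuse(cache_alloc, 5));
    printf("kmem_cache_zalloc : first port group = %u (deterministic)\n",
           first_group_after_reuse(cache_zalloc, 5));
    return 0;
}
```

The userland model cannot reproduce the KMSAN report itself; KMSAN tracks a shadow bit per byte and flags the `++` because the slab allocator never wrote those bytes. The point the example does show is why the report is a real bug rather than instrumentation noise: the port group a new connection starts from is a function of the previous occupant of the slab object.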