Merge branch 'net-sched-initialize-struct-tc_ife-to-fix-kernel-infoleak'

Paolo Abeni · Paolo Abeni · commit 02e9578c3e47 · 2025-11-11T15:00:11.000+01:00
Ranganath says: ==================== net: sched: initialize struct tc_ife to fix kernel-infoleak This series addresses the uninitialization of the struct which has 2 bytes of padding. And copying this uninitialized data to userspace can leak info from kernel memory. This series ensures all members and padding are cleared prior to begin copied. This change silences the KMSAN report and prevents potential information leaks from the kernel memory. v3: https://lore.kernel.org/lkml/20251106195635.2438-1-vnranganath.20@gmail.com/#t v2: https://lore.kernel.org/r/20251101-infoleak-v2-0-01a501d41c09@gmail.com v1: https://lore.kernel.org/r/20251031-infoleak-v1-1-9f7250ee33aa@gmail.com Signed-off-by: Ranganath V N <vnranganath.20@gmail.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> ==================== Link: https://patch.msgid.link/20251109091336.9277-1-vnranganath.20@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
 	const struct tcf_connmark_info *ci = to_connmark(a);
 	unsigned char *b = skb_tail_pointer(skb);
 	const struct tcf_connmark_parms *parms;
-	struct tc_connmark opt = {
-		.index   = ci->tcf_index,
-		.refcnt  = refcount_read(&ci->tcf_refcnt) - ref,
-		.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
-	};
+	struct tc_connmark opt;
 	struct tcf_t t;
 
+	memset(&opt, 0, sizeof(opt));
+
+	opt.index   = ci->tcf_index;
+	opt.refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
+	opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
+
 	rcu_read_lock();
 	parms = rcu_dereference(ci->parms);
 
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
@@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
 	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_ife_info *ife = to_ife(a);
 	struct tcf_ife_params *p;
-	struct tc_ife opt = {
-		.index = ife->tcf_index,
-		.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
-		.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
-	};
+	struct tc_ife opt;
 	struct tcf_t t;
 
+	memset(&opt, 0, sizeof(opt));
+
+	opt.index = ife->tcf_index,
+	opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
+	opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
+
 	spin_lock_bh(&ife->tcf_lock);
 	opt.action = ife->tcf_action;
 	p = rcu_dereference_protected(ife->params,
