From 8bd556f451dc7ec994447b648b60af4604cc0124 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 22 Aug 2018 13:48:35 +0200
Subject: [PATCH] 4.17-stable patches
added patches:
 net-smc-no-shutdown-in-state-smc_listen.patch
 netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
 packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
 parisc-remove-ordered-stores-from-syscall.s.patch
 parisc-remove-unnecessary-barriers-from-spinlock.h.patch
 xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
---
 ...-smc-no-shutdown-in-state-smc_listen.patch | 35 ++++++
 ...syncack-as-invalid-if-no-prior-state.patch | 61 ++++++++++
 ...v3-block-size-test-to-hold-one-frame.patch | 66 ++++++++++
 ...remove-ordered-stores-from-syscall.s.patch | 105 ++++++++++++++++
 ...unnecessary-barriers-from-spinlock.h.patch | 72 +++++++++++
 queue-4.17/series | 6 +
 ...ent-leaking-2-bytes-of-kernel-memory.patch | 115 ++++++++++++++++++
 7 files changed, 460 insertions(+)
 create mode 100644 queue-4.17/net-smc-no-shutdown-in-state-smc_listen.patch
 create mode 100644 queue-4.17/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
 create mode 100644 queue-4.17/packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
 create mode 100644 queue-4.17/parisc-remove-ordered-stores-from-syscall.s.patch
 create mode 100644 queue-4.17/parisc-remove-unnecessary-barriers-from-spinlock.h.patch
 create mode 100644 queue-4.17/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
diff --git a/queue-4.17/net-smc-no-shutdown-in-state-smc_listen.patch b/queue-4.17/net-smc-no-shutdown-in-state-smc_listen.patch
new file mode 100644
index 00000000000..e2f80d0a889
--- /dev/null
+++ b/queue-4.17/net-smc-no-shutdown-in-state-smc_listen.patch
@@ -0,0 +1,35 @@
+From caa21e19e08d7a1445116a93f7ab4e187ebbbadb Mon Sep 17 00:00:00 2001
+From: Ursula Braun
+Date: Wed, 8 Aug 2018 14:13:19 +0200
+Subject: net/smc: no shutdown in state SMC_LISTEN
+
+From: Ursula Braun
+
+commit caa21e19e08d7a1445116a93f7ab4e187ebbbadb upstream.
+
+Invoking shutdown for a socket in state SMC_LISTEN does not make
+sense. Nevertheless programs like syzbot fuzzing the kernel may
+try to do this. For SMC this means a socket refcounting problem.
+This patch makes sure a shutdown call for an SMC socket in state
+SMC_LISTEN simply returns with -ENOTCONN.
+
+Signed-off-by: Ursula Braun
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/smc/af_smc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1231,8 +1231,7 @@ static int smc_shutdown(struct socket *s
+ lock_sock(sk);
+
+ rc = -ENOTCONN;
+- if ((sk->sk_state != SMC_LISTEN) &&
+- (sk->sk_state != SMC_ACTIVE) &&
++ if ((sk->sk_state != SMC_ACTIVE) &&
+ (sk->sk_state != SMC_PEERCLOSEWAIT1) &&
+ (sk->sk_state != SMC_PEERCLOSEWAIT2) &&
+ (sk->sk_state != SMC_APPCLOSEWAIT1) &&
diff --git a/queue-4.17/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch b/queue-4.17/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
new file mode 100644
index 00000000000..9ecd7a8d313
--- /dev/null
+++ b/queue-4.17/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
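Review bot: The shortened state list in smc_shutdown() no longer says why SMC_LISTEN is excluded, and a reader comparing it with inet_shutdown(), which accepts shutdown on a listening socket, may be tempted to add it back. A one-line comment above the `if` would anchor the intent: `/* SMC_LISTEN is deliberately rejected with -ENOTCONN: shutting down a listening SMC socket unbalances its socket refcounts */`. `rc` is set to -ENOTCONN just above the condition, and presumably the body of the `if` (outside this hunk) exits with it unchanged. smc_shutdown() begins and ends outside the hunk, so the lock release and exit path are not visible here.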
@@ -0,0 +1,61 @@
+From 6613b6173dee098997229caf1f3b961c49da75e6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Tue, 17 Jul 2018 21:03:15 +0200
+Subject: netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
+
+From: Florian Westphal
+
+commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.
+
+When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
+that has an un-initialized timeout value, i.e. such entry could be
+reaped at any time.
+
+Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
+an old state.
+
+Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -243,14 +243,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
+ * We currently ignore Sync packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ [DCCP_PKT_SYNCACK] = {
+ /*
+ * We currently ignore SyncAck packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ },
+ [CT_DCCP_ROLE_SERVER] = {
+@@ -371,14 +371,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
+ * We currently ignore Sync packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ [DCCP_PKT_SYNCACK] = {
+ /*
+ * We currently ignore SyncAck packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ },
+ };
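Review bot: The table comments above each changed row still read `We currently ignore Sync packets` and `We currently ignore SyncAck packets`, which is no longer true for the sNO column now that it holds sIV, so the single sIV cell reads like a typo next to seven sIG cells. Update each of the four comments (client role at the 243 hunk, server role at the 371 hunk) to something like `* Sync packets are ignored once a connection exists; with no prior state (sNO) they are invalid, since a fresh entry would get no timeout`. How the lookup code reacts to the new sIV value in the sNO column is outside this hunk and should be confirmed against it before backporting.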
diff --git a/queue-4.17/packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch b/queue-4.17/packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
new file mode 100644
index 00000000000..b5e1b8d87e3
--- /dev/null
+++ b/queue-4.17/packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
@@ -0,0 +1,66 @@
+From 4576cd469d980317c4edd9173f8b694aa71ea3a3 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn
+Date: Mon, 6 Aug 2018 10:38:34 -0400
+Subject: packet: refine ring v3 block size test to hold one frame
+
+From: Willem de Bruijn
+
+commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.
+
+TPACKET_V3 stores variable length frames in fixed length blocks.
+Blocks must be able to store a block header, optional private space
+and at least one minimum sized frame.
+
+Frames, even for a zero snaplen packet, store metadata headers and
+optional reserved space.
+
+In the block size bounds check, ensure that the frame of the
+chosen configuration fits. This includes sockaddr_ll and optional
+tp_reserve.
+
+Syzbot was able to construct a ring with insuffient room for the
+sockaddr_ll in the header of a zero-length frame, triggering an
+out-of-bounds write in dev_parse_header.
+
+Convert the comparison to less than, as zero is a valid snap len.
+This matches the test for minimum tp_frame_size immediately below.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
+Reported-by: syzbot
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/packet/af_packet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4258,6 +4258,8 @@ static int packet_set_ring(struct sock *
+ }
+
+ if (req->tp_block_nr) {
++ unsigned int min_frame_size;
++
+ /* Sanity tests and some calculations */
+ err = -EBUSY;
+ if (unlikely(rb->pg_vec))
+@@ -4280,12 +4282,12 @@ static int packet_set_ring(struct sock *
+ goto out;
+ if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ goto out;
++ min_frame_size = po->tp_hdrlen + po->tp_reserve;
+ if (po->tp_version >= TPACKET_V3 &&
+- req->tp_block_size <=
+- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
++ req->tp_block_size <
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
+ goto out;
+- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+- po->tp_reserve))
++ if (unlikely(req->tp_frame_size < min_frame_size))
+ goto out;
+ if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
+ goto out;
diff --git a/queue-4.17/parisc-remove-ordered-stores-from-syscall.s.patch b/queue-4.17/parisc-remove-ordered-stores-from-syscall.s.patch
new file mode 100644
index 00000000000..95134d15b9f
--- /dev/null
+++ b/queue-4.17/parisc-remove-ordered-stores-from-syscall.s.patch
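Review bot: `min_frame_size` is assigned without saying what it bounds, and the `<=` to `<` change in the block-size test is exactly the kind of edit a later reader will question, so a comment above the assignment should state the invariant: `/* Smallest frame a zero-snaplen packet needs: metadata header plus user reserve. A V3 block must hold its block header, the private area and at least one such frame. */`. `min_frame_size` is an `unsigned int`, and `po->tp_hdrlen` and `po->tp_reserve` are presumably the same width, so the sum can only wrap if `tp_reserve` is not bounded when PACKET_RESERVE is set; I believe this tree rejects values above INT_MAX there, but that check is outside the hunk and worth confirming for the stable backport. packet_set_ring() begins and ends outside the hunk.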
@@ -0,0 +1,105 @@
+From 7797167ffde1f00446301cb22b37b7c03194cfaf Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Sun, 12 Aug 2018 16:38:03 -0400
+Subject: parisc: Remove ordered stores from syscall.S
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John David Anglin
+
+commit 7797167ffde1f00446301cb22b37b7c03194cfaf upstream.
+
+Now that we use a sync prior to releasing the locks in syscall.S, we don't need
+the PA 2.0 ordered stores used to release some locks.  Using an ordered store,
+potentially slows the release and subsequent code.
+
+There are a number of other ordered stores and loads that serve no purpose.  I
+have converted these to normal stores.
+
+Signed-off-by: John David Anglin
+Cc: stable@vger.kernel.org # 4.0+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/syscall.S | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -629,12 +629,12 @@ cas_action:
+ stw %r1, 4(%sr2,%r20)
+ #endif
+ /* The load and store could fail */
+-1: ldw,ma 0(%r26), %r28
++1: ldw 0(%r26), %r28
+ sub,<> %r28, %r25, %r0
+-2: stw,ma %r24, 0(%r26)
++2: stw %r24, 0(%r26)
+ /* Free lock */
+ sync
+- stw,ma %r20, 0(%sr2,%r20)
++ stw %r20, 0(%sr2,%r20)
+ #if ENABLE_LWS_DEBUG
+ /* Clear thread register indicator */
+ stw %r0, 4(%sr2,%r20)
+@@ -798,30 +798,30 @@ cas2_action:
+ ldo 1(%r0),%r28
+
+ /* 8bit CAS */
+-13: ldb,ma 0(%r26), %r29
++13: ldb 0(%r26), %r29
+ sub,= %r29, %r25, %r0
+ b,n cas2_end
+-14: stb,ma %r24, 0(%r26)
++14: stb %r24, 0(%r26)
+ b cas2_end
+ copy %r0, %r28
+ nop
+ nop
+
+ /* 16bit CAS */
+-15: ldh,ma 0(%r26), %r29
++15: ldh 0(%r26), %r29
+ sub,= %r29, %r25, %r0
+ b,n cas2_end
+-16: sth,ma %r24, 0(%r26)
++16: sth %r24, 0(%r26)
+ b cas2_end
+ copy %r0, %r28
+ nop
+ nop
+
+ /* 32bit CAS */
+-17: ldw,ma 0(%r26), %r29
++17: ldw 0(%r26), %r29
+ sub,= %r29, %r25, %r0
+ b,n cas2_end
+-18: stw,ma %r24, 0(%r26)
++18: stw %r24, 0(%r26)
+ b cas2_end
+ copy %r0, %r28
+ nop
+@@ -829,10 +829,10 @@ cas2_action:
+
+ /* 64bit CAS */
+ #ifdef CONFIG_64BIT
+-19: ldd,ma 0(%r26), %r29
++19: ldd 0(%r26), %r29
+ sub,*= %r29, %r25, %r0
+ b,n cas2_end
+-20: std,ma %r24, 0(%r26)
++20: std %r24, 0(%r26)
+ copy %r0, %r28
+ #else
+ /* Compare first word */
+@@ -851,7 +851,7 @@ cas2_action:
+ cas2_end:
+ /* Free lock */
+ sync
+- stw,ma %r20, 0(%sr2,%r20)
++ stw %r20, 0(%sr2,%r20)
+ /* Enable interrupts */
+ ssm PSW_SM_I, %r0
+ /* Return to userspace, set no error */
diff --git a/queue-4.17/parisc-remove-unnecessary-barriers-from-spinlock.h.patch b/queue-4.17/parisc-remove-unnecessary-barriers-from-spinlock.h.patch
new file mode 100644
index 00000000000..41c87f87bcf
--- /dev/null
+++ b/queue-4.17/parisc-remove-unnecessary-barriers-from-spinlock.h.patch
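Review bot: With the `,ma` completers gone, nothing at the CAS load/store sites records what now orders them against the lock, so a later edit could move or drop the `sync` without noticing what it protects. At each `/* Free lock */` site (the 629 hunk and the cas2_end block in the 851 hunk) extend the comment to `/* Free lock: sync makes the CAS store visible before the plain stw releases it */`, and at label 1 (and 13/15/17/19) note that the load is ordered after the lock acquire by the earlier ldcw. The acquire side of cas_action and cas2_action is outside this hunk, so that ldcw and its ordering guarantee should be checked rather than assumed.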
@@ -0,0 +1,72 @@
+From 3b885ac1dc35b87a39ee176a6c7e2af9c789d8b8 Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Sun, 12 Aug 2018 16:31:17 -0400
+Subject: parisc: Remove unnecessary barriers from spinlock.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John David Anglin
+
+commit 3b885ac1dc35b87a39ee176a6c7e2af9c789d8b8 upstream.
+
+Now that mb() is an instruction barrier, it will slow performance if we issue
+unnecessary barriers.
+
+The spinlock defines have a number of unnecessary barriers.  The __ldcw()
+define is both a hardware and compiler barrier.  The mb() barriers in the
+routines using __ldcw() serve no purpose.
+
+The only barrier needed is the one in arch_spin_unlock().  We need to ensure
+all accesses are complete prior to releasing the lock.
+
+Signed-off-by: John David Anglin
+Cc: stable@vger.kernel.org # 4.0+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/asm/spinlock.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/parisc/include/asm/spinlock.h
++++ b/arch/parisc/include/asm/spinlock.h
+@@ -20,7 +20,6 @@ static inline void arch_spin_lock_flags(
+ {
+ volatile unsigned int *a;
+
+- mb();
+ a = __ldcw_align(x);
+ while (__ldcw(a) == 0)
+ while (*a == 0)
+@@ -30,17 +29,16 @@ static inline void arch_spin_lock_flags(
+ local_irq_disable();
+ } else
+ cpu_relax();
+- mb();
+ }
+ #define arch_spin_lock_flags arch_spin_lock_flags
+
+ static inline void arch_spin_unlock(arch_spinlock_t *x)
+ {
+ volatile unsigned int *a;
+- mb();
++
+ a = __ldcw_align(x);
+- *a = 1;
+ mb();
++ *a = 1;
+ }
+
+ static inline int arch_spin_trylock(arch_spinlock_t *x)
+@@ -48,10 +46,8 @@ static inline int arch_spin_trylock(arch
+ volatile unsigned int *a;
+ int ret;
+
+- mb();
+ a = __ldcw_align(x);
+ ret = __ldcw(a) != 0;
+- mb();
+
+ return ret;
+ }
diff --git a/queue-4.17/series b/queue-4.17/series
index a186a4ba582..93eec85dea7 100644
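Review bot: arch_spin_unlock() now depends on its single `mb()` for release ordering, but nothing in the function says so; `volatile` on `a` only stops the compiler from eliding the store and does not order it after the critical section's accesses. Add a comment before the barrier so the next cleanup does not remove it: `/* mb() makes every access of the critical section visible before the lock word is written */`. arch_spin_lock_flags() and arch_spin_trylock() now have no barrier after `__ldcw()` at all, so their acquire ordering rests entirely on `__ldcw()` being both a hardware and a compiler barrier as the commit message states; its definition is outside this hunk and should be confirmed in the 4.17 tree before this is queued.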
--- a/queue-4.17/series
+++ b/queue-4.17/series
@@ -308,3 +308,9 @@ x86-mm-init-remove-freed-kernel-image-areas-from-alias-mapping.patch
 ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
 drm-i915-kvmgt-fix-potential-spectre-v1.patch
 drm-amdgpu-pm-fix-potential-spectre-v1.patch
+parisc-remove-unnecessary-barriers-from-spinlock.h.patch
+parisc-remove-ordered-stores-from-syscall.s.patch
+xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
+netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
+packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
+net-smc-no-shutdown-in-state-smc_listen.patch
diff --git a/queue-4.17/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch b/queue-4.17/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
new file mode 100644
index 00000000000..e242de6e07b
--- /dev/null
+++ b/queue-4.17/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
@@ -0,0 +1,115 @@
+From 45c180bc29babbedd6b8c01b975780ef44d9d09c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 18 Jun 2018 21:35:07 -0700
+Subject: xfrm_user: prevent leaking 2 bytes of kernel memory
+
+From: Eric Dumazet
+
+commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.
+
+struct xfrm_userpolicy_type has two holes, so we should not
+use C99 style initializer.
+
+KMSAN report:
+
+BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
+ kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
+ kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
+ copyout lib/iov_iter.c:140 [inline]
+ _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+ copy_to_iter include/linux/uio.h:106 [inline]
+ skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
+ skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
+ netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
+ sock_recvmsg_nosec net/socket.c:802 [inline]
+ sock_recvmsg+0x1d6/0x230 net/socket.c:809
+ ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
+ __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
+ do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
+ __do_sys_recvmmsg net/socket.c:2485 [inline]
+ __se_sys_recvmmsg net/socket.c:2481 [inline]
+ __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x446ce9
+RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
+RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
+RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
+R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
+ __nla_put lib/nlattr.c:569 [inline]
+ nla_put+0x276/0x340 lib/nlattr.c:627
+ copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
+ dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+ xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
+ netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
+ __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
+ netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
+ xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Local variable description: ----upt.i@dump_one_policy
+Variable was created at:
+ dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+
+Byte 130 of 137 is uninitialized
+Memory access starts at ffff88019550407f
+
+Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Steffen Klassert
+Cc: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_user.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1671,9 +1671,11 @@ static inline unsigned int userpolicy_ty
+ #ifdef CONFIG_XFRM_SUB_POLICY
+ static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+ {
+- struct xfrm_userpolicy_type upt = {
+- .type = type,
+- };
++ struct xfrm_userpolicy_type upt;
++
++ /* Sadly there are two holes in struct xfrm_userpolicy_type */
++ memset(&upt, 0, sizeof(upt));
++ upt.type = type;
+
+ return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
+ }
-- 
2.47.3
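Review bot: The new comment notes that the struct has holes but not why that matters here, which is the fact a reader needs before they "simplify" the memset() back into a designated initializer: a brace initializer sets the named and remaining members of `upt` but in practice leaves the padding of an automatic object unspecified, and the `nla_put()` on the next line copies all `sizeof(upt)` bytes, padding included, into a message that reaches userspace. Suggest extending the comment to `/* Use memset(), not a designated initializer: the struct has two holes and nla_put() copies all sizeof(upt) bytes to userspace, so the padding must be zeroed too */`. Whether other nla_put() callers in this file build their structs the same way is outside the hunk and not visible here.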