This is a note to let you know that I've just added the patch titled

    selinux: initialize proto variable in selinux_ip_postroute_compat()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    selinux-initialize-proto-variable-in-selinux_ip_postroute_compat.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 732bc2ff080c447f8524f40c970c481f5da6eed3 Mon Sep 17 00:00:00 2001
From: Tom Rix <trix@xxxxxxxxxx>
Date: Fri, 24 Dec 2021 07:07:39 -0800
Subject: selinux: initialize proto variable in selinux_ip_postroute_compat()

From: Tom Rix <trix@xxxxxxxxxx>

commit 732bc2ff080c447f8524f40c970c481f5da6eed3 upstream.

Clang static analysis reports this warning

hooks.c:5765:6: warning: 4th function call argument is an
  uninitialized value
        if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

selinux_parse_skb() can return ok without setting proto. The later call
to selinux_xfrm_postroute_last() does an early check of proto and can
return ok if the garbage proto value matches. So initialize proto.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: eef9b41622f2 ("selinux: cleanup selinux_xfrm_sock_rcv_skb() and selinux_xfrm_postroute_last()")
Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
[PM: typo/spelling and checkpatch.pl description fixes]
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -5321,7 +5321,7 @@ static unsigned int selinux_ip_postroute struct common_audit_data ad; struct lsm_network_audit net = {0,}; char *addrp; - u8 proto; + u8 proto = 0; if (sk == NULL) return NF_ACCEPT; Patches currently in stable-queue which might be from trix@xxxxxxxxxx are queue-4.14/selinux-initialize-proto-variable-in-selinux_ip_postroute_compat.patch
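
Review bot: The initializer at `u8 proto = 0;` fixes the uninitialized read in this one caller only, and nothing at the declaration records why 0 is a safe default. The commit message says selinux_parse_skb() can return ok without setting proto and that selinux_xfrm_postroute_last() returns ok early when proto matches, so a one-line comment stating that 0 must not match that early check would make the security assumption explicit. It would also be worth having selinux_parse_skb() set proto on every success path, so that other callers do not depend on their own initializers.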