[PATCH mptcp-net] mptcp: fix uninit-value in mptcp_established_options

[PATCH mptcp-net] mptcp: fix uninit-value in mptcp_established_options

[Paolo Abeni]

syzbot reported the following uninit splat:

=====================================================
BUG: KMSAN: uninit-value in mptcp_write_data_fin net/mptcp/options.c:542 [inline]
BUG: KMSAN: uninit-value in mptcp_established_options_dss net/mptcp/options.c:590 [inline]
BUG: KMSAN: uninit-value in mptcp_established_options+0x112f/0x3530 net/mptcp/options.c:874
 mptcp_write_data_fin net/mptcp/options.c:542 [inline]
 mptcp_established_options_dss net/mptcp/options.c:590 [inline]
 mptcp_established_options+0x112f/0x3530 net/mptcp/options.c:874
 tcp_established_options+0x312/0xcc0 net/ipv4/tcp_output.c:1192
 __tcp_transmit_skb+0x5dc/0x5fe0 net/ipv4/tcp_output.c:1575
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499
 tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505
 mptcp_subflow_shutdown+0x164/0x690 net/mptcp/protocol.c:3137
 mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
 __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
 __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
 mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
 inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
 __sock_release net/socket.c:722 [inline]
 sock_close+0xd6/0x2f0 net/socket.c:1514
 __fput+0x60e/0x1010 fs/file_table.c:510
 ____fput+0x25/0x30 fs/file_table.c:538
 task_work_run+0x208/0x2b0 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 __do_fast_syscall_32+0x2c7/0x460 arch/x86/entry/syscall_32.c:310
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/syscall_32.c:332
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:370
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Local variable opts created at:
 __tcp_transmit_skb+0x4d/0x5fe0 net/ipv4/tcp_output.c:1536
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499
=====================================================

The output path currently omit initializing the mptcp extension `use_map`
flag in a few corner cases.
Address the issue always zeroing all the extensions flags before
eventually initializing the individual bits. To that extent, introduce
and use a struct_group to avoid multiple bitwise operations.

Reported-by: syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
Fixes: 6d0060f600ad ("mptcp: Write MPTCP DSS headers to outgoing data packets")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
Note that this patch intentionally omit removing the now unneeded
		opts->ext_copy.ack64 = 0;
assignment later on in mptcp_established_options_dss(), to avoid
conflict with pending next patches.
---
 include/net/mptcp.h | 7 +++++--
 net/mptcp/options.c | 6 +++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/include/net/mptcp.h b/include/net/mptcp.h
index aef2dbeb847b..8e666347b56d 100644
--- a/include/net/mptcp.h
+++ b/include/net/mptcp.h
@@ -23,7 +23,9 @@ struct mptcp_ext {
 	u32		subflow_seq;
 	u16		data_len;
 	__sum16		csum;
-	u8		use_map:1,
+
+	struct_group(flags,
+		u8	use_map:1,
 			dsn64:1,
 			data_fin:1,
 			use_ack:1,
@@ -31,9 +33,10 @@ struct mptcp_ext {
 			mpc_map:1,
 			frozen:1,
 			reset_transient:1;
-	u8		reset_reason:4,
+		u8	reset_reason:4,
 			csum_reqd:1,
 			infinite_map:1;
+	); /* end of flags group */
 };
 
 #define MPTCPOPT_HMAC_LEN	20
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 2b35bdc113a5..7301225bac98 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -572,6 +572,11 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb,
 	unsigned int ack_size;
 	bool ret = false;
 
+	/* Zero `use_ack` and `use_map` flags with one shot. */
+	BUILD_BUG_ON(sizeof_field(struct mptcp_ext, flags) != sizeof(u16));
+	BUILD_BUG_ON(!IS_ALIGNED(offsetof(struct mptcp_ext, flags),
+				 sizeof(u16)));
+	*(u16 *)&opts->ext_copy.flags = 0;
 	opts->csum_reqd = READ_ONCE(msk->csum_enabled);
 	mpext = skb ? mptcp_get_ext(skb) : NULL;
 
@@ -595,7 +600,6 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb,
 	/* passive sockets msk will set the 'can_ack' after accept(), even
 	 * if the first subflow may have the already the remote key handy
 	 */
-	opts->ext_copy.use_ack = 0;
 	if (!READ_ONCE(msk->can_ack)) {
 		*size = ALIGN(dss_size, 4);
 		return ret;
-- 
2.54.0

Re: [PATCH mptcp-net] mptcp: fix uninit-value in mptcp_established_options

[MPTCP CI]

Hi Paolo,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join): Unstable: 1 failed test(s): selftest_simult_flows ⚠️ 
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Unstable: 1 failed test(s): selftest_mptcp_connect ⚠️ 
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/26630171516

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/e2df8b37ca5b
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1102751


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-normal

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)

Re: [PATCH mptcp-net] mptcp: fix uninit-value in mptcp_established_options

[Matthieu Baerts]

Hi Paolo,

On 29/05/2026 19:13, Paolo Abeni wrote:
> syzbot reported the following uninit splat:

(...)

> The output path currently omit initializing the mptcp extension `use_map`
> flag in a few corner cases.
> Address the issue always zeroing all the extensions flags before
> eventually initializing the individual bits. To that extent, introduce
> and use a struct_group to avoid multiple bitwise operations.

Thank you for the fix!

Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>

Now in our tree:

New patches for t/upstream-net and t/upstream:
- e1e4ec894331: mptcp: fix uninit-value in mptcp_established_options
- Results: b744d5cbf545..8baa4a3c8611 (export-net)
- Results: 294e9da8a098..cfc728a98c10 (export)

Tests are now in progress:

- export-net:
https://github.com/multipath-tcp/mptcp_net-next/commit/857a3caa698c8e16b1dbc6d61976bbf17a8d864c/checks
- export:
https://github.com/multipath-tcp/mptcp_net-next/commit/05677a4add692ad12b601c1e0b9e5f9299c2a1f1/checks

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Re: [PATCH mptcp-net] mptcp: fix uninit-value in mptcp_established_options

[Matthieu Baerts]

Hi Paolo,

On 29/05/2026 19:13, Paolo Abeni wrote:
> syzbot reported the following uninit splat:
> 
> =====================================================

(...)

> =====================================================
> 
> The output path currently omit initializing the mptcp extension `use_map`
> flag in a few corner cases.
> Address the issue always zeroing all the extensions flags before
> eventually initializing the individual bits. To that extent, introduce
> and use a struct_group to avoid multiple bitwise operations.
> 
> Reported-by: syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
> Fixes: 6d0060f600ad ("mptcp: Write MPTCP DSS headers to outgoing data packets")

Small detail: I hope that's OK to use this one instead:

  cfcceb7a39fc ("tcp: shrink per-packet memset in __tcp_transmit_skb()")

Before this commit, the whole "opts" was set to 0. So no need to
backport this "too far".

Also, because of the issue reported by the 0day bot, I will wait a few
more days before sending this patch upstream.

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Re: [PATCH mptcp-net] mptcp: fix uninit-value in mptcp_established_options

[Paolo Abeni]

On 6/1/26 4:42 AM, Matthieu Baerts wrote:
> Hi Paolo,
> 
> On 29/05/2026 19:13, Paolo Abeni wrote:
>> syzbot reported the following uninit splat:
>>
>> =====================================================
> 
> (...)
> 
>> =====================================================
>>
>> The output path currently omit initializing the mptcp extension `use_map`
>> flag in a few corner cases.
>> Address the issue always zeroing all the extensions flags before
>> eventually initializing the individual bits. To that extent, introduce
>> and use a struct_group to avoid multiple bitwise operations.
>>
>> Reported-by: syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
>> Fixes: 6d0060f600ad ("mptcp: Write MPTCP DSS headers to outgoing data packets")
> 
> Small detail: I hope that's OK to use this one instead:
> 
>   cfcceb7a39fc ("tcp: shrink per-packet memset in __tcp_transmit_skb()")
> 
> Before this commit, the whole "opts" was set to 0. So no need to
> backport this "too far".

Sure, thanks for doing the right archeology!

/P