* [syzbot] [iommu?] KMSAN: uninit-value in pfn_reader_next
From: syzbot @ 2026-01-24 6:45 UTC (permalink / raw)
To: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
syzkaller-bugs, will
Hello,
syzbot found the following issue on:
HEAD commit: c072629f05d7 Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1716005a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8bf02b9e495b9fcd
dashboard link: https://syzkaller.appspot.com/bug?extid=df28076a30d726933015
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1436b79a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15a63d22580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b6b938ba4a72/disk-c072629f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bb1384b011b2/vmlinux-c072629f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1dd4bb2f206e/bzImage-c072629f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com
iommufd_mock iommufd_mock0: Adding to iommu group 0
=====================================================
BUG: KMSAN: uninit-value in batch_add_pfn_num drivers/iommu/iommufd/pages.c:365 [inline]
BUG: KMSAN: uninit-value in batch_add_pfn drivers/iommu/iommufd/pages.c:398 [inline]
BUG: KMSAN: uninit-value in batch_from_pages drivers/iommu/iommufd/pages.c:658 [inline]
BUG: KMSAN: uninit-value in pfn_reader_fill_span drivers/iommu/iommufd/pages.c:1220 [inline]
BUG: KMSAN: uninit-value in pfn_reader_next+0x1d5a/0x3e50 drivers/iommu/iommufd/pages.c:1247
batch_add_pfn_num drivers/iommu/iommufd/pages.c:365 [inline]
batch_add_pfn drivers/iommu/iommufd/pages.c:398 [inline]
batch_from_pages drivers/iommu/iommufd/pages.c:658 [inline]
pfn_reader_fill_span drivers/iommu/iommufd/pages.c:1220 [inline]
pfn_reader_next+0x1d5a/0x3e50 drivers/iommu/iommufd/pages.c:1247
pfn_reader_first+0xbcf/0xee0 drivers/iommu/iommufd/pages.c:1354
iopt_area_fill_domains+0x202/0x1590 drivers/iommu/iommufd/pages.c:1917
iopt_fill_domains_pages drivers/iommu/iommufd/io_pagetable.c:359 [inline]
iopt_map_pages+0x1ba5/0x2130 drivers/iommu/iommufd/io_pagetable.c:387
iopt_map_common+0x224/0x610 drivers/iommu/iommufd/io_pagetable.c:425
iopt_map_user_pages+0x148/0x1c0 drivers/iommu/iommufd/io_pagetable.c:466
iommufd_ioas_map+0x6a2/0x9b0 drivers/iommu/iommufd/ioas.c:270
iommufd_fops_ioctl+0x82a/0x9e0 drivers/iommu/iommufd/main.c:533
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x23c/0x400 fs/ioctl.c:583
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:583
x64_sys_call+0x18a7/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable pfns created at:
iopt_area_fill_domains+0x5c/0x1590 drivers/iommu/iommufd/pages.c:1900
iopt_fill_domains_pages drivers/iommu/iommufd/io_pagetable.c:359 [inline]
iopt_map_pages+0x1ba5/0x2130 drivers/iommu/iommufd/io_pagetable.c:387
CPU: 0 UID: 0 PID: 6065 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Forwarded: [PATCH] iommufd: Initialize pfn_reader in iopt_area_fill_domains()
From: syzbot @ 2026-01-24 9:07 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] iommufd: Initialize pfn_reader in iopt_area_fill_domains()
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
KMSAN reported an uninitialized value in batch_add_pfn_num() when
accessing batch->npfns[] and batch->pfns[] arrays. This occurs because
struct pfn_reader pfns was declared without initialization, leaving
the embedded pfn_batch structure and its arrays uninitialized.
Initialize pfns to zero to ensure all fields and embedded structures
start in a known state.
Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
drivers/iommu/iommufd/pages.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index dbe51ecb9a20..a07373cf013c 100644
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -1897,7 +1897,7 @@ int iopt_area_fill_domains(struct iopt_area *area, struct iopt_pages *pages)
unsigned long done_all_end_index;
struct iommu_domain *domain;
unsigned long unmap_index;
- struct pfn_reader pfns;
+ struct pfn_reader pfns = {};
unsigned long index;
int rc;
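Review bot: zeroing the whole struct pfn_reader at pages.c:1900 silences the report without saying which field batch_add_pfn_num() (pages.c:365) reads before it is set; KMSAN's origin line ("Local variable pfns created at") only names the struct, and this hunk leaves the question open. The embedded pfn_batch already goes through the batch initialization the reader sets up, so the uninitialized field is one that routine skips, and the fix belongs in that routine so that every stack pfn_batch is covered rather than this one declaration. As the test result later in this thread shows, the identical batch in __iopt_area_unfill_domain() (pages.c:1738) still fires with this patch applied. Suggest identifying the field and initializing it where the batch is cleared, and stating the field name in the commit message.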
--
2.43.0
* Forwarded: [PATCH] iommufd: Initialize batch structures in map/unmap paths
From: syzbot @ 2026-01-24 11:24 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] iommufd: Initialize batch structures in map/unmap paths
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
KMSAN reported uninitialized values in batch processing for both the
map and unmap paths:
1. In iopt_area_fill_domains(), struct pfn_reader pfns was used
uninitialized, causing warnings in batch_add_pfn_num() when
accessing batch->npfns[] and batch->pfns[] arrays.
2. In __iopt_area_unfill_domain(), struct pfn_batch batch was used
uninitialized, causing warnings in batch_from_domain() when
accessing the same arrays.
Although some initialization functions are called on these structures,
they do not initialize all fields, leaving arrays and padding bytes
uninitialized.
Initialize both structures to zero to ensure all fields start in a
known state.
Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
drivers/iommu/iommufd/pages.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index dbe51ecb9a20..8c7681192a07 100644
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -1735,7 +1735,7 @@ static void __iopt_area_unfill_domain(struct iopt_area *area,
unsigned long start_index = iopt_area_index(area);
unsigned long unmapped_end_index = start_index;
u64 backup[BATCH_BACKUP_SIZE];
- struct pfn_batch batch;
+ struct pfn_batch batch = {};
lockdep_assert_held(&pages->mutex);
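Review bot: the commit message attributes the report to "arrays and padding bytes" left uninitialized, but the KMSAN origin for this function is the local variable itself ("Local variable batch created at: __iopt_area_unfill_domain ... pages.c:1738"), not the pfns/npfns arrays it points to, so `= {}` at line 1738 is doing its work through one field of the struct and zeroing the pointer and size fields that the batch initialization mentioned in the message is about to overwrite anyway. Suggest naming that field and initializing it in the shared clear routine, which also covers any other stack pfn_batch, and correcting the explanation in the message.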
@@ -1897,7 +1897,7 @@ int iopt_area_fill_domains(struct iopt_area *area, struct iopt_pages *pages)
unsigned long done_all_end_index;
struct iommu_domain *domain;
unsigned long unmap_index;
- struct pfn_reader pfns;
+ struct pfn_reader pfns = {};
unsigned long index;
int rc;
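Review bot: this hunk at pages.c:1900 is identical to the one posted in the first patch of this thread. If this is a respin it should carry a v2 tag in the subject and a short changelog below the --- line ("v2: also initialize batch in __iopt_area_unfill_domain()") rather than being sent as a new patch, so reviewers and syzbot can tie the two together.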
--
2.43.0
* Forwarded: [PATCH] iommufd: Initialize batch->kind in batch_clear()
From: syzbot @ 2026-01-24 12:46 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] iommufd: Initialize batch->kind in batch_clear()
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
KMSAN reported an uninitialized value when batch_add_pfn_num() reads
batch->kind. This occurs because batch_clear() does not initialize
the kind field, leaving it with garbage data when a struct pfn_batch
is declared on the stack.
When batch_add_pfn_num() checks "if (batch->kind != kind)", it reads
this uninitialized value, triggering KMSAN warnings.
Initialize batch->kind to zero in batch_clear() to ensure the field
always starts in a known state.
Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
drivers/iommu/iommufd/pages.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index dbe51ecb9a20..f606148920fa 100644
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -289,6 +289,7 @@ static void batch_clear(struct pfn_batch *batch)
batch->end = 0;
batch->pfns[0] = 0;
batch->npfns[0] = 0;
+ batch->kind = 0;
}
/*
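Review bot: the literal 0 at the new line 292 assumes 0 is a meaningful kind value. If kind is an enum, write the enumerator so the intent survives a renumbering; and since the "batch->kind != kind" check in batch_add_pfn_num() has nothing to compare against on an empty batch (end == 0 right after batch_clear()), consider having that check skip or adopt the incoming kind when batch->end == 0 instead of relying on the cleared value happening to match a real kind. Of the three patches in this thread this is the one that addresses the field actually read uninitialized and covers every stack pfn_batch, so the first two should be dropped in its favour.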
--
2.43.0
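The three patches above fix the same KMSAN report at different layers: the first two zero a whole stack struct at its declaration, the third initializes the one field batch_clear() skips. The user-space model below is added here as an example and is not code from the kernel or from the patch author. The struct layout, the kind values (KIND_RAM/KIND_MMIO) and the semantics of the kind check in batch_add_pfn_num() are assumptions made for illustration; a 0xA5 fill stands in for a dirty stack frame so the result is deterministic instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: only the fields needed to show the pattern. */
struct pfn_batch {
	unsigned long *pfns;      /* start pfn of each run */
	uint32_t *npfns;          /* length of each run */
	unsigned int array_size;
	unsigned int end;         /* runs in use */
	unsigned int total_pfns;
	unsigned int kind;        /* the field the third patch initializes */
};

#define KIND_RAM  0u              /* assumed kind values */
#define KIND_MMIO 1u

/* Stand-in for a dirty stack frame (deterministic, not real UB). */
static void poison(void *p, size_t n) { memset(p, 0xA5, n); }

/* Model of batch_clear() before the third patch: kind is never written. */
static void batch_clear_unpatched(struct pfn_batch *b)
{
	b->end = 0;
	b->pfns[0] = 0;
	b->npfns[0] = 0;
}

/* Model of batch_clear() with "batch->kind = 0" added. */
static void batch_clear_patched(struct pfn_batch *b)
{
	batch_clear_unpatched(b);
	b->kind = 0;
}

/* Model of the batch initializer: attach the arrays, then clear. */
static void batch_init(struct pfn_batch *b, unsigned long *pfns, uint32_t *npfns,
		       unsigned int n, void (*clear)(struct pfn_batch *))
{
	b->pfns = pfns;
	b->npfns = npfns;
	b->array_size = n;
	b->total_pfns = 0;
	clear(b);
}

/* Model of batch_add_pfn_num()'s kind check.  Assumed semantics: an empty
 * batch adopts the first pfn's kind, a non-empty batch refuses another kind
 * (caller flushes first), adjacent pfns of one kind coalesce into one run. */
static bool batch_add_pfn_num(struct pfn_batch *b, unsigned long pfn,
			      uint32_t nr, unsigned int kind)
{
	if (b->kind != kind) {          /* the read KMSAN flags at pages.c:365 */
		if (b->end != 0)
			return false;
		b->kind = kind;
	}
	if (b->end && b->pfns[b->end - 1] + b->npfns[b->end - 1] == pfn) {
		b->npfns[b->end - 1] += nr;
	} else {
		if (b->end == b->array_size)
			return false;
		b->pfns[b->end] = pfn;
		b->npfns[b->end] = nr;
		b->end++;
	}
	b->total_pfns += nr;
	return true;
}

/* kind after init from a poisoned frame: 0xA5A5A5A5 with the unpatched
 * clear, 0 with the patched one. */
unsigned int kind_after_init(void (*clear)(struct pfn_batch *))
{
	unsigned long pfns[4];
	uint32_t npfns[4];
	struct pfn_batch b;

	poison(&b, sizeof(b));
	batch_init(&b, pfns, npfns, 4, clear);
	return b.kind;
}

/* The "= {}" approach of the first two patches: every field of this one
 * declaration is covered, a second stack pfn_batch elsewhere is not. */
unsigned int kind_after_zero_init(void)
{
	unsigned long pfns[4];
	uint32_t npfns[4];
	struct pfn_batch b = { 0 };

	batch_init(&b, pfns, npfns, 4, batch_clear_unpatched);
	return b.kind;
}

/* Two adjacent RAM pfns then one MMIO pfn on a patched batch.  Returns
 * (mmio_refused << 8) | runs: the RAM pfns coalesce into one run and the
 * MMIO add is refused, so the expected value is 0x101. */
unsigned int mixed_adds_result(void)
{
	unsigned long pfns[4];
	uint32_t npfns[4];
	struct pfn_batch b;
	bool refused;

	poison(&b, sizeof(b));
	batch_init(&b, pfns, npfns, 4, batch_clear_patched);
	batch_add_pfn_num(&b, 0x1000, 1, KIND_RAM);
	batch_add_pfn_num(&b, 0x1001, 1, KIND_RAM);
	refused = !batch_add_pfn_num(&b, 0x2000, 1, KIND_MMIO);
	return ((unsigned int)refused << 8) | b.end;
}

int main(void)
{
	printf("unpatched kind: 0x%x\n", kind_after_init(batch_clear_unpatched));
	printf("patched kind:   0x%x\n", kind_after_init(batch_clear_patched));
	printf("zero-init kind: 0x%x\n", kind_after_zero_init());
	printf("mixed adds:     0x%x\n", mixed_adds_result());
	return 0;
}
```

Building this with `clang -fsanitize=memory` and removing the poison() call in kind_after_init() reproduces, in user space, the uninit-value report MemorySanitizer (the user-space counterpart of KMSAN) gives for the unpatched clear; the patched clear and the zero-initialized declaration are both clean, but only the former also covers the second stack pfn_batch in __iopt_area_unfill_domain() that the test result in this thread points at.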
* Re: [syzbot] [iommu?] KMSAN: uninit-value in pfn_reader_next
From: syzbot @ 2026-01-24 10:25 UTC (permalink / raw)
To: kartikey406, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in batch_from_domain
=====================================================
BUG: KMSAN: uninit-value in batch_add_pfn_num drivers/iommu/iommufd/pages.c:365 [inline]
BUG: KMSAN: uninit-value in batch_add_pfn drivers/iommu/iommufd/pages.c:398 [inline]
BUG: KMSAN: uninit-value in batch_from_domain+0xe8c/0x1010 drivers/iommu/iommufd/pages.c:425
batch_add_pfn_num drivers/iommu/iommufd/pages.c:365 [inline]
batch_add_pfn drivers/iommu/iommufd/pages.c:398 [inline]
batch_from_domain+0xe8c/0x1010 drivers/iommu/iommufd/pages.c:425
iopt_area_unpin_domain drivers/iommu/iommufd/pages.c:1687 [inline]
__iopt_area_unfill_domain+0xccf/0x1b90 drivers/iommu/iommufd/pages.c:1773
iopt_area_unfill_domain+0x100/0x140 drivers/iommu/iommufd/pages.c:1828
iopt_unfill_domain drivers/iommu/iommufd/io_pagetable.c:1025 [inline]
iopt_table_remove_domain+0xada/0x1010 drivers/iommu/iommufd/io_pagetable.c:1269
iommufd_hwpt_paging_destroy+0x21e/0x540 drivers/iommu/iommufd/hw_pagetable.c:30
iommufd_object_remove+0x4c8/0x6c0 drivers/iommu/iommufd/main.c:273
iommufd_object_put_and_try_destroy drivers/iommu/iommufd/iommufd_private.h:268 [inline]
iommufd_hw_pagetable_put drivers/iommu/iommufd/iommufd_private.h:461 [inline]
iommufd_hw_pagetable_detach+0x6e3/0xa10 drivers/iommu/iommufd/device.c:714
iommufd_device_detach+0x38/0xe0 drivers/iommu/iommufd/device.c:1059
iommufd_selftest_destroy+0x9e/0x100 drivers/iommu/iommufd/selftest.c:1951
iommufd_fops_release+0x1e0/0x5f0 drivers/iommu/iommufd/main.c:361
__fput+0x60e/0x1050 fs/file_table.c:468
____fput+0x25/0x30 fs/file_table.c:496
task_work_run+0x208/0x2b0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0x2ff/0x1b20 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x1d7/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable batch created at:
__iopt_area_unfill_domain+0xa8/0x1b90 drivers/iommu/iommufd/pages.c:1738
iopt_area_unfill_domain+0x100/0x140 drivers/iommu/iommufd/pages.c:1828
CPU: 0 UID: 0 PID: 6581 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
=====================================================
Tested on:
commit: 62085877 Merge tag 'kbuild-fixes-6.19-2' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1642c452580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8bf02b9e495b9fcd
dashboard link: https://syzkaller.appspot.com/bug?extid=df28076a30d726933015
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=158cc452580000
Thread overview: 7+ messages
2026-01-24 6:45 [syzbot] [iommu?] KMSAN: uninit-value in pfn_reader_next syzbot
2026-01-24 9:07 ` Forwarded: [PATCH] iommufd: Initialize pfn_reader in iopt_area_fill_domains() syzbot
2026-01-24 11:24 ` Forwarded: [PATCH] iommufd: Initialize batch structures in map/unmap paths syzbot
2026-01-24 12:46 ` Forwarded: [PATCH] iommufd: Initialize batch->kind in batch_clear() syzbot
2026-01-24 10:25 ` Re: [syzbot] [iommu?] KMSAN: uninit-value in pfn_reader_next syzbot (test result, in reply to <20260124090709.617302-1-kartikey406@gmail.com>)
2026-01-24 12:20 ` syzbot (in reply to <20260124112446.618792-1-kartikey406@gmail.com>; not included on this page)
2026-01-24 13:18 ` syzbot (in reply to <20260124124617.623091-1-kartikey406@gmail.com>; not included on this page)