From: syzbot <syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com>
To: kuniyu@google.com, linux-kernel@vger.kernel.org,
	matttbe@kernel.org,  mptcp@lists.linux.dev, pabeni@redhat.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mptcp?] KMSAN: uninit-value in mptcp_established_options
Date: Mon, 04 May 2026 04:14:01 -0700
Message-ID: <69f87f79.050a0220.3460d5.0002.GAE@google.com>
In-Reply-To: <67030b5e-0435-49fc-8adb-8dd8536ad853@kernel.org>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in mptcp_write_options

=====================================================
BUG: KMSAN: uninit-value in mptcp_write_options+0x410/0x32e0 net/mptcp/options.c:1462
 mptcp_write_options+0x410/0x32e0 net/mptcp/options.c:1462
 mptcp_options_write net/ipv4/tcp_output.c:457 [inline]
 tcp_options_write+0x1399/0x1920 net/ipv4/tcp_output.c:833
 __tcp_transmit_skb+0x36fe/0x5fe0 net/ipv4/tcp_output.c:1656
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499
 tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505
 __mptcp_subflow_send_ack net/mptcp/protocol.c:538 [inline]
 mptcp_subflow_send_ack net/mptcp/protocol.c:546 [inline]
 mptcp_send_ack net/mptcp/protocol.c:555 [inline]
 mptcp_check_data_fin+0xa61/0xf00 net/mptcp/protocol.c:643
 mptcp_worker+0xde4/0x1ea0 net/mptcp/protocol.c:2980
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was stored to memory at:
 mptcp_established_options_dss net/mptcp/options.c:616 [inline]
 mptcp_established_options+0x2265/0x3580 net/mptcp/options.c:876
 tcp_established_options+0x312/0xcc0 net/ipv4/tcp_output.c:1192
 __tcp_transmit_skb+0x5dc/0x5fe0 net/ipv4/tcp_output.c:1575
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499
 tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505
 __mptcp_subflow_send_ack net/mptcp/protocol.c:538 [inline]
 mptcp_subflow_send_ack net/mptcp/protocol.c:546 [inline]
 mptcp_send_ack net/mptcp/protocol.c:555 [inline]
 mptcp_check_data_fin+0xa61/0xf00 net/mptcp/protocol.c:643
 mptcp_worker+0xde4/0x1ea0 net/mptcp/protocol.c:2980
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Local variable opts created at:
 __tcp_transmit_skb+0x4d/0x5fe0 net/ipv4/tcp_output.c:1536
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499

CPU: 0 UID: 0 PID: 4890 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: events mptcp_worker
=====================================================


Tested on:

commit:         6d35786d Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123d6696580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5
dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1663f21f980000


Thread overview: 18+ messages
2026-05-01  6:15 [syzbot] [mptcp?] KMSAN: uninit-value in mptcp_established_options syzbot
2026-05-03 13:01 ` syzbot
2026-05-04  9:51 ` [PATCH] mptcp: fix " Matthieu Baerts (NGI0)
2026-05-04  9:59   ` Matthieu Baerts
2026-05-04 11:14     ` syzbot [this message]
2026-05-04 16:22     ` Paolo Abeni
2026-05-04 17:14       ` [syzbot] [mptcp?] " syzbot
2026-05-04 17:31       ` [PATCH] mptcp: fix " Paolo Abeni
2026-05-04 18:20         ` [syzbot] [mptcp?] " syzbot
2026-05-07  7:44           ` Matthieu Baerts
2026-05-08  9:27             ` Paolo Abeni
2026-05-08 10:11               ` Alexander Potapenko
2026-05-08 10:46                 ` Matthieu Baerts
2026-05-12  8:55                   ` Matthieu Baerts
2026-05-12  9:31                     ` Alexander Potapenko
2026-05-12 13:22                       ` Matthieu Baerts
2026-05-12 10:08                     ` syzbot
2026-05-04 11:02   ` [PATCH] mptcp: fix " MPTCP CI
