Message-ID: <5841afcc-13ea-4bee-8645-634a02e76c4f@redhat.com>
Date: Mon, 4 May 2026 18:22:54 +0200
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mptcp: fix KMSAN: uninit-value in mptcp_established_options
To: mptcp@lists.linux.dev
Cc: syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com, Kuniyuki Iwashima, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, Matthieu Baerts
References: <69f44505.050a0220.3cbe47.0008.GAE@google.com> <20260504095101.852039-2-matttbe@kernel.org> <67030b5e-0435-49fc-8adb-8dd8536ad853@kernel.org>
From: Paolo Abeni
In-Reply-To: <67030b5e-0435-49fc-8adb-8dd8536ad853@kernel.org>

On 5/4/26 11:59 AM, Matthieu Baerts wrote:
>
> Sorry for the noise: I forgot to add the syzbot instruction... (and I
> forgot to remove the MPTCP ML from the sendmail.to option).

I did not take into account all the possible corner cases. Let's be a
little more conservative.

#syz test
--- diff --git a/include/net/mptcp.h b/include/net/mptcp.h index f7263fe2a2e4..0763fd6f7758 100644 --- a/include/net/mptcp.h +++ b/include/net/mptcp.h @@ -27,6 +27,9 @@ struct mptcp_ext { u32 subflow_seq; u16 data_len; __sum16 csum; + + struct_group(flags, + u8 use_map:1, dsn64:1, data_fin:1, @@ -38,6 +41,8 @@ struct mptcp_ext { u8 reset_reason:4, csum_reqd:1, infinite_map:1; + + ); /* end of flags group */ }; #define MPTCPOPT_HMAC_LEN 20 diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 8a1c5698983c..3fd40dbff82b 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -572,6 +572,11 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb, bool ret = false; u64 ack_seq; + /* Zero `can_ack` and `use_map` flags with one shot. */ + BUILD_BUG_ON(sizeof_field(struct mptcp_ext, flags) != sizeof(u16)); + BUILD_BUG_ON(!IS_ALIGNED(offsetof(struct mptcp_ext, flags), + sizeof(u16))); + *(u16 *)&opts->ext_copy.flags = 0; opts->csum_reqd = READ_ONCE(msk->csum_enabled); mpext = skb ? mptcp_get_ext(skb) : NULL; 
@@ -595,7 +600,6 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb, /* passive sockets msk will set the 'can_ack' after accept(), even * if the first subflow may have the already the remote key handy */ - opts->ext_copy.use_ack = 0; if (!READ_ONCE(msk->can_ack)) { *size = ALIGN(dss_size, 4); return ret;
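Review bot: the new `struct_group(flags, ...)` in struct mptcp_ext (include/net/mptcp.h) has no comment saying why these bitfields are grouped or that the group must stay exactly 16 bits. The only enforcement is the BUILD_BUG_ON pair in net/mptcp/options.c, so someone adding a flag here gets a build failure in another file with no hint at the definition. Suggest a short comment at the opening of the group stating the size constraint and naming mptcp_established_options_dss() as the user that relies on it.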
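Review bot: the comment above the new store in the first net/mptcp/options.c hunk names `can_ack`, but the line this patch removes further down is `opts->ext_copy.use_ack = 0;` and the only `can_ack` in view is `msk->can_ack`, so it presumably should read `use_ack`. The store also clears every bit in the `flags` group (the header hunks show `data_fin`, `reset_reason`, `csum_reqd` and `infinite_map` inside it), not just two flags, so the comment should say the whole group is zeroed. Consider `memset(&opts->ext_copy.flags, 0, sizeof(opts->ext_copy.flags));` in place of the `*(u16 *)` cast, which would make both BUILD_BUG_ON checks unnecessary.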
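Review bot: with `opts->ext_copy.use_ack = 0;` removed just ahead of the `if (!READ_ONCE(msk->can_ack))` early return in the second net/mptcp/options.c hunk, that return path now depends on the store added at the top of the function still being in effect here. The lines between the two hunks are not shown in this patch; please confirm that nothing in between writes `opts->ext_copy` (for example a copy from `mpext`), or keep the explicit clear at this point.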