Message-ID: <672f5b7d-6fa0-41c5-a950-2890028c8572@redhat.com>
Date: Fri, 8 May 2026 11:27:00 +0200
Subject: Re: [syzbot] [mptcp?] KMSAN: uninit-value in mptcp_established_options
To: Matthieu Baerts, kuniyu@google.com
Cc: syzbot, linux-kernel@vger.kernel.org, mptcp@lists.linux.dev, syzkaller-bugs@googlegroups.com
References: <69f8e352.170a0220.bb392.0005.GAE@google.com> <2a9bde65-d2de-44cc-9192-e7aa8a0935a7@kernel.org>
From: Paolo Abeni
In-Reply-To: <2a9bde65-d2de-44cc-9192-e7aa8a0935a7@kernel.org>

On 5/7/26 9:44 AM, Matthieu Baerts wrote:
> Hi Paolo, Kuniyuki,
>
> On 04/05/2026 20:20, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
>
> It looks like the issue is different now:
>
>> =====================================================
>> BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>> irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>> irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
>> irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
>> sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
>> asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
>> kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125
>> kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
>> get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
>> __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
>> tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589
>> tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
>> tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852
>> sk_backlog_rcv include/net/sock.h:1190 [inline]
>
> That's the input side.
>
>> __release_sock+0x360/0x7d0 net/core/sock.c:3216
>> release_sock+0x22d/0x300 net/core/sock.c:3815
>> mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
>> mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
>> __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
>> __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
>> mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
>> inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
>> __sock_release net/socket.c:722 [inline]
>> sock_close+0xd6/0x2f0 net/socket.c:1514
>> __fput+0x60e/0x1010 fs/file_table.c:510
>> ____fput+0x25/0x30 fs/file_table.c:538
>> task_work_run+0x208/0x2b0 kernel/task_work.c:233
>> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>> __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
>> exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
>> __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
>> syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
>> syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
>> do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Local variable mp_opt created at:
>> mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171
>
> Confirmed here. With "struct mptcp_options_received" while the original
> issue was with "struct mptcp_out_options".
>
> Plus I'm not exactly sure to understand the issue here: mp_opt is
> defined and used only in mptcp_incoming_options(), and I don't see
> anything using it after the end of this function. Or did I miss something?

I also had a hard time understanding the backtrace, I think some frames are
omitted/missing (it happens sometimes, IDK why), specifically the one related
to mptcp_options_received() - which would be useful to understand the issue.

/P