public inbox for linux-kernel@vger.kernel.org
* [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
@ 2025-10-20 15:48 syzbot
  2025-10-22  9:20 ` Forwarded: Test patch for KMSAN: uninit-value in sctp_inq_pop syzbot
  2025-10-22 18:00 ` Forwarded: Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3) syzbot
From: syzbot @ 2025-10-20 15:48 UTC (permalink / raw)
  To: davem, edumazet, horms, kuba, linux-kernel, linux-sctp,
	lucien.xin, marcelo.leitner, netdev, pabeni, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    d9043c79ba68 Merge tag 'sched_urgent_for_v6.18_rc2' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11168de2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
dashboard link: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14098d42580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118a9734580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/57a87b0986c0/disk-d9043c79.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/019c87e1df0a/vmlinux-d9043c79.xz
kernel image: https://storage.googleapis.com/syzbot-assets/54f8a8b0734b/bzImage-d9043c79.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in sctp_inq_pop+0x14dc/0x19e0 net/sctp/inqueue.c:211
 sctp_inq_pop+0x14dc/0x19e0 net/sctp/inqueue.c:211
 sctp_assoc_bh_rcv+0x1a0/0xbc0 net/sctp/associola.c:980
 sctp_inq_push+0x2a6/0x350 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1158
 __release_sock+0x1ef/0x380 net/core/sock.c:3180
 release_sock+0x6b/0x270 net/core/sock.c:3735
 sctp_sendmsg+0x3a2b/0x49f0 net/sctp/socket.c:2036
 inet_sendmsg+0x26c/0x2a0 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x278/0x3d0 net/socket.c:742
 sock_sendmsg+0x170/0x280 net/socket.c:765
 splice_to_socket+0x10e6/0x1a60 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 do_splice+0x1fd2/0x30d0 fs/splice.c:1351
 __do_splice fs/splice.c:1433 [inline]
 __do_sys_splice fs/splice.c:1636 [inline]
 __se_sys_splice+0x549/0x8c0 fs/splice.c:1618
 __x64_sys_splice+0x114/0x1a0 fs/splice.c:1618
 x64_sys_call+0x3140/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:276
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 sctp_inq_pop+0x144a/0x19e0 net/sctp/inqueue.c:207
 sctp_assoc_bh_rcv+0x1a0/0xbc0 net/sctp/associola.c:980
 sctp_inq_push+0x2a6/0x350 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1158
 __release_sock+0x1ef/0x380 net/core/sock.c:3180
 release_sock+0x6b/0x270 net/core/sock.c:3735
 sctp_sendmsg+0x3a2b/0x49f0 net/sctp/socket.c:2036
 inet_sendmsg+0x26c/0x2a0 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x278/0x3d0 net/socket.c:742
 sock_sendmsg+0x170/0x280 net/socket.c:765
 splice_to_socket+0x10e6/0x1a60 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 do_splice+0x1fd2/0x30d0 fs/splice.c:1351
 __do_splice fs/splice.c:1433 [inline]
 __do_sys_splice fs/splice.c:1636 [inline]
 __se_sys_splice+0x549/0x8c0 fs/splice.c:1618
 __x64_sys_splice+0x114/0x1a0 fs/splice.c:1618
 x64_sys_call+0x3140/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:276
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4969 [inline]
 slab_alloc_node mm/slub.c:5272 [inline]
 kmem_cache_alloc_node_noprof+0x989/0x16b0 mm/slub.c:5324
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 sctp_packet_transmit+0x44b/0x46d0 net/sctp/output.c:598
 sctp_outq_flush_transports net/sctp/outqueue.c:1173 [inline]
 sctp_outq_flush+0x1c7d/0x67c0 net/sctp/outqueue.c:1221
 sctp_outq_uncork+0x9e/0xc0 net/sctp/outqueue.c:764
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1204 [inline]
 sctp_do_sm+0x8c8e/0x9720 net/sctp/sm_sideeffect.c:1175
 sctp_primitive_SEND+0xd7/0x110 net/sctp/primitive.c:163
 sctp_sendmsg_to_asoc+0x1db8/0x2250 net/sctp/socket.c:1873
 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2031
 inet_sendmsg+0x26c/0x2a0 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x278/0x3d0 net/socket.c:742
 sock_sendmsg+0x170/0x280 net/socket.c:765
 splice_to_socket+0x10e6/0x1a60 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 do_splice+0x1fd2/0x30d0 fs/splice.c:1351
 __do_splice fs/splice.c:1433 [inline]
 __do_sys_splice fs/splice.c:1636 [inline]
 __se_sys_splice+0x549/0x8c0 fs/splice.c:1618
 __x64_sys_splice+0x114/0x1a0 fs/splice.c:1618
 x64_sys_call+0x3140/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:276
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 6071 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Forwarded: Test patch for KMSAN: uninit-value in sctp_inq_pop
  2025-10-20 15:48 [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3) syzbot
@ 2025-10-22  9:20 ` syzbot
  2025-10-22 18:00 ` Forwarded: Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3) syzbot
From: syzbot @ 2025-10-22  9:20 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Test patch for KMSAN: uninit-value in sctp_inq_pop
Author: vnranganath.20@gmail.com

#syz test

diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 5c1652181805..8c0a5e23bbb9 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -120,7 +120,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
  /* The assumption is that we are safe to process the chunks
  * at this time.
  */
-
+ chunk = kzalloc(sizeof(*chunk), gfp);
+ if (!chunk)
+ return NULL;
  chunk = queue->in_progress;
  if (chunk) {
  /* There is a packet that we have been working on.
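Review bot: the allocation in `+ chunk = kzalloc(sizeof(*chunk), gfp);` is dead code and a leak: three lines later the unchanged context line `chunk = queue->in_progress;` overwrites the pointer, so the zeroed struct is never used or freed. `gfp` is not a parameter or local of sctp_inq_pop(), which is exactly what the build failure "use of undeclared identifier 'gfp'" reports. More fundamentally, the KMSAN report attributes the uninitialised bytes to the skb data ("Uninit was created at: ... alloc_skb ... sctp_packet_transmit"), not to struct sctp_chunk, so zero-allocating the chunk struct cannot clear what is read at inqueue.c:211. Drop this hunk and look instead at how much of the skb payload the transmit path initialises before the packet reaches the local receive path.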


* Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
       [not found] <CAMz+-CNpOeZG5hbHmarKRtfWD8kcR2s_ma=k9F3dJRFw_XFq5g@mail.gmail.com>
@ 2025-10-22 10:54 ` syzbot
  2025-10-22 11:13   ` Ranganath V N
From: syzbot @ 2025-10-22 10:54 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs, vnranganath.20

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/sctp/inqueue.c:123:34: error: use of undeclared identifier 'gfp'


Tested on:

commit:         552c5071 Merge tag 'vfio-v6.18-rc3' of https://github...
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
dashboard link: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1044ce7c580000



* Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
  2025-10-22 10:54 ` syzbot
@ 2025-10-22 11:13   ` Ranganath V N
  2025-10-22 11:53     ` syzbot
From: Ranganath V N @ 2025-10-22 11:13 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs



#syz test




[-- Attachment #2: 0001-sctp-initalize-the-chunk-variable.patch --]
[-- Type: text/x-patch, Size: 843 bytes --]

From ddc2d90daba14fba7235b4d8daa945005048889b Mon Sep 17 00:00:00 2001
From: Ranganath V N <vnranganath.20@gmail.com>
Date: Wed, 22 Oct 2025 14:31:16 +0530
Subject: [PATCH] sctp: initialize the chunk variable

Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
 net/sctp/inqueue.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 5c1652181805..7f13d13f1796 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -120,7 +120,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
 	/* The assumption is that we are safe to process the chunks
 	 * at this time.
 	 */
-
+	chunk = kzalloc(sizeof(*chunk), GFP_ATOMIC);
+	if (!chunk)
+		return NULL;
 	chunk = queue->in_progress;
 	if (chunk) {
 		/* There is a packet that we have been working on.
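Review bot: same defect as the previous attempt, now with GFP_ATOMIC: `chunk = kzalloc(sizeof(*chunk), GFP_ATOMIC);` is immediately overwritten by the context line `chunk = queue->in_progress;`, so every call to sctp_inq_pop() leaks one struct sctp_chunk and the function's behaviour is otherwise unchanged. That matches syzbot's result that the reproducer still triggers "KMSAN: uninit-value in sctp_inq_pop", with the report's line numbers simply shifted by the net two added lines (inqueue.c:211 to 213, 207 to 209). The commit message also gives no description of the bug or why this would address it. This hunk should be dropped, not merged.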
-- 
2.43.0



* Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
  2025-10-22 11:13   ` Ranganath V N
@ 2025-10-22 11:53     ` syzbot
From: syzbot @ 2025-10-22 11:53 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs, vnranganath.20

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in sctp_inq_pop

=====================================================
BUG: KMSAN: uninit-value in sctp_inq_pop+0x159c/0x1aa0 net/sctp/inqueue.c:213
 sctp_inq_pop+0x159c/0x1aa0 net/sctp/inqueue.c:213
 sctp_assoc_bh_rcv+0x1a0/0xbc0 net/sctp/associola.c:980
 sctp_inq_push+0x2a6/0x350 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1158
 __release_sock+0x1ef/0x380 net/core/sock.c:3180
 release_sock+0x6b/0x270 net/core/sock.c:3735
 sctp_sendmsg+0x3a2b/0x49f0 net/sctp/socket.c:2036
 inet_sendmsg+0x26c/0x2a0 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x278/0x3d0 net/socket.c:742
 sock_sendmsg+0x170/0x280 net/socket.c:765
 splice_to_socket+0x10e6/0x1a60 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 do_splice+0x1fd2/0x30d0 fs/splice.c:1351
 __do_splice fs/splice.c:1433 [inline]
 __do_sys_splice fs/splice.c:1636 [inline]
 __se_sys_splice+0x549/0x8c0 fs/splice.c:1618
 __x64_sys_splice+0x114/0x1a0 fs/splice.c:1618
 x64_sys_call+0x3140/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:276
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 sctp_inq_pop+0x150b/0x1aa0 net/sctp/inqueue.c:209
 sctp_assoc_bh_rcv+0x1a0/0xbc0 net/sctp/associola.c:980
 sctp_inq_push+0x2a6/0x350 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1158
 __release_sock+0x1ef/0x380 net/core/sock.c:3180
 release_sock+0x6b/0x270 net/core/sock.c:3735
 sctp_sendmsg+0x3a2b/0x49f0 net/sctp/socket.c:2036
 inet_sendmsg+0x26c/0x2a0 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x278/0x3d0 net/socket.c:742
 sock_sendmsg+0x170/0x280 net/socket.c:765
 splice_to_socket+0x10e6/0x1a60 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 do_splice+0x1fd2/0x30d0 fs/splice.c:1351
 __do_splice fs/splice.c:1433 [inline]
 __do_sys_splice fs/splice.c:1636 [inline]
 __se_sys_splice+0x549/0x8c0 fs/splice.c:1618
 __x64_sys_splice+0x114/0x1a0 fs/splice.c:1618
 x64_sys_call+0x3140/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:276
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4969 [inline]
 slab_alloc_node mm/slub.c:5272 [inline]
 kmem_cache_alloc_node_noprof+0x989/0x16b0 mm/slub.c:5324
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 sctp_packet_transmit+0x44b/0x46d0 net/sctp/output.c:598
 sctp_outq_flush_transports net/sctp/outqueue.c:1173 [inline]
 sctp_outq_flush+0x1c7d/0x67c0 net/sctp/outqueue.c:1221
 sctp_outq_uncork+0x9e/0xc0 net/sctp/outqueue.c:764
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1204 [inline]
 sctp_do_sm+0x8c8e/0x9720 net/sctp/sm_sideeffect.c:1175
 sctp_primitive_SEND+0xd7/0x110 net/sctp/primitive.c:163
 sctp_sendmsg_to_asoc+0x1db8/0x2250 net/sctp/socket.c:1873
 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2031
 inet_sendmsg+0x26c/0x2a0 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x278/0x3d0 net/socket.c:742
 sock_sendmsg+0x170/0x280 net/socket.c:765
 splice_to_socket+0x10e6/0x1a60 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 do_splice+0x1fd2/0x30d0 fs/splice.c:1351
 __do_splice fs/splice.c:1433 [inline]
 __do_sys_splice fs/splice.c:1636 [inline]
 __se_sys_splice+0x549/0x8c0 fs/splice.c:1618
 __x64_sys_splice+0x114/0x1a0 fs/splice.c:1618
 x64_sys_call+0x3140/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:276
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 6609 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
=====================================================


Tested on:

commit:         552c5071 Merge tag 'vfio-v6.18-rc3' of https://github...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=145e2d42580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
dashboard link: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=165fd734580000



* Forwarded: Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
  2025-10-20 15:48 [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3) syzbot
  2025-10-22  9:20 ` Forwarded: Test patch for KMSAN: uninit-value in sctp_inq_pop syzbot
@ 2025-10-22 18:00 ` syzbot
From: syzbot @ 2025-10-22 18:00 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
Author: vnranganath.20@gmail.com

#syz test



* Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
       [not found] <CAMz+-CNCHqKbcvi7F7J_eBDMm_9J+eWvSC2WkJVzQRHLJiy8=w@mail.gmail.com>
@ 2025-10-22 21:50 ` syzbot
From: syzbot @ 2025-10-22 21:50 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs, vnranganath.20

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com

Tested on:

commit:         dd72c8fc Merge tag 'platform-drivers-x86-v6.18-2' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10aed3e2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
dashboard link: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10bee3e2580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
       [not found] <CAMz+-CNTx59R=xw9UQVDUSoE16pqPx3y-EzJT8z0HiF-=qAC_A@mail.gmail.com>
@ 2025-10-23 18:00 ` syzbot
  2025-10-24  6:33   ` Ranganath V N
From: syzbot @ 2025-10-23 18:00 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs, vnranganath.20

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/sctp/input.c
patch: **** unexpected end of file in patch



Tested on:

commit:         ab431bc3 Merge tag 'net-6.18-rc3' of git://git.kernel...
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
dashboard link: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12cec3e2580000



* Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
  2025-10-23 18:00 ` syzbot
@ 2025-10-24  6:33   ` Ranganath V N
  2025-10-24  7:37     ` syzbot
From: Ranganath V N @ 2025-10-24  6:33 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs



#syz test



[-- Attachment #2: 0001-net-sctp-fix-KMSAN-uninit-value-in-sctp_inq_pop.patch --]
[-- Type: text/x-patch, Size: 1552 bytes --]

From b1298215f873c1e98850ee13a312f422f15f13ff Mon Sep 17 00:00:00 2001
From: Ranganath V N <vnranganath.20@gmail.com>
Date: Thu, 23 Oct 2025 15:14:20 +0530
Subject: [PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop

Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
while parsing an SCTP chunk header received from a locally transmitted packet.

BUG: KMSAN: uninit-value in sctp_inq_pop

The skb allocated in sctp_packet_transmit() contains uninitialized bytes.
The sctp transmit path writes only the necessary header and chunk data;
the receive path reads from uninitialized parts of the skb, triggering KMSAN.

Fix this by explicitly zeroing the skb payload area after allocation
and reservation, ensuring all future reads from this region are fully
initialized.

Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
 net/sctp/input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 7e99894778d4..e119e460ccde 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -190,7 +190,7 @@ int sctp_rcv(struct sk_buff *skb)
 		goto discard_release;
 	nf_reset_ct(skb);
 
-	if (sk_filter(sk, skb))
+	if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr))
 		goto discard_release;
 
 	/* Create an SCTP packet structure. */
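Review bot: the diff and the commit message disagree: the message says the fix "explicitly zero[es] the skb payload area after allocation and reservation", but the hunk touches only the receive side, adding `skb->len < sizeof(struct sctp_chunkhdr)` to the discard condition in sctp_rcv() and zeroing nothing. One of the two has to change. If the length check is the intended fix, the message should explain why discarding packets shorter than a chunk header at this point in sctp_rcv() prevents the read at inqueue.c:211 that KMSAN attributes to an skb allocated in sctp_packet_transmit(); syzbot no longer reproducing is necessary but not sufficient, as its own footer says testing is best-effort. Style-wise, folding a length check into the `sk_filter(sk, skb)` condition hides it; give it its own `if` with a one-line comment. Finally, `Fixes: https://syzkaller.appspot.com/bug?extid=...` is not a valid Fixes: tag, which must name the offending commit as `Fixes: <12-char sha> ("subject")`; the dashboard URL belongs in a Closes: (or Link:) line next to the Reported-by:.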
-- 
2.43.0



* Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)
  2025-10-24  6:33   ` Ranganath V N
@ 2025-10-24  7:37     ` syzbot
From: syzbot @ 2025-10-24  7:37 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs, vnranganath.20

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com

Tested on:

commit:         6fab32bb MAINTAINERS: add Mark Brown as a linux-next m..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10eeae7c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
dashboard link: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=141dc614580000

Note: testing is done by a robot and is best-effort only.

