[syzbot] [iommu?] KMSAN: uninit-value in pfn_reader_next

[syzbot] [iommu?] KMSAN: uninit-value in pfn_reader_next

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c072629f05d7 Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1716005a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8bf02b9e495b9fcd
dashboard link: https://syzkaller.appspot.com/bug?extid=df28076a30d726933015
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1436b79a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15a63d22580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b6b938ba4a72/disk-c072629f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bb1384b011b2/vmlinux-c072629f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1dd4bb2f206e/bzImage-c072629f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com

iommufd_mock iommufd_mock0: Adding to iommu group 0
=====================================================
BUG: KMSAN: uninit-value in batch_add_pfn_num drivers/iommu/iommufd/pages.c:365 [inline]
BUG: KMSAN: uninit-value in batch_add_pfn drivers/iommu/iommufd/pages.c:398 [inline]
BUG: KMSAN: uninit-value in batch_from_pages drivers/iommu/iommufd/pages.c:658 [inline]
BUG: KMSAN: uninit-value in pfn_reader_fill_span drivers/iommu/iommufd/pages.c:1220 [inline]
BUG: KMSAN: uninit-value in pfn_reader_next+0x1d5a/0x3e50 drivers/iommu/iommufd/pages.c:1247
 batch_add_pfn_num drivers/iommu/iommufd/pages.c:365 [inline]
 batch_add_pfn drivers/iommu/iommufd/pages.c:398 [inline]
 batch_from_pages drivers/iommu/iommufd/pages.c:658 [inline]
 pfn_reader_fill_span drivers/iommu/iommufd/pages.c:1220 [inline]
 pfn_reader_next+0x1d5a/0x3e50 drivers/iommu/iommufd/pages.c:1247
 pfn_reader_first+0xbcf/0xee0 drivers/iommu/iommufd/pages.c:1354
 iopt_area_fill_domains+0x202/0x1590 drivers/iommu/iommufd/pages.c:1917
 iopt_fill_domains_pages drivers/iommu/iommufd/io_pagetable.c:359 [inline]
 iopt_map_pages+0x1ba5/0x2130 drivers/iommu/iommufd/io_pagetable.c:387
 iopt_map_common+0x224/0x610 drivers/iommu/iommufd/io_pagetable.c:425
 iopt_map_user_pages+0x148/0x1c0 drivers/iommu/iommufd/io_pagetable.c:466
 iommufd_ioas_map+0x6a2/0x9b0 drivers/iommu/iommufd/ioas.c:270
 iommufd_fops_ioctl+0x82a/0x9e0 drivers/iommu/iommufd/main.c:533
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0x23c/0x400 fs/ioctl.c:583
 __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:583
 x64_sys_call+0x18a7/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable pfns created at:
 iopt_area_fill_domains+0x5c/0x1590 drivers/iommu/iommufd/pages.c:1900
 iopt_fill_domains_pages drivers/iommu/iommufd/io_pagetable.c:359 [inline]
 iopt_map_pages+0x1ba5/0x2130 drivers/iommu/iommufd/io_pagetable.c:387

CPU: 0 UID: 0 PID: 6065 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] iommufd: Initialize pfn_reader in iopt_area_fill_domains()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] iommufd: Initialize pfn_reader in iopt_area_fill_domains()
Author: kartikey406@gmail.com


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

KMSAN reported an uninitialized value in batch_add_pfn_num() when
accessing batch->npfns[] and batch->pfns[] arrays. This occurs because
struct pfn_reader pfns was declared without initialization, leaving
the embedded pfn_batch structure and its arrays uninitialized.

Initialize pfns to zero to ensure all fields and embedded structures
start in a known state.

Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/iommu/iommufd/pages.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index dbe51ecb9a20..a07373cf013c 100644
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -1897,7 +1897,7 @@ int iopt_area_fill_domains(struct iopt_area *area, struct iopt_pages *pages)
 	unsigned long done_all_end_index;
 	struct iommu_domain *domain;
 	unsigned long unmap_index;
-	struct pfn_reader pfns;
+	struct pfn_reader pfns = {};
 	unsigned long index;
 	int rc;
 
-- 
2.43.0

Forwarded: [PATCH] iommufd: Initialize batch structures in map/unmap paths

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] iommufd: Initialize batch structures in map/unmap paths
Author: kartikey406@gmail.com


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

KMSAN reported uninitialized values in batch processing for both the
map and unmap paths:

1. In iopt_area_fill_domains(), struct pfn_reader pfns was used
   uninitialized, causing warnings in batch_add_pfn_num() when
   accessing batch->npfns[] and batch->pfns[] arrays.

2. In __iopt_area_unfill_domain(), struct pfn_batch batch was used
   uninitialized, causing warnings in batch_from_domain() when
   accessing the same arrays.

Although some initialization functions are called on these structures,
they do not initialize all fields, leaving arrays and padding bytes
uninitialized.

Initialize both structures to zero to ensure all fields start in a
known state.

Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/iommu/iommufd/pages.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index dbe51ecb9a20..8c7681192a07 100644
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -1735,7 +1735,7 @@ static void __iopt_area_unfill_domain(struct iopt_area *area,
 	unsigned long start_index = iopt_area_index(area);
 	unsigned long unmapped_end_index = start_index;
 	u64 backup[BATCH_BACKUP_SIZE];
-	struct pfn_batch batch;
+	struct pfn_batch batch = {};
 
 	lockdep_assert_held(&pages->mutex);
 
@@ -1897,7 +1897,7 @@ int iopt_area_fill_domains(struct iopt_area *area, struct iopt_pages *pages)
 	unsigned long done_all_end_index;
 	struct iommu_domain *domain;
 	unsigned long unmap_index;
-	struct pfn_reader pfns;
+	struct pfn_reader pfns = {};
 	unsigned long index;
 	int rc;
 
-- 
2.43.0

Forwarded: [PATCH] iommufd: Initialize batch->kind in batch_clear()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] iommufd: Initialize batch->kind in batch_clear()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

KMSAN reported an uninitialized value when batch_add_pfn_num() reads
batch->kind. This occurs because batch_clear() does not initialize
the kind field, leaving it with garbage data when a struct pfn_batch
is declared on the stack.

When batch_add_pfn_num() checks "if (batch->kind != kind)", it reads
this uninitialized value, triggering KMSAN warnings.

Initialize batch->kind to zero in batch_clear() to ensure the field
always starts in a known state.

Reported-by: syzbot+df28076a30d726933015@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/iommu/iommufd/pages.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index dbe51ecb9a20..f606148920fa 100644
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -289,6 +289,7 @@ static void batch_clear(struct pfn_batch *batch)
 	batch->end = 0;
 	batch->pfns[0] = 0;
 	batch->npfns[0] = 0;
+	batch->kind = 0;
 }
 
 /*
-- 
2.43.0