[syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

[syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    faeab166167f Merge tag 'pinctrl-v7.1-1' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13728836580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=916f2f67e70d1263
dashboard link: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fe08f489aa35/disk-faeab166.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aef0d8ac5a5a/vmlinux-faeab166.xz
kernel image: https://storage.googleapis.com/syzbot-assets/35d09c9dfe78/bzImage-faeab166.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
 irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
 sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
 write_comp_data kernel/kcov.c:270 [inline]
 __sanitizer_cov_trace_cmp4+0x86/0x90 kernel/kcov.c:288
 do_csum lib/checksum.c:68 [inline]
 ip_fast_csum+0x24b/0x3f0 lib/checksum.c:99
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:842 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
 nsim_dev_trap_report_work+0x8c0/0x1430 drivers/net/netdevsim/dev.c:922
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4576 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 __do_kmalloc_node mm/slub.c:5294 [inline]
 __kmalloc_node_track_caller_noprof+0x4f6/0x1750 mm/slub.c:5403
 kmalloc_reserve net/core/skbuff.c:635 [inline]
 __alloc_skb+0x90d/0x1190 net/core/skbuff.c:713
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
 nsim_dev_trap_report_work+0x3f2/0x1430 drivers/net/netdevsim/dev.c:922
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

CPU: 0 UID: 0 PID: 55 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events_unbound nsim_dev_trap_report_work
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    66edb901bf87 Merge tag 'v7.1-p3' of git://git.kernel.org/p..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107b2dba580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5
dashboard link: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=126caece580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11f00d06580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9014c04fc561/disk-66edb901.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a96b1e11a924/vmlinux-66edb901.xz
kernel image: https://storage.googleapis.com/syzbot-assets/680236de6331/bzImage-66edb901.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
 irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
 sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
 encrypted_key_alloc+0x8c9/0xa70 security/keys/encrypted-keys/encrypted.c:641
 encrypted_instantiate+0x45e/0x3220 security/keys/encrypted-keys/encrypted.c:812
 __key_instantiate_and_link+0xfe/0x5d0 security/keys/key.c:446
 __key_create_or_update+0x12c4/0x1500 security/keys/key.c:941
 key_create_or_update+0x5f/0x80 security/keys/key.c:1021
 __do_sys_add_key security/keys/keyctl.c:134 [inline]
 __se_sys_add_key+0x656/0x870 security/keys/keyctl.c:74
 __x64_sys_add_key+0xe4/0x150 security/keys/keyctl.c:74
 x64_sys_call+0xd3f/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:249
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable dlen created at:
 encrypted_key_alloc+0x4f/0xa70 security/keys/encrypted-keys/encrypted.c:586
 encrypted_instantiate+0x45e/0x3220 security/keys/encrypted-keys/encrypted.c:812

CPU: 1 UID: 0 PID: 6291 Comm: syz.0.346 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
=====================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Forwarded: Re: [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [kernel?] KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
Author: pardhuvarma.kernel@gmail.com

#syz test

From cdf97dc0c3019448a000ee20b75d2ee7a7ca4bb8 Mon Sep 17 00:00:00 2001
From: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
Date: Sun, 3 May 2026 20:45:00 +0530
Subject: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN
 uninit-value on dlen

KMSAN reports an uninitialized-value use in encrypted_key_alloc()
due to dlen being referenced in a compound condition when kstrtol()
fails.

Split the condition to ensure dlen is only accessed after successful
initialization.

Preserve original error handling semantics.

Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
---
 security/keys/encrypted-keys/encrypted.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/keys/encrypted-keys/encrypted.c
b/security/keys/encrypted-keys/encrypted.c
index 56b531587a1e..4bf4b4e8f7b5 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -588,7 +588,9 @@ static struct encrypted_key_payload
*encrypted_key_alloc(struct key *key,
  int ret;

  ret = kstrtol(datalen, 10, &dlen);
- if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
+ if (ret < 0)
+ return ERR_PTR(-EINVAL);
+ if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
  return ERR_PTR(-EINVAL);

  format_len = (!format) ? strlen(key_format_default) : strlen(format);
-- 
2.54.0

Forwarded: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen
Author: pardhuvarma.kernel@gmail.com

#syz test

KMSAN reports an uninitialized-value use in encrypted_key_alloc()
due to dlen being referenced in a compound condition when kstrtol()
fails.

Split the condition to ensure dlen is only accessed after successful
initialization.

Preserve original error handling semantics.

Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
---
 security/keys/encrypted-keys/encrypted.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/keys/encrypted-keys/encrypted.c
b/security/keys/encrypted-keys/encrypted.c
index 56b531587a1e..4bf4b4e8f7b5 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -588,7 +588,9 @@ static struct encrypted_key_payload
*encrypted_key_alloc(struct key *key,
  int ret;

  ret = kstrtol(datalen, 10, &dlen);
- if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
+ if (ret < 0)
+ return ERR_PTR(-EINVAL);
+ if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
  return ERR_PTR(-EINVAL);

  format_len = (!format) ? strlen(key_format_default) : strlen(format);
-- 
2.54.0

On Mon, May 4, 2026 at 3:22 AM PardhuVarma Konduru <
pardhuvarma.kernel@gmail.com> wrote:

> KMSAN reports an uninitialized-value use in encrypted_key_alloc()
> due to dlen being referenced in a compound condition when kstrtol()
> fails.
>
> Split the condition to ensure dlen is only accessed after successful
> initialization.
>
> Preserve original error handling semantics.
>
> Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
> Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
> ---
>  security/keys/encrypted-keys/encrypted.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/security/keys/encrypted-keys/encrypted.c
> b/security/keys/encrypted-keys/encrypted.c
> index 56b531587a1e..4bf4b4e8f7b5 100644
> --- a/security/keys/encrypted-keys/encrypted.c
> +++ b/security/keys/encrypted-keys/encrypted.c
> @@ -588,7 +588,9 @@ static struct encrypted_key_payload
> *encrypted_key_alloc(struct key *key,
>         int ret;
>
>         ret = kstrtol(datalen, 10, &dlen);
> -       if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
> +       if (ret < 0)
> +               return ERR_PTR(-EINVAL);
> +       if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
>                 return ERR_PTR(-EINVAL);
>
>         format_len = (!format) ? strlen(key_format_default) :
> strlen(format);
> --
> 2.54.0
>
>

Forwarded: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH] security/keys/encrypted: encrypted_key_alloc(): fix KMSAN uninit-value on dlen
Author: pardhuvarma.kernel@gmail.com

#syz test


On Mon, May 4, 2026 at 7:45 PM PardhuVarma Konduru <
pardhuvarma.kernel@gmail.com> wrote:

> KMSAN reports an uninitialized-value use in encrypted_key_alloc()
> due to dlen being referenced in a compound condition when kstrtol()
> fails.
>
> Split the condition to ensure dlen is only accessed after successful
> initialization.
>
> Preserve original error handling semantics.
>
> Reported-by: syzbot+23d7fcd204e3837866ff@syzkaller.appspotmail.com
> Signed-off-by: PardhuVarma Konduru <pardhuvarma.kernel@gmail.com>
> ---
>  security/keys/encrypted-keys/encrypted.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/security/keys/encrypted-keys/encrypted.c
> b/security/keys/encrypted-keys/encrypted.c
> index 56b531587a1e..4bf4b4e8f7b5 100644
> --- a/security/keys/encrypted-keys/encrypted.c
> +++ b/security/keys/encrypted-keys/encrypted.c
> @@ -588,7 +588,9 @@ static struct encrypted_key_payload
> *encrypted_key_alloc(struct key *key,
>         int ret;
>
>         ret = kstrtol(datalen, 10, &dlen);
> -       if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
> +       if (ret < 0)
> +               return ERR_PTR(-EINVAL);
> +       if (dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
>                 return ERR_PTR(-EINVAL);
>
>         format_len = (!format) ? strlen(key_format_default) :
> strlen(format);
> --
> 2.54.0
>
>