Just to let syzbot testing it.
See Paolo's suggestion from [1].
Link: https://lore.kernel.org/6d342ef2-d480-4be6-afad-a3841cf205a8@redhat.com [1]
Fixes: cfcceb7a39fc ("tcp: shrink per-packet memset in __tcp_transmit_skb()")
Reported-by: syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69f44505.050a0220.3cbe47.0008.GAE@google.com
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
---
Cc: Kuniyuki Iwashima <kuniyu@google.com>
Cc: syzkaller-bugs@googlegroups.com
Cc: linux-kernel@vger.kernel.org
---
net/mptcp/options.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 8a1c5698983c..24903a12a4e0 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -583,6 +583,8 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb,
map_size += TCPOLEN_MPTCP_DSS_CHECKSUM;
opts->ext_copy = *mpext;
+ } else {
+ opts->ext_copy.use_map = 0;
}
dss_size = map_size;
--
2.53.0Hi Matthieu,
Thank you for your modifications, that's great!
Our CI did some validations and here is its report:
- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Unstable: 1 failed test(s): packetdrill_dss ⚠️
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/25313209741
Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/f5d0fa2e42ba
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1089187
If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:
$ cd [kernel source code]
$ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
--pull always mptcp/mptcp-upstream-virtme-docker:latest \
auto-normal
For more details:
https://github.com/multipath-tcp/mptcp-upstream-virtme-docker
Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)
Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)
Hello,
On 04/05/2026 11:51, Matthieu Baerts (NGI0) wrote:
> Just to let syzbot testing it.
Sorry for the noise: I forgot to add the syzbot instruction... (and I
forgot to remove the MPTCP ML from the sendmail.to option).
Hopefully now the following is correct:
#syz test
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 8a1c5698983c..24903a12a4e0 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -583,6 +583,8 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb,
map_size += TCPOLEN_MPTCP_DSS_CHECKSUM;
opts->ext_copy = *mpext;
+ } else {
+ opts->ext_copy.use_map = 0;
}
dss_size = map_size;
On 5/4/26 11:59 AM, Matthieu Baerts wrote:
>
> Sorry for the noise: I forgot to add the syzbot instruction... (and I
> forgot to remove the MPTCP ML from the sendmail.to option).
I did not take in account all the possible corner cases.
Let's be a little more conservative.
#syz test
---
diff --git a/include/net/mptcp.h b/include/net/mptcp.h
index f7263fe2a2e4..0763fd6f7758 100644
--- a/include/net/mptcp.h
+++ b/include/net/mptcp.h
@@ -27,6 +27,9 @@ struct mptcp_ext {
u32 subflow_seq;
u16 data_len;
__sum16 csum;
+
+ struct_group(flags,
+
u8 use_map:1,
dsn64:1,
data_fin:1,
@@ -38,6 +41,8 @@ struct mptcp_ext {
u8 reset_reason:4,
csum_reqd:1,
infinite_map:1;
+
+ ); /* end of flags group */
};
#define MPTCPOPT_HMAC_LEN 20
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 8a1c5698983c..3fd40dbff82b 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -572,6 +572,11 @@ static bool mptcp_established_options_dss(struct
sock *sk, struct sk_buff *skb,
bool ret = false;
u64 ack_seq;
+ /* Zero `can_ack` and `use_map` flags with one shot. */
+ BUILD_BUG_ON(sizeof_field(struct mptcp_ext, flags) != sizeof(u16));
+ BUILD_BUG_ON(!IS_ALIGNED(offsetof(struct mptcp_ext, flags),
+ sizeof(u16)));
+ *(u16 *)&opts->ext_copy.flags = 0;
opts->csum_reqd = READ_ONCE(msk->csum_enabled);
mpext = skb ? mptcp_get_ext(skb) : NULL;
@@ -595,7 +600,6 @@ static bool mptcp_established_options_dss(struct
sock *sk, struct sk_buff *skb,
/* passive sockets msk will set the 'can_ack' after accept(), even
* if the first subflow may have the already the remote key handy
*/
- opts->ext_copy.use_ack = 0;
if (!READ_ONCE(msk->can_ack)) {
*size = ALIGN(dss_size, 4);
return ret;
On 5/4/26 6:22 PM, Paolo Abeni wrote: > On 5/4/26 11:59 AM, Matthieu Baerts wrote: >> >> Sorry for the noise: I forgot to add the syzbot instruction... (and I >> forgot to remove the MPTCP ML from the sendmail.to option). > > I did not take in account all the possible corner cases. > > Let's be a little more conservative. Darn... the last upgrade here broke the line (un)wrap extension. Let me attach the patch. Sorry for the spam. #syz test
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt ===================================================== BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472 irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline] irqentry_exit+0x7b/0x760 kernel/entry/common.c:164 sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697 kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125 kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102 get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline] __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93 tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589 tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656 tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852 sk_backlog_rcv include/net/sock.h:1190 [inline] __release_sock+0x360/0x7d0 net/core/sock.c:3216 release_sock+0x22d/0x300 net/core/sock.c:3815 mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144 mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218 __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline] __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313 mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367 inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442 __sock_release net/socket.c:722 [inline] sock_close+0xd6/0x2f0 net/socket.c:1514 __fput+0x60e/0x1010 fs/file_table.c:510 ____fput+0x25/0x30 fs/file_table.c:538 task_work_run+0x208/0x2b0 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:67 [inline] exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline] do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable mp_opt created at: mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171 tcp_data_queue+0x80/0x7c90 net/ipv4/tcp_input.c:5584 CPU: 1 UID: 0 PID: 8009 Comm: syz.0.635 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 ===================================================== Tested on: commit: 6d35786d Merge tag 'for-linus' of git://git.kernel.org.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10070d06580000 kernel config: https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5 dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478 compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=13d0b96a580000
Hello, syzbot tried to test the proposed patch but the build/boot failed: failed to apply patch: checking file include/net/mptcp.h checking file net/mptcp/options.c patch: **** unexpected end of file in patch Tested on: commit: 6d35786d Merge tag 'for-linus' of git://git.kernel.org.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5 dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478 compiler: patch: https://syzkaller.appspot.com/x/patch.diff?x=12558ad2580000
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KMSAN: uninit-value in mptcp_write_options ===================================================== BUG: KMSAN: uninit-value in mptcp_write_options+0x410/0x32e0 net/mptcp/options.c:1462 mptcp_write_options+0x410/0x32e0 net/mptcp/options.c:1462 mptcp_options_write net/ipv4/tcp_output.c:457 [inline] tcp_options_write+0x1399/0x1920 net/ipv4/tcp_output.c:833 __tcp_transmit_skb+0x36fe/0x5fe0 net/ipv4/tcp_output.c:1656 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499 tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505 __mptcp_subflow_send_ack net/mptcp/protocol.c:538 [inline] mptcp_subflow_send_ack net/mptcp/protocol.c:546 [inline] mptcp_send_ack net/mptcp/protocol.c:555 [inline] mptcp_check_data_fin+0xa61/0xf00 net/mptcp/protocol.c:643 mptcp_worker+0xde4/0x1ea0 net/mptcp/protocol.c:2980 process_one_work kernel/workqueue.c:3302 [inline] process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466 kthread+0x53f/0x600 kernel/kthread.c:436 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Uninit was stored to memory at: mptcp_established_options_dss net/mptcp/options.c:616 [inline] mptcp_established_options+0x2265/0x3580 net/mptcp/options.c:876 tcp_established_options+0x312/0xcc0 net/ipv4/tcp_output.c:1192 __tcp_transmit_skb+0x5dc/0x5fe0 net/ipv4/tcp_output.c:1575 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499 tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505 __mptcp_subflow_send_ack net/mptcp/protocol.c:538 [inline] mptcp_subflow_send_ack net/mptcp/protocol.c:546 [inline] mptcp_send_ack net/mptcp/protocol.c:555 [inline] mptcp_check_data_fin+0xa61/0xf00 net/mptcp/protocol.c:643 mptcp_worker+0xde4/0x1ea0 net/mptcp/protocol.c:2980 process_one_work kernel/workqueue.c:3302 [inline] process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466 kthread+0x53f/0x600 kernel/kthread.c:436 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Local variable opts created at: __tcp_transmit_skb+0x4d/0x5fe0 net/ipv4/tcp_output.c:1536 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499 CPU: 0 UID: 0 PID: 4890 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 Workqueue: events mptcp_worker ===================================================== Tested on: commit: 6d35786d Merge tag 'for-linus' of git://git.kernel.org.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=123d6696580000 kernel config: https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5 dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478 compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=1663f21f980000
© 2016 - 2026 Red Hat, Inc.