Just to let syzbot test it.
See Paolo's suggestion from [1].
Link: https://lore.kernel.org/6d342ef2-d480-4be6-afad-a3841cf205a8@redhat.com [1]
Fixes: cfcceb7a39fc ("tcp: shrink per-packet memset in __tcp_transmit_skb()")
Reported-by: syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/69f44505.050a0220.3cbe47.0008.GAE@google.com
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
---
Cc: Kuniyuki Iwashima <kuniyu@google.com>
Cc: syzkaller-bugs@googlegroups.com
Cc: linux-kernel@vger.kernel.org
---
net/mptcp/options.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 8a1c5698983c..24903a12a4e0 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -583,6 +583,8 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb,
map_size += TCPOLEN_MPTCP_DSS_CHECKSUM;
opts->ext_copy = *mpext;
+ } else {
+ opts->ext_copy.use_map = 0;
}
dss_size = map_size;
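Review bot: the new `else` branch clears only `use_map`, so every other bit-field in `opts->ext_copy` keeps whatever the caller's `opts` held before, and the Fixes: tag points at a commit that shrank the per-packet memset in __tcp_transmit_skb(), so those bits can be stale too; `use_ack` is meanwhile cleared at a different point further down in the same function (the `opts->ext_copy.use_ack = 0;` line that Paolo's follow-up patch in this thread removes). Clearing all of the ext_copy flags at one place would be easier to reason about than per-flag clears in two places, and the commit message should describe the problem rather than only "Just to let syzbot test it".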
--
2.53.0
Hi Matthieu,
Thank you for your modifications, that's great!
Our CI did some validations and here is its report:
- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Unstable: 1 failed test(s): packetdrill_dss ⚠️
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/25313209741
Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/f5d0fa2e42ba
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1089187
If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:
$ cd [kernel source code]
$ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
--pull always mptcp/mptcp-upstream-virtme-docker:latest \
auto-normal
For more details:
https://github.com/multipath-tcp/mptcp-upstream-virtme-docker
Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)
Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)
Hello,
On 04/05/2026 11:51, Matthieu Baerts (NGI0) wrote:
> Just to let syzbot test it.
Sorry for the noise: I forgot to add the syzbot instruction... (and I
forgot to remove the MPTCP ML from the sendmail.to option).
Hopefully now the following is correct:
#syz test
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 8a1c5698983c..24903a12a4e0 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -583,6 +583,8 @@ static bool mptcp_established_options_dss(struct sock *sk, struct sk_buff *skb,
map_size += TCPOLEN_MPTCP_DSS_CHECKSUM;
opts->ext_copy = *mpext;
+ } else {
+ opts->ext_copy.use_map = 0;
}
dss_size = map_size;
On 5/4/26 11:59 AM, Matthieu Baerts wrote:
>
> Sorry for the noise: I forgot to add the syzbot instruction... (and I
> forgot to remove the MPTCP ML from the sendmail.to option).
I did not take into account all the possible corner cases.
Let's be a little more conservative.
#syz test
---
diff --git a/include/net/mptcp.h b/include/net/mptcp.h
index f7263fe2a2e4..0763fd6f7758 100644
--- a/include/net/mptcp.h
+++ b/include/net/mptcp.h
@@ -27,6 +27,9 @@ struct mptcp_ext {
u32 subflow_seq;
u16 data_len;
__sum16 csum;
+
+ struct_group(flags,
+
u8 use_map:1,
dsn64:1,
data_fin:1,
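Review bot: the bare `+` blank lines added before and after `struct_group(flags,` (and before the closing `);` in the next hunk) leave empty lines inside the group, which reads oddly next to the tightly packed bit-field lists; dropping them keeps the group visually one block. It would also help to add a comment on the group stating the constraint that options.c asserts (`sizeof_field(struct mptcp_ext, flags) == sizeof(u16)`), so that whoever adds a flag here learns about it from the header rather than from a BUILD_BUG_ON in another file.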
@@ -38,6 +41,8 @@ struct mptcp_ext {
u8 reset_reason:4,
csum_reqd:1,
infinite_map:1;
+
+ ); /* end of flags group */
};
#define MPTCPOPT_HMAC_LEN 20
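Review bot: `); /* end of flags group */` closes the group, but the members between `data_fin:1` (first hunk) and `reset_reason:4` (this hunk) fall outside the diff context, so a reviewer cannot tell from the patch alone which fields end up inside the group and are therefore zeroed on every packet; please list them in the commit message, or widen the context so the whole group is visible.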
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 8a1c5698983c..3fd40dbff82b 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -572,6 +572,11 @@ static bool mptcp_established_options_dss(struct
sock *sk, struct sk_buff *skb,
bool ret = false;
u64 ack_seq;
+ /* Zero `can_ack` and `use_map` flags with one shot. */
+ BUILD_BUG_ON(sizeof_field(struct mptcp_ext, flags) != sizeof(u16));
+ BUILD_BUG_ON(!IS_ALIGNED(offsetof(struct mptcp_ext, flags),
+ sizeof(u16)));
+ *(u16 *)&opts->ext_copy.flags = 0;
opts->csum_reqd = READ_ONCE(msk->csum_enabled);
mpext = skb ? mptcp_get_ext(skb) : NULL;
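Review bot: the comment `/* Zero `can_ack` and `use_map` flags with one shot. */` names `can_ack`, but `can_ack` is the msk field tested further down (`if (!READ_ONCE(msk->can_ack))` in the next hunk); the ext_copy flag being folded into this clear is `use_ack`, so the comment should say `use_ack`. Separately, `*(u16 *)&opts->ext_copy.flags = 0;` writes through a type-punned pointer, which is why the alignment BUILD_BUG_ON is needed; `memset(&opts->ext_copy.flags, 0, sizeof(opts->ext_copy.flags));` expresses the same intent without the cast or the alignment assertion, and with the size assertion kept, the compiler can lower it to the same single store.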
@@ -595,7 +600,6 @@ static bool mptcp_established_options_dss(struct
sock *sk, struct sk_buff *skb,
/* passive sockets msk will set the 'can_ack' after accept(), even
* if the first subflow may have the already the remote key handy
*/
- opts->ext_copy.use_ack = 0;
if (!READ_ONCE(msk->can_ack)) {
*size = ALIGN(dss_size, 4);
return ret;
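Review bot: removing `opts->ext_copy.use_ack = 0;` is only correct because the group-wide zeroing added at the top of the function now covers it, but the lines between the two hunks (577 to 600) are not part of the diff, so a reader of this hunk cannot see that nothing sets `use_ack` in between; a sentence in the commit message, or a short comment left here, would make that dependency explicit. The unchanged comment above also has a word-order slip ("may have the already the remote key handy" should read "may already have the remote key handy") that could be fixed while touching these lines.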
On 5/4/26 6:22 PM, Paolo Abeni wrote:
> On 5/4/26 11:59 AM, Matthieu Baerts wrote:
>>
>> Sorry for the noise: I forgot to add the syzbot instruction... (and I
>> forgot to remove the MPTCP ML from the sendmail.to option).
>
> I did not take into account all the possible corner cases.
>
> Let's be a little more conservative.

Darn... the last upgrade here broke the line (un)wrap extension. Let me
attach the patch. Sorry for the spam.

#syz test
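The approach in Paolo's patch above, zeroing a whole group of bit-field flags with one store after asserting the group's size and alignment at compile time, modelled in userspace C as an added example. This is not code from the thread or from the kernel: struct_group(), sizeof_field() and BUILD_BUG_ON() are re-implemented in plain C11, and struct ext_model is a constructed stand-in that only borrows field names seen in the thread (use_map, dsn64, data_fin, use_ack, reset_reason, csum_reqd, infinite_map, with padding bits in place of the fields the diff does not show), not the real struct mptcp_ext layout. It contrasts clearing individual flags, which leaves any flag not named stale once a per-packet memset no longer wipes the struct, with clearing the group as a unit.

```c
/*
 * Added example (not from the thread or the kernel): userspace model of
 * "zero the whole flags group in one shot". struct ext_model is a
 * CONSTRUCTED stand-in, not the real struct mptcp_ext.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the kernel's struct_group(): an anonymous union of an
 * anonymous struct (direct member access, e->use_map) and a named struct
 * (whole-group access, e->flags). */
#define STRUCT_GROUP(NAME, ...) \
	union { struct { __VA_ARGS__ }; struct { __VA_ARGS__ } NAME; }
#define SIZEOF_FIELD(TYPE, MEMBER) sizeof(((TYPE *)0)->MEMBER)
#define BUILD_BUG_ON(cond) _Static_assert(!(cond), #cond)

struct ext_model {
	uint64_t data_seq;
	uint32_t subflow_seq;
	uint16_t data_len;
	uint16_t csum;
	STRUCT_GROUP(flags,
		/* pad bits stand in for the flags the diff does not show */
		uint8_t use_map:1, dsn64:1, data_fin:1, use_ack:1, pad0:4;
		uint8_t reset_reason:4, csum_reqd:1, infinite_map:1, pad1:2;
	);
};

/* The two layout guarantees the patch asserts at compile time: the group
 * is exactly one u16 wide and sits at a u16-aligned offset, so a single
 * 16-bit store clears every flag and nothing else. */
BUILD_BUG_ON(SIZEOF_FIELD(struct ext_model, flags) != sizeof(uint16_t));
BUILD_BUG_ON(offsetof(struct ext_model, flags) % sizeof(uint16_t) != 0);

/* 1 if no flag bit is set. */
static int flags_all_zero(const struct ext_model *e)
{
	return !e->use_map && !e->dsn64 && !e->data_fin && !e->use_ack &&
	       !e->pad0 && !e->reset_reason && !e->csum_reqd &&
	       !e->infinite_map && !e->pad1;
}

/* Constructed "stale" state: whatever a previous packet left behind,
 * which a shrunk per-packet memset no longer wipes. */
static void make_stale(struct ext_model *e)
{
	memset(e, 0xff, sizeof(*e));
}

/* Approach 1: clear the individual flags known to matter. Any flag not
 * named here keeps its stale value. */
static int clear_named_flags(void)
{
	struct ext_model e;

	make_stale(&e);
	e.use_map = 0;
	e.use_ack = 0;
	return flags_all_zero(&e); /* 0: dsn64, data_fin, ... still set */
}

/* Approach 2: clear the whole group at once. The kernel patch writes
 * through a u16 pointer; memset over the named group is the aliasing-safe
 * equivalent, which the compiler can lower to the same single store. */
static int clear_flags_group(void)
{
	struct ext_model e;

	make_stale(&e);
	memset(&e.flags, 0, sizeof(e.flags));
	return flags_all_zero(&e); /* 1 */
}

/* Clearing the group must leave the neighbouring fields untouched. */
static int group_clear_preserves_neighbours(void)
{
	struct ext_model e;

	make_stale(&e);
	memset(&e.flags, 0, sizeof(e.flags));
	return e.data_seq == UINT64_MAX && e.subflow_seq == UINT32_MAX &&
	       e.data_len == 0xffff && e.csum == 0xffff;
}

int main(void)
{
	printf("named flags only, all zero: %d\n", clear_named_flags());
	printf("whole group,      all zero: %d\n", clear_flags_group());
	printf("neighbours preserved:       %d\n",
	       group_clear_preserves_neighbours());
	return 0;
}
```

The point of the compile-time checks is that the "one store clears everything" claim silently stops being true the moment someone adds a ninth bit to either byte or moves the group to an odd offset; with the assertions in place that change fails to build instead of reintroducing stale flags.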
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
 irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
 sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
 kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125
 kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
 get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
 __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
 tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589
 tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
 tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852
 sk_backlog_rcv include/net/sock.h:1190 [inline]
 __release_sock+0x360/0x7d0 net/core/sock.c:3216
 release_sock+0x22d/0x300 net/core/sock.c:3815
 mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
 mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
 __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
 __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
 mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
 inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
 __sock_release net/socket.c:722 [inline]
 sock_close+0xd6/0x2f0 net/socket.c:1514
 __fput+0x60e/0x1010 fs/file_table.c:510
 ____fput+0x25/0x30 fs/file_table.c:538
 task_work_run+0x208/0x2b0 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable mp_opt created at:
 mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171
 tcp_data_queue+0x80/0x7c90 net/ipv4/tcp_input.c:5584

CPU: 1 UID: 0 PID: 8009 Comm: syz.0.635 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
=====================================================


Tested on:

commit:         6d35786d Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10070d06580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5
dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13d0b96a580000
Hi Paolo, Kuniyuki,

On 04/05/2026 20:20, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

It looks like the issue is different now:

> =====================================================
> BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
> irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
> irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
> irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
> sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
> asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
> kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125
> kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
> get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
> __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
> tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589
> tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
> tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852
> sk_backlog_rcv include/net/sock.h:1190 [inline]

That's the input side.

> __release_sock+0x360/0x7d0 net/core/sock.c:3216
> release_sock+0x22d/0x300 net/core/sock.c:3815
> mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
> mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
> __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
> __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
> mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
> inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
> __sock_release net/socket.c:722 [inline]
> sock_close+0xd6/0x2f0 net/socket.c:1514
> __fput+0x60e/0x1010 fs/file_table.c:510
> ____fput+0x25/0x30 fs/file_table.c:538
> task_work_run+0x208/0x2b0 kernel/task_work.c:233
> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
> __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
> exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
> __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
> syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
> do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Local variable mp_opt created at:
> mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171

Confirmed here. With "struct mptcp_options_received" while the original
issue was with "struct mptcp_out_options".

Plus I'm not exactly sure I understand the issue here: mp_opt is
defined and used only in mptcp_incoming_options(), and I don't see
anything using it after the end of this function. Or did I miss something?

Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
On 5/7/26 9:44 AM, Matthieu Baerts wrote:
> Hi Paolo, Kuniyuki,
>
> On 04/05/2026 20:20, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
>
> It looks like the issue is different now:
>
>> =====================================================
>> BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>> irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>> irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
>> irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
>> sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
>> asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
>> kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125
>> kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
>> get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
>> __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
>> tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589
>> tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
>> tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852
>> sk_backlog_rcv include/net/sock.h:1190 [inline]
>
> That's the input side.
>
>> __release_sock+0x360/0x7d0 net/core/sock.c:3216
>> release_sock+0x22d/0x300 net/core/sock.c:3815
>> mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
>> mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
>> __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
>> __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
>> mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
>> inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
>> __sock_release net/socket.c:722 [inline]
>> sock_close+0xd6/0x2f0 net/socket.c:1514
>> __fput+0x60e/0x1010 fs/file_table.c:510
>> ____fput+0x25/0x30 fs/file_table.c:538
>> task_work_run+0x208/0x2b0 kernel/task_work.c:233
>> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>> __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
>> exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
>> __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
>> syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
>> syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
>> do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Local variable mp_opt created at:
>> mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171
>
> Confirmed here. With "struct mptcp_options_received" while the original
> issue was with "struct mptcp_out_options".
>
> Plus I'm not exactly sure I understand the issue here: mp_opt is
> defined and used only in mptcp_incoming_options(), and I don't see
> anything using it after the end of this function. Or did I miss something?

I also had a hard time understanding the backtrace, I think some frames
are omitted/missing (it happens sometimes, IDK why), specifically the one
related to mptcp_options_received() - which would be useful to
understand the issue.

/P
On Fri, May 8, 2026 at 11:27 AM 'Paolo Abeni' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
> On 5/7/26 9:44 AM, Matthieu Baerts wrote:
> > Hi Paolo, Kuniyuki,
> >
> > On 04/05/2026 20:20, syzbot wrote:
> >> Hello,
> >>
> >> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> >> KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
> >
> > It looks like the issue is different now:
> >
> >> =====================================================
> >> BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
> >> irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
> >> irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
> >> irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
> >> sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
> >> asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
> >> kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125
> >> kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
> >> get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
> >> __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
> >> tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589
> >> tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
> >> tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852
> >> sk_backlog_rcv include/net/sock.h:1190 [inline]
> >
> > That's the input side.
> >
> >> __release_sock+0x360/0x7d0 net/core/sock.c:3216
> >> release_sock+0x22d/0x300 net/core/sock.c:3815
> >> mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
> >> mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
> >> __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
> >> __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
> >> mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
> >> inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
> >> __sock_release net/socket.c:722 [inline]
> >> sock_close+0xd6/0x2f0 net/socket.c:1514
> >> __fput+0x60e/0x1010 fs/file_table.c:510
> >> ____fput+0x25/0x30 fs/file_table.c:538
> >> task_work_run+0x208/0x2b0 kernel/task_work.c:233
> >> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
> >> __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
> >> exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
> >> __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> >> syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
> >> syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
> >> do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
> >> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >>
> >> Local variable mp_opt created at:
> >> mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171
> >
> > Confirmed here. With "struct mptcp_options_received" while the original
> > issue was with "struct mptcp_out_options".
> >
> > Plus I'm not exactly sure I understand the issue here: mp_opt is
> > defined and used only in mptcp_incoming_options(), and I don't see
> > anything using it after the end of this function. Or did I miss something?
>
> I also had a hard time understanding the backtrace, I think some frames
> are omitted/missing (it happens sometimes, IDK why), specifically the one
> related to mptcp_options_received() - which would be useful to
> understand the issue.

This is probably related to
https://lore.kernel.org/all/69e7ee1f.a00a0220.17a17.001d.GAE@google.com/T/

Let me send the patch, perhaps this issue will also go away.
Hi Alexander,

Thank you for your reply!

On 08/05/2026 12:11, Alexander Potapenko wrote:
> On Fri, May 8, 2026 at 11:27 AM 'Paolo Abeni' via syzkaller-bugs
> <syzkaller-bugs@googlegroups.com> wrote:
>>
>> On 5/7/26 9:44 AM, Matthieu Baerts wrote:
>>> Hi Paolo, Kuniyuki,
>>>
>>> On 04/05/2026 20:20, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>>>> KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
>>>
>>> It looks like the issue is different now:
>>>
>>>> =====================================================
>>>> BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>>>> irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>>>> irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
>>>> irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
>>>> sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
>>>> asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
>>>> kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125
>>>> kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
>>>> get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
>>>> __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
>>>> tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589
>>>> tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
>>>> tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852
>>>> sk_backlog_rcv include/net/sock.h:1190 [inline]
>>>
>>> That's the input side.
>>>
>>>> __release_sock+0x360/0x7d0 net/core/sock.c:3216
>>>> release_sock+0x22d/0x300 net/core/sock.c:3815
>>>> mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
>>>> mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
>>>> __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
>>>> __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
>>>> mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
>>>> inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
>>>> __sock_release net/socket.c:722 [inline]
>>>> sock_close+0xd6/0x2f0 net/socket.c:1514
>>>> __fput+0x60e/0x1010 fs/file_table.c:510
>>>> ____fput+0x25/0x30 fs/file_table.c:538
>>>> task_work_run+0x208/0x2b0 kernel/task_work.c:233
>>>> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>>>> __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
>>>> exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
>>>> __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
>>>> syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
>>>> syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
>>>> do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
>>>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>>>
>>>> Local variable mp_opt created at:
>>>> mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171
>>>
>>> Confirmed here. With "struct mptcp_options_received" while the original
>>> issue was with "struct mptcp_out_options".
>>>
>>> Plus I'm not exactly sure I understand the issue here: mp_opt is
>>> defined and used only in mptcp_incoming_options(), and I don't see
>>> anything using it after the end of this function. Or did I miss something?
>>
>> I also had a hard time understanding the backtrace, I think some frames
>> are omitted/missing (it happens sometimes, IDK why), specifically the one
>> related to mptcp_options_received() - which would be useful to
>> understand the issue.
>
> This is probably related to
> https://lore.kernel.org/all/69e7ee1f.a00a0220.17a17.001d.GAE@google.com/T/

Ah yes, it looks similar.

> Let me send the patch, perhaps this issue will also go away.

That would be great, thank you!

Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
Hi Alexander,

On 08/05/2026 12:46, Matthieu Baerts wrote:
> Hi Alexander,
>
> Thank you for your reply!
>
> On 08/05/2026 12:11, Alexander Potapenko wrote:
>> On Fri, May 8, 2026 at 11:27 AM 'Paolo Abeni' via syzkaller-bugs
>> <syzkaller-bugs@googlegroups.com> wrote:
>>>
>>> On 5/7/26 9:44 AM, Matthieu Baerts wrote:
>>>> Hi Paolo, Kuniyuki,
>>>>
>>>> On 04/05/2026 20:20, syzbot wrote:
>>>>> Hello,
>>>>>
>>>>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>>>>> KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
>>>>
>>>> It looks like the issue is different now:
>>>>
>>>>> =====================================================
>>>>> BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>>>>> irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
>>>>> irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
>>>>> irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
>>>>> sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
>>>>> asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
>>>>> kmsan_get_metadata+0x17/0x160 mm/kmsan/shadow.c:125
>>>>> kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
>>>>> get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
>>>>> __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
>>>>> tcp_data_queue+0xdc/0x7c90 net/ipv4/tcp_input.c:5589
>>>>> tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
>>>>> tcp_v4_do_rcv+0xc4b/0x1b10 net/ipv4/tcp_ipv4.c:1852
>>>>> sk_backlog_rcv include/net/sock.h:1190 [inline]
>>>>
>>>> That's the input side.
>>>>
>>>>> __release_sock+0x360/0x7d0 net/core/sock.c:3216
>>>>> release_sock+0x22d/0x300 net/core/sock.c:3815
>>>>> mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
>>>>> mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
>>>>> __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
>>>>> __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
>>>>> mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
>>>>> inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
>>>>> __sock_release net/socket.c:722 [inline]
>>>>> sock_close+0xd6/0x2f0 net/socket.c:1514
>>>>> __fput+0x60e/0x1010 fs/file_table.c:510
>>>>> ____fput+0x25/0x30 fs/file_table.c:538
>>>>> task_work_run+0x208/0x2b0 kernel/task_work.c:233
>>>>> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>>>>> __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
>>>>> exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98
>>>>> __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
>>>>> syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
>>>>> syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
>>>>> do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
>>>>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>>>>
>>>>> Local variable mp_opt created at:
>>>>> mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171
>>>>
>>>> Confirmed here. With "struct mptcp_options_received" while the original
>>>> issue was with "struct mptcp_out_options".
>>>>
>>>> Plus I'm not exactly sure I understand the issue here: mp_opt is
>>>> defined and used only in mptcp_incoming_options(), and I don't see
>>>> anything using it after the end of this function. Or did I miss something?
>>>
>>> I also had a hard time understanding the backtrace, I think some frames
>>> are omitted/missing (it happens sometimes, IDK why), specifically the one
>>> related to mptcp_options_received() - which would be useful to
>>> understand the issue.
>>
>> This is probably related to
>> https://lore.kernel.org/all/69e7ee1f.a00a0220.17a17.001d.GAE@google.com/T/
>
> Ah yes, it looks similar.
>
>> Let me send the patch, perhaps this issue will also go away.
>
> That would be great, thank you!

Thank you for having sent your patch.

Here is one combining your modifications, and the ones from Paolo, for
syzbot. If this one is OK, we can continue with Paolo's patch.

#syz test

Cheers,
Matt
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:474
 irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:474
 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:549 [inline]
 irqentry_exit+0x7b/0x820 kernel/entry/common.c:164
 sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
 __msan_metadata_ptr_for_load_4+0x5/0x40 mm/kmsan/instrumentation.c:93
 tcp_rcv_established+0x19bb/0x3200 net/ipv4/tcp_input.c:6656
 tcp_v4_do_rcv+0xc5b/0x1b70 net/ipv4/tcp_ipv4.c:1851
 sk_backlog_rcv include/net/sock.h:1190 [inline]
 __release_sock+0x360/0x7d0 net/core/sock.c:3216
 release_sock+0x22d/0x300 net/core/sock.c:3815
 mptcp_subflow_shutdown+0x358/0x690 net/mptcp/protocol.c:3144
 mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218
 __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]
 __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313
 mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367
 inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442
 __sock_release net/socket.c:722 [inline]
 sock_close+0xd6/0x2f0 net/socket.c:1514
 __fput+0x60e/0x1010 fs/file_table.c:510
 ____fput+0x25/0x30 fs/file_table.c:538
 task_work_run+0x208/0x2b0 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0x306/0x1ea0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 do_syscall_64+0x236/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable mp_opt created at:
 mptcp_incoming_options+0x11d/0x43b0 net/mptcp/options.c:1171
 tcp_data_queue+0x80/0x7c90 net/ipv4/tcp_input.c:5584

CPU: 0 UID: 0 PID: 10313 Comm: syz.0.1815 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
=====================================================


Tested on:

commit:         50897c95 Merge tag 'linux_kselftest-kunit-fixes-7.1-rc..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=121c20c8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a9f364ffbbe4c1e9
dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1555c7ce580000
> >>>> Plus I'm not exactly sure I understand the issue here: mp_opt is
> >>>> defined and used only in mptcp_incoming_options(), and I don't see
> >>>> anything using it after the end of this function. Or did I miss something?
> >>>
> >>> I also had a hard time understanding the backtrace, I think some frames
> >>> are omitted/missing (it happens sometimes, IDK why), specifically the one
> >>> related to mptcp_options_received() - which would be useful to
> >>> understand the issue.
> >>
> >> This is probably related to
> >> https://lore.kernel.org/all/69e7ee1f.a00a0220.17a17.001d.GAE@google.com/T/
> >
> > Ah yes, it looks similar.
> >
> >> Let me send the patch, perhaps this issue will also go away.
> >
> > That would be great, thank you!
>
> Thank you for having sent your patch.
>
> Here is one combining your modifications, and the ones from Paolo, for
> syzbot. If this one is OK, we can continue with Paolo's patch.

Hi Matt,

Unfortunately my approach was wrong: see tglx's response there.
Hope we'll figure something out (__no_kmsan_checks looks promising)

Alex
Hi Alexander,

On 12/05/2026 11:31, Alexander Potapenko wrote:
>>>>>> Plus I'm not exactly sure I understand the issue here: mp_opt is
>>>>>> defined and used only in mptcp_incoming_options(), and I don't see
>>>>>> anything using it after the end of this function. Or did I miss something?
>>>>>
>>>>> I also had a hard time understanding the backtrace, I think some frames
>>>>> are omitted/missing (it happens sometimes, IDK why), specifically the one
>>>>> related to mptcp_options_received() - which would be useful to
>>>>> understand the issue.
>>>>
>>>> This is probably related to
>>>> https://lore.kernel.org/all/69e7ee1f.a00a0220.17a17.001d.GAE@google.com/T/
>>>
>>> Ah yes, it looks similar.
>>>
>>>> Let me send the patch, perhaps this issue will also go away.
>>>
>>> That would be great, thank you!
>>
>> Thank you for having sent your patch.
>>
>> Here is one combining your modifications, and the ones from Paolo, for
>> syzbot. If this one is OK, we can continue with Paolo's patch.
>
>
> Hi Matt,
>
> Unfortunately my approach was wrong: see tglx's response there.
> Hope we'll figure something out (__no_kmsan_checks looks promising)

Thank you for your reply, I just found the email thread you mentioned:

https://lore.kernel.org/all/87v7cu876c.ffs@tglx

If a v2 is not expected "soon", I'm sure we can continue with Paolo's
patch, and double-check later to see if it was enough.

Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file include/net/mptcp.h
checking file net/mptcp/options.c
patch: **** unexpected end of file in patch



Tested on:

commit:         6d35786d Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5
dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
compiler:
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12558ad2580000
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in mptcp_write_options

=====================================================
BUG: KMSAN: uninit-value in mptcp_write_options+0x410/0x32e0 net/mptcp/options.c:1462
 mptcp_write_options+0x410/0x32e0 net/mptcp/options.c:1462
 mptcp_options_write net/ipv4/tcp_output.c:457 [inline]
 tcp_options_write+0x1399/0x1920 net/ipv4/tcp_output.c:833
 __tcp_transmit_skb+0x36fe/0x5fe0 net/ipv4/tcp_output.c:1656
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499
 tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505
 __mptcp_subflow_send_ack net/mptcp/protocol.c:538 [inline]
 mptcp_subflow_send_ack net/mptcp/protocol.c:546 [inline]
 mptcp_send_ack net/mptcp/protocol.c:555 [inline]
 mptcp_check_data_fin+0xa61/0xf00 net/mptcp/protocol.c:643
 mptcp_worker+0xde4/0x1ea0 net/mptcp/protocol.c:2980
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was stored to memory at:
 mptcp_established_options_dss net/mptcp/options.c:616 [inline]
 mptcp_established_options+0x2265/0x3580 net/mptcp/options.c:876
 tcp_established_options+0x312/0xcc0 net/ipv4/tcp_output.c:1192
 __tcp_transmit_skb+0x5dc/0x5fe0 net/ipv4/tcp_output.c:1575
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499
 tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505
 __mptcp_subflow_send_ack net/mptcp/protocol.c:538 [inline]
 mptcp_subflow_send_ack net/mptcp/protocol.c:546 [inline]
 mptcp_send_ack net/mptcp/protocol.c:555 [inline]
 mptcp_check_data_fin+0xa61/0xf00 net/mptcp/protocol.c:643
 mptcp_worker+0xde4/0x1ea0 net/mptcp/protocol.c:2980
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Local variable opts created at:
 __tcp_transmit_skb+0x4d/0x5fe0 net/ipv4/tcp_output.c:1536
 __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499

CPU: 0 UID: 0 PID: 4890 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: events mptcp_worker
=====================================================


Tested on:

commit:         6d35786d Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123d6696580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c3f61154f3bb7e5
dashboard link: https://syzkaller.appspot.com/bug?extid=ff020673c5e3d94d9478
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1663f21f980000