Forwarded: Re: [syzbot] [net?] KMSAN: uninit-value in __inet_bind

syzbot posted 1 patch 1 month, 2 weeks ago
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [net?] KMSAN: uninit-value in __inet_bind
Author: tabreztalks@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git main

From 42a8555a679994cc8113267b7ba08af054a48852 Mon Sep 17 00:00:00 2001
From: Tabrez Ahmed <tabreztalks@gmail.com>
Date: Sun, 15 Feb 2026 11:24:13 +0530
Subject: [PATCH net] rds: tcp: fix uninit-value in __inet_bind

KMSAN reported an uninit-value access in __inet_bind() when binding
an RDS TCP socket. The uninitialized memory originates from
rds_tcp_conn_alloc(), which uses kmem_cache_alloc() to allocate the
rds_tcp_connection structure.

The structure is not zero-initialized, leaving random data in its fields.
When the networking stack later tries to bind the socket using these
dirty values, KMSAN flags the uninitialized access.

Fix this by using kmem_cache_zalloc() instead of kmem_cache_alloc() to
ensure the structure is zeroed out upon allocation.

Reported-by: syzbot+aae646f09192f72a68dc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aae646f09192f72a68dc
Fixes: 70041088e3b9 ("RDS: Add TCP transport to RDS")

Signed-off-by: Tabrez Ahmed <tabreztalks@gmail.com>
---
 net/rds/tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 45484a93d75f..04f310255692 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -373,7 +373,7 @@ static int rds_tcp_conn_alloc(struct rds_connection *conn, gfp_t gfp)
 	int ret = 0;
 
 	for (i = 0; i < RDS_MPATH_WORKERS; i++) {
-		tc = kmem_cache_alloc(rds_tcp_conn_slab, gfp);
+		tc = kmem_cache_zalloc(rds_tcp_conn_slab, gfp);
 		if (!tc) {
 			ret = -ENOMEM;
 			goto fail;
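Review bot: the commit message should say which rds_tcp_connection field reaches __inet_bind() uninitialized; the hunk zeroes the whole struct via kmem_cache_zalloc(), so the diff alone does not show whether a specific field is simply never set later in rds_tcp_conn_alloc(), which would argue for initializing that field explicitly at its intended init site in addition to (or instead of) zeroing the allocation. Quoting the relevant KMSAN origin lines in the message would make the Fixes: 70041088e3b9 attribution verifiable by reviewers.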
-- 
2.43.0