Date: Sun, 29 Mar 2026 19:37:54 -0700
In-Reply-To: <6954bc70.050a0220.a1b6.0310.GAE@google.com>
Message-ID: <69c9e202.a70a0220.97f31.010b.GAE@google.com>
Subject: Forwarded: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
Author: sun.jian.kdev@gmail.com

Hi syzbot,

Please test this patch.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From 79039ad5c9cb7906225296c9a98d1c6616990fec Mon Sep 17 00:00:00 2001
From: Sun Jian
Date: Sun, 29 Mar 2026 20:20:39 +0800
Subject: [PATCH v2] selftests/bpf: Reject malformed IPv4/IPv6 skb test input

bpf_prog_test_run_skb() derives skb->protocol from the Ethernet header
through eth_type_trans(), but it does not verify that the provided
linear input is long enough to contain the corresponding L3 base header.

This can result in an inconsistent skb being passed to test_run helpers
such as bpf_skb_adjust_room(), where inferred protocol offsets can lead
to operating on uninitialized memory, triggering KMSAN errors.

To reject such malformed test input, we check that the linear head is
sufficiently large to contain the corresponding L3 base header (IPv4 or
IPv6) before running the program.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian
---
v2:
 - Ensured that the linear head is large enough to accommodate the
   corresponding L3 base header (IPv4 or IPv6), before running the program.

Link:

 net/bpf/test_run.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index 178c4738e63b..4790bee535b9 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -1118,6 +1118,25 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, con= st union bpf_attr *kattr, skb->protocol =3D eth_type_trans(skb, dev); skb_reset_network_header(skb); =20 + switch (skb->protocol) { + case htons(ETH_P_IP): + if (skb_headlen(skb) < sizeof(struct iphdr)) { + ret =3D -EINVAL; + goto out; + } + break; +#if IS_ENABLED(CONFIG_IPV6) + case htons(ETH_P_IPV6): + if (skb_headlen(skb) < sizeof(struct ipv6hdr)) { + ret =3D -EINVAL; + goto out; + } + break; +#endif + default: + break; + } + switch (skb->protocol) { case htons(ETH_P_IP): sk->sk_family =3D AF_INET;
base-commit: cbfffcca2bf0622b601b7eaf477aa29035169184
-- 
2.43.0
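
Review bot: in the added switch, the ETH_P_IPV6 length check sits under "#if IS_ENABLED(CONFIG_IPV6)", so on a kernel built without IPv6 a frame carrying that EtherType still gets skb->protocol == htons(ETH_P_IPV6) from eth_type_trans() and a short linear head is not rejected. If the helpers named in the commit message key on skb->protocol alone, the malformed input this patch targets remains reachable in that configuration; consider dropping the guard around the length check, provided struct ipv6hdr is visible without the option. The added switch is also immediately followed by an existing "switch (skb->protocol)" with the same "case htons(ETH_P_IP):" label, so the two skb_headlen() checks could go at the top of the existing cases (or into one combined condition) rather than a second switch with an empty default. Two smaller points: the subject uses the "selftests/bpf:" prefix while the only file touched is net/bpf/test_run.c, and the message carries Reported-by and Closes but no Fixes tag. A short comment noting that skb_headlen() here is measured after eth_type_trans() has pulled the Ethernet header would make the intent of the comparison clear.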