[syzbot] [net?] KMSAN: uninit-value in lec_atm_send
0 views
Skip to first unread message
syzbot
Nov 28, 2025, 6:59:27 AM (21 hours ago) Nov 28
to da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: ac3fd01e4c1e Linux 6.18-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=139a1612580000
kernel config: https://syzkaller.appspot.com/x/.config?x=61a9bf3cc5d17a01
dashboard link: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f4b8b4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=129d0e58580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/227434a45737/disk-ac3fd01e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d8117003dbb5/vmlinux-ac3fd01e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a13125fb7a7d/bzImage-ac3fd01e.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5dd615...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
BUG: KMSAN: uninit-value in lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
lec_arp_update net/atm/lec.c:1845 [inline]
lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:742
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2630
___sys_sendmsg+0x271/0x3b0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2719
x64_sys_call+0x1dfd/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4985 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x989/0x16b0 mm/slub.c:5340
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
__alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1383 [inline]
vcc_sendmsg+0x602/0x1190 net/atm/common.c:628
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:742
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2630
___sys_sendmsg+0x271/0x3b0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2719
x64_sys_call+0x1dfd/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ac3fd01e4c1e Linux 6.18-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=139a1612580000
kernel config: https://syzkaller.appspot.com/x/.config?x=61a9bf3cc5d17a01
dashboard link: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f4b8b4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=129d0e58580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/227434a45737/disk-ac3fd01e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d8117003dbb5/vmlinux-ac3fd01e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a13125fb7a7d/bzImage-ac3fd01e.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5dd615...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
BUG: KMSAN: uninit-value in lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
lec_arp_update net/atm/lec.c:1845 [inline]
lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:742
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2630
___sys_sendmsg+0x271/0x3b0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2719
x64_sys_call+0x1dfd/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4985 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x989/0x16b0 mm/slub.c:5340
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
__alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1383 [inline]
vcc_sendmsg+0x602/0x1190 net/atm/common.c:628
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:742
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2630
___sys_sendmsg+0x271/0x3b0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2719
x64_sys_call+0x1dfd/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Edward Adam Davis
Nov 28, 2025, 10:56:31 AM (17 hours ago) Nov 28
to syzbot+5dd615...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
syzbot found an uninitialized targetless variable. The user-provided
data was only 28 bytes long, but initializing targetless requires at
least 44 bytes. This discrepancy ultimately led to the uninitialized
variable access issue reported by syzbot [1].
Adding a message length check to the arp update process eliminates
the uninitialized issue in [1].
[1]
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
net/atm/lec.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index afb8d3eb2185..178132b2771a 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
break;
fallthrough;
case l_arp_update:
+ {
+ int need_size = offsetofend(struct atmlec_msg,
+ content.normal.targetless_le_arp);
+ if (skb->len < need_size) {
+ pr_info("Input msg size too small, need %d got %u\n",
+ need_size, skb->len);
+ dev_kfree_skb(skb);
+ return -EINVAL;
+ }
lec_arp_update(priv, mesg->content.normal.mac_addr,
mesg->content.normal.atm_addr,
mesg->content.normal.flag,
@@ -394,6 +403,7 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
tmp, mesg->sizeoftlvs);
}
break;
+ }
case l_config:
priv->maximum_unknown_frame_count =
mesg->content.config.maximum_unknown_frame_count;
--
2.43.0
data was only 28 bytes long, but initializing targetless requires at
least 44 bytes. This discrepancy ultimately led to the uninitialized
variable access issue reported by syzbot [1].
Adding a message length check to the arp update process eliminates
the uninitialized issue in [1].
[1]
BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
lec_arp_update net/atm/lec.c:1845 [inline]
lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
Reported-by: syzbot+5dd615...@syzkaller.appspotmail.com
lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
net/atm/lec.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index afb8d3eb2185..178132b2771a 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
break;
fallthrough;
case l_arp_update:
+ {
+ int need_size = offsetofend(struct atmlec_msg,
+ content.normal.targetless_le_arp);
+ if (skb->len < need_size) {
+ pr_info("Input msg size too small, need %d got %u\n",
+ need_size, skb->len);
+ dev_kfree_skb(skb);
+ return -EINVAL;
+ }
lec_arp_update(priv, mesg->content.normal.mac_addr,
mesg->content.normal.atm_addr,
mesg->content.normal.flag,
@@ -394,6 +403,7 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
tmp, mesg->sizeoftlvs);
}
break;
+ }
case l_config:
priv->maximum_unknown_frame_count =
mesg->content.config.maximum_unknown_frame_count;
--
2.43.0
Reply all
Reply to author
Forward
0 new messages