KMSAN: uninit-value in eth_type_trans
3 views
Skip to first unread message
Aleksandr Nogikh
Sep 25, 2025, 6:37:02 PM (12 days ago) Sep 25
to anthony....@intel.com, przemysla...@intel.com, andrew...@lunn.ch, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, intel-w...@lists.osuosl.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, gli...@google.com
Hello net developers,
I hit the following kernel crash when I try to boot a CONFIG_KMSAN=y kernel on qemu:
KMSAN: uninit-value in eth_type_trans
Could you please have a look?
Kernel: torvalds
Commit: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
Config: https://raw.githubusercontent.com/google/syzkaller/refs/heads/master/dashboard/config/linux/upstream-kmsan.config
Qemu command to reproduce:
qemu-system-x86_64 -m 8G -smp 2,sockets=2,cores=1 -machine pc-q35-10.0 \
-enable-kvm -display none -serial stdio -snapshot \
-device virtio-blk-pci,drive=myhd -drive file=~/buildroot_amd64_2024.09,format=raw,if=none,id=myhd \
-kernel ~/linux/arch/x86/boot/bzImage -append "root=/dev/vda1" -cpu max \
-net nic,model=e1000 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22
The command used the buildroot image below:
$ wget 'https://storage.googleapis.com/syzkaller/images/buildroot_amd64_2024.09.gz'
$ gunzip buildroot_amd64_2024.09.gz
Full symbolized report:
BUG: KMSAN: uninit-value in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
BUG: KMSAN: uninit-value in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
e1000_receive_skb drivers/net/ethernet/intel/e1000/e1000_main.c:4005 [inline]
e1000_clean_rx_irq+0x1256/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4465
e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
__napi_poll+0xda/0x850 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
pv_native_safe_halt+0x17/0x20 arch/x86/kernel/paravirt.c:81
arch_safe_halt arch/x86/kernel/process.c:756 [inline]
default_idle+0xd/0x20 arch/x86/kernel/process.c:757
arch_cpu_idle+0xd/0x20 arch/x86/kernel/process.c:794
default_idle_call+0x41/0x70 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:190 [inline]
do_idle+0x1dc/0x790 kernel/sched/idle.c:330
cpu_startup_entry+0x60/0x80 kernel/sched/idle.c:428
rest_init+0x1df/0x260 init/main.c:744
start_kernel+0x76e/0x960 init/main.c:1097
x86_64_start_reservations+0x28/0x30 arch/x86/kernel/head64.c:307
x86_64_start_kernel+0x139/0x140 arch/x86/kernel/head64.c:288
common_startup_64+0x13e/0x147
Uninit was stored to memory at:
skb_put_data include/linux/skbuff.h:2753 [inline]
e1000_copybreak drivers/net/ethernet/intel/e1000/e1000_main.c:4339 [inline]
e1000_clean_rx_irq+0x870/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4384
e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
__napi_poll+0xda/0x850 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
Uninit was stored to memory at:
swiotlb_bounce+0x470/0x640 kernel/dma/swiotlb.c:-1
__swiotlb_sync_single_for_cpu+0x9e/0xc0 kernel/dma/swiotlb.c:1567
swiotlb_sync_single_for_cpu include/linux/swiotlb.h:279 [inline]
dma_direct_sync_single_for_cpu kernel/dma/direct.h:77 [inline]
__dma_sync_single_for_cpu+0x50d/0x710 kernel/dma/mapping.c:370
dma_sync_single_for_cpu include/linux/dma-mapping.h:381 [inline]
e1000_copybreak drivers/net/ethernet/intel/e1000/e1000_main.c:4336 [inline]
e1000_clean_rx_irq+0x7dc/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4384
e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
__napi_poll+0xda/0x850 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
Uninit was stored to memory at:
swiotlb_bounce+0x470/0x640 kernel/dma/swiotlb.c:-1
swiotlb_tbl_map_single+0x2956/0x2b20 kernel/dma/swiotlb.c:1439
swiotlb_map+0x349/0x1050 kernel/dma/swiotlb.c:1584
dma_direct_map_page kernel/dma/direct.h:-1 [inline]
dma_map_page_attrs+0x614/0xef0 kernel/dma/mapping.c:169
dma_map_single_attrs include/linux/dma-mapping.h:469 [inline]
e1000_alloc_rx_buffers+0x96d/0x1600 drivers/net/ethernet/intel/e1000/e1000_main.c:4616
e1000_configure+0x16fe/0x1930 drivers/net/ethernet/intel/e1000/e1000_main.c:377
e1000_open+0x985/0x14d0 drivers/net/ethernet/intel/e1000/e1000_main.c:1388
__dev_open+0x7c2/0xc40 net/core/dev.c:1682
__dev_change_flags+0x3ae/0x9b0 net/core/dev.c:9549
netif_change_flags+0x8d/0x1e0 net/core/dev.c:9612
dev_change_flags+0x18c/0x320 net/core/dev_api.c:68
devinet_ioctl+0x162d/0x2570 net/ipv4/devinet.c:1199
inet_ioctl+0x4c0/0x6f0 net/ipv4/af_inet.c:1001
sock_do_ioctl+0x9f/0x480 net/socket.c:1238
sock_ioctl+0x70b/0xd60 net/socket.c:1359
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl+0x23c/0x400 fs/ioctl.c:584
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:584
x64_sys_call+0x1cbc/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_frozen_pages_noprof+0x648/0xe80 mm/page_alloc.c:5171
__alloc_pages_noprof+0x41/0xd0 mm/page_alloc.c:5182
__page_frag_cache_refill+0x57/0x2a0 mm/page_frag_cache.c:59
__page_frag_alloc_align+0xd0/0x690 mm/page_frag_cache.c:103
__napi_alloc_frag_align net/core/skbuff.c:248 [inline]
__netdev_alloc_frag_align+0x1b7/0x1f0 net/core/skbuff.c:269
netdev_alloc_frag include/linux/skbuff.h:3408 [inline]
e1000_alloc_frag drivers/net/ethernet/intel/e1000/e1000_main.c:2074 [inline]
e1000_alloc_rx_buffers+0x276/0x1600 drivers/net/ethernet/intel/e1000/e1000_main.c:4584
e1000_configure+0x16fe/0x1930 drivers/net/ethernet/intel/e1000/e1000_main.c:377
e1000_open+0x985/0x14d0 drivers/net/ethernet/intel/e1000/e1000_main.c:1388
__dev_open+0x7c2/0xc40 net/core/dev.c:1682
__dev_change_flags+0x3ae/0x9b0 net/core/dev.c:9549
netif_change_flags+0x8d/0x1e0 net/core/dev.c:9612
dev_change_flags+0x18c/0x320 net/core/dev_api.c:68
devinet_ioctl+0x162d/0x2570 net/ipv4/devinet.c:1199
inet_ioctl+0x4c0/0x6f0 net/ipv4/af_inet.c:1001
sock_do_ioctl+0x9f/0x480 net/socket.c:1238
sock_ioctl+0x70b/0xd60 net/socket.c:1359
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl+0x23c/0x400 fs/ioctl.c:584
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:584
x64_sys_call+0x1cbc/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
--
Aleksandr
I hit the following kernel crash when I try to boot a CONFIG_KMSAN=y kernel on qemu:
KMSAN: uninit-value in eth_type_trans
Could you please have a look?
Kernel: torvalds
Commit: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
Config: https://raw.githubusercontent.com/google/syzkaller/refs/heads/master/dashboard/config/linux/upstream-kmsan.config
Qemu command to reproduce:
qemu-system-x86_64 -m 8G -smp 2,sockets=2,cores=1 -machine pc-q35-10.0 \
-enable-kvm -display none -serial stdio -snapshot \
-device virtio-blk-pci,drive=myhd -drive file=~/buildroot_amd64_2024.09,format=raw,if=none,id=myhd \
-kernel ~/linux/arch/x86/boot/bzImage -append "root=/dev/vda1" -cpu max \
-net nic,model=e1000 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22
The command used the buildroot image below:
$ wget 'https://storage.googleapis.com/syzkaller/images/buildroot_amd64_2024.09.gz'
$ gunzip buildroot_amd64_2024.09.gz
Full symbolized report:
BUG: KMSAN: uninit-value in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
BUG: KMSAN: uninit-value in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
e1000_receive_skb drivers/net/ethernet/intel/e1000/e1000_main.c:4005 [inline]
e1000_clean_rx_irq+0x1256/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4465
e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
__napi_poll+0xda/0x850 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
pv_native_safe_halt+0x17/0x20 arch/x86/kernel/paravirt.c:81
arch_safe_halt arch/x86/kernel/process.c:756 [inline]
default_idle+0xd/0x20 arch/x86/kernel/process.c:757
arch_cpu_idle+0xd/0x20 arch/x86/kernel/process.c:794
default_idle_call+0x41/0x70 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:190 [inline]
do_idle+0x1dc/0x790 kernel/sched/idle.c:330
cpu_startup_entry+0x60/0x80 kernel/sched/idle.c:428
rest_init+0x1df/0x260 init/main.c:744
start_kernel+0x76e/0x960 init/main.c:1097
x86_64_start_reservations+0x28/0x30 arch/x86/kernel/head64.c:307
x86_64_start_kernel+0x139/0x140 arch/x86/kernel/head64.c:288
common_startup_64+0x13e/0x147
Uninit was stored to memory at:
skb_put_data include/linux/skbuff.h:2753 [inline]
e1000_copybreak drivers/net/ethernet/intel/e1000/e1000_main.c:4339 [inline]
e1000_clean_rx_irq+0x870/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4384
e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
__napi_poll+0xda/0x850 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
Uninit was stored to memory at:
swiotlb_bounce+0x470/0x640 kernel/dma/swiotlb.c:-1
__swiotlb_sync_single_for_cpu+0x9e/0xc0 kernel/dma/swiotlb.c:1567
swiotlb_sync_single_for_cpu include/linux/swiotlb.h:279 [inline]
dma_direct_sync_single_for_cpu kernel/dma/direct.h:77 [inline]
__dma_sync_single_for_cpu+0x50d/0x710 kernel/dma/mapping.c:370
dma_sync_single_for_cpu include/linux/dma-mapping.h:381 [inline]
e1000_copybreak drivers/net/ethernet/intel/e1000/e1000_main.c:4336 [inline]
e1000_clean_rx_irq+0x7dc/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4384
e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
__napi_poll+0xda/0x850 net/core/dev.c:7506
napi_poll net/core/dev.c:7569 [inline]
net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
Uninit was stored to memory at:
swiotlb_bounce+0x470/0x640 kernel/dma/swiotlb.c:-1
swiotlb_tbl_map_single+0x2956/0x2b20 kernel/dma/swiotlb.c:1439
swiotlb_map+0x349/0x1050 kernel/dma/swiotlb.c:1584
dma_direct_map_page kernel/dma/direct.h:-1 [inline]
dma_map_page_attrs+0x614/0xef0 kernel/dma/mapping.c:169
dma_map_single_attrs include/linux/dma-mapping.h:469 [inline]
e1000_alloc_rx_buffers+0x96d/0x1600 drivers/net/ethernet/intel/e1000/e1000_main.c:4616
e1000_configure+0x16fe/0x1930 drivers/net/ethernet/intel/e1000/e1000_main.c:377
e1000_open+0x985/0x14d0 drivers/net/ethernet/intel/e1000/e1000_main.c:1388
__dev_open+0x7c2/0xc40 net/core/dev.c:1682
__dev_change_flags+0x3ae/0x9b0 net/core/dev.c:9549
netif_change_flags+0x8d/0x1e0 net/core/dev.c:9612
dev_change_flags+0x18c/0x320 net/core/dev_api.c:68
devinet_ioctl+0x162d/0x2570 net/ipv4/devinet.c:1199
inet_ioctl+0x4c0/0x6f0 net/ipv4/af_inet.c:1001
sock_do_ioctl+0x9f/0x480 net/socket.c:1238
sock_ioctl+0x70b/0xd60 net/socket.c:1359
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl+0x23c/0x400 fs/ioctl.c:584
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:584
x64_sys_call+0x1cbc/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_frozen_pages_noprof+0x648/0xe80 mm/page_alloc.c:5171
__alloc_pages_noprof+0x41/0xd0 mm/page_alloc.c:5182
__page_frag_cache_refill+0x57/0x2a0 mm/page_frag_cache.c:59
__page_frag_alloc_align+0xd0/0x690 mm/page_frag_cache.c:103
__napi_alloc_frag_align net/core/skbuff.c:248 [inline]
__netdev_alloc_frag_align+0x1b7/0x1f0 net/core/skbuff.c:269
netdev_alloc_frag include/linux/skbuff.h:3408 [inline]
e1000_alloc_frag drivers/net/ethernet/intel/e1000/e1000_main.c:2074 [inline]
e1000_alloc_rx_buffers+0x276/0x1600 drivers/net/ethernet/intel/e1000/e1000_main.c:4584
e1000_configure+0x16fe/0x1930 drivers/net/ethernet/intel/e1000/e1000_main.c:377
e1000_open+0x985/0x14d0 drivers/net/ethernet/intel/e1000/e1000_main.c:1388
__dev_open+0x7c2/0xc40 net/core/dev.c:1682
__dev_change_flags+0x3ae/0x9b0 net/core/dev.c:9549
netif_change_flags+0x8d/0x1e0 net/core/dev.c:9612
dev_change_flags+0x18c/0x320 net/core/dev_api.c:68
devinet_ioctl+0x162d/0x2570 net/ipv4/devinet.c:1199
inet_ioctl+0x4c0/0x6f0 net/ipv4/af_inet.c:1001
sock_do_ioctl+0x9f/0x480 net/socket.c:1238
sock_ioctl+0x70b/0xd60 net/socket.c:1359
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl+0x23c/0x400 fs/ioctl.c:584
__x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:584
x64_sys_call+0x1cbc/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
--
Aleksandr
Alexander Potapenko
2:51 AM (4 hours ago) 2:51 AM
to Robin Murphy, Christoph Hellwig, Marek Szyprowski, Leon Romanovsky, mhkl...@outlook.com, anthony....@intel.com, przemysla...@intel.com, andrew...@lunn.ch, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, intel-w...@lists.osuosl.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Aleksandr Nogikh
On Fri, Sep 26, 2025 at 12:36 AM Aleksandr Nogikh <nog...@google.com> wrote:
>
> Hello net developers,
CCing DMA developers, as this seems to be a generic problem.
See the question below, after the KMSAN report.
Folks, as far as I understand, dma_direct_sync_single_for_cpu() and
dma_direct_sync_single_for_device() are the places where we send data
to or from the device.
Should we add KMSAN annotations to those functions to catch infoleaks
and mark data from devices as initialized?
>
> Hello net developers,
CCing DMA developers, as this seems to be a generic problem.
See the question below, after the KMSAN report.
dma_direct_sync_single_for_device() are the places where we send data
to or from the device.
Should we add KMSAN annotations to those functions to catch infoleaks
and mark data from devices as initialized?
Reply all
Reply to author
Forward
0 new messages