lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAG_fn=U3Rjd_0zfCJE-vuU3Htbf2fRP_GYczdYjJJ1W5o30+UQ@mail.gmail.com>
Date: Tue, 7 Oct 2025 08:51:12 +0200
From: Alexander Potapenko <glider@...gle.com>
To: Robin Murphy <robin.murphy@....com>, Christoph Hellwig <hch@...radead.org>, 
	Marek Szyprowski <m.szyprowski@...sung.com>, Leon Romanovsky <leonro@...dia.com>, mhklinux@...look.com
Cc: anthony.l.nguyen@...el.com, przemyslaw.kitszel@...el.com, 
	andrew+netdev@...n.ch, davem@...emloft.net, edumazet@...gle.com, 
	kuba@...nel.org, pabeni@...hat.com, intel-wired-lan@...ts.osuosl.org, 
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com, Aleksandr Nogikh <nogikh@...gle.com>
Subject: Re: KMSAN: uninit-value in eth_type_trans

On Fri, Sep 26, 2025 at 12:36 AM Aleksandr Nogikh <nogikh@...gle.com> wrote:
>
> Hello net developers,

CCing DMA developers, as this seems to be a generic problem.
See the question below, after the KMSAN report.

> I hit the following kernel crash when I try to boot a CONFIG_KMSAN=y kernel on qemu:
>
> KMSAN: uninit-value in eth_type_trans
>
> Could you please have a look?
>
> Kernel: torvalds
> Commit: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
> Config: https://raw.githubusercontent.com/google/syzkaller/refs/heads/master/dashboard/config/linux/upstream-kmsan.config
>
> Qemu command to reproduce:
>
> qemu-system-x86_64 -m 8G -smp 2,sockets=2,cores=1 -machine pc-q35-10.0 \
> -enable-kvm -display none -serial stdio -snapshot \
> -device virtio-blk-pci,drive=myhd -drive file=~/buildroot_amd64_2024.09,format=raw,if=none,id=myhd \
> -kernel ~/linux/arch/x86/boot/bzImage -append "root=/dev/vda1" -cpu max \
> -net nic,model=e1000 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22
>
> The command used the buildroot image below:
> $ wget 'https://storage.googleapis.com/syzkaller/images/buildroot_amd64_2024.09.gz'
> $ gunzip buildroot_amd64_2024.09.gz
>
> Full symbolized report:
>
> BUG: KMSAN: uninit-value in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
> BUG: KMSAN: uninit-value in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
>  eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
>  eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
>  e1000_receive_skb drivers/net/ethernet/intel/e1000/e1000_main.c:4005 [inline]
>  e1000_clean_rx_irq+0x1256/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4465
>  e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
>  __napi_poll+0xda/0x850 net/core/dev.c:7506
>  napi_poll net/core/dev.c:7569 [inline]
>  net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
>  handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
>  __do_softirq kernel/softirq.c:613 [inline]
>  invoke_softirq kernel/softirq.c:453 [inline]
>  __irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
>  irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
>  common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
>  asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
>  native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
>  pv_native_safe_halt+0x17/0x20 arch/x86/kernel/paravirt.c:81
>  arch_safe_halt arch/x86/kernel/process.c:756 [inline]
>  default_idle+0xd/0x20 arch/x86/kernel/process.c:757
>  arch_cpu_idle+0xd/0x20 arch/x86/kernel/process.c:794
>  default_idle_call+0x41/0x70 kernel/sched/idle.c:122
>  cpuidle_idle_call kernel/sched/idle.c:190 [inline]
>  do_idle+0x1dc/0x790 kernel/sched/idle.c:330
>  cpu_startup_entry+0x60/0x80 kernel/sched/idle.c:428
>  rest_init+0x1df/0x260 init/main.c:744
>  start_kernel+0x76e/0x960 init/main.c:1097
>  x86_64_start_reservations+0x28/0x30 arch/x86/kernel/head64.c:307
>  x86_64_start_kernel+0x139/0x140 arch/x86/kernel/head64.c:288
>  common_startup_64+0x13e/0x147
>
> Uninit was stored to memory at:
>  skb_put_data include/linux/skbuff.h:2753 [inline]
>  e1000_copybreak drivers/net/ethernet/intel/e1000/e1000_main.c:4339 [inline]
>  e1000_clean_rx_irq+0x870/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4384
>  e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
>  __napi_poll+0xda/0x850 net/core/dev.c:7506
>  napi_poll net/core/dev.c:7569 [inline]
>  net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
>  handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
>  __do_softirq kernel/softirq.c:613 [inline]
>  invoke_softirq kernel/softirq.c:453 [inline]
>  __irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
>  irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
>  common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
>  asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
>
> Uninit was stored to memory at:
>  swiotlb_bounce+0x470/0x640 kernel/dma/swiotlb.c:-1
>  __swiotlb_sync_single_for_cpu+0x9e/0xc0 kernel/dma/swiotlb.c:1567
>  swiotlb_sync_single_for_cpu include/linux/swiotlb.h:279 [inline]
>  dma_direct_sync_single_for_cpu kernel/dma/direct.h:77 [inline]
>  __dma_sync_single_for_cpu+0x50d/0x710 kernel/dma/mapping.c:370
>  dma_sync_single_for_cpu include/linux/dma-mapping.h:381 [inline]
>  e1000_copybreak drivers/net/ethernet/intel/e1000/e1000_main.c:4336 [inline]
>  e1000_clean_rx_irq+0x7dc/0x1cf0 drivers/net/ethernet/intel/e1000/e1000_main.c:4384
>  e1000_clean+0x1e4b/0x5f10 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
>  __napi_poll+0xda/0x850 net/core/dev.c:7506
>  napi_poll net/core/dev.c:7569 [inline]
>  net_rx_action+0xa56/0x1b00 net/core/dev.c:7696
>  handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
>  __do_softirq kernel/softirq.c:613 [inline]
>  invoke_softirq kernel/softirq.c:453 [inline]
>  __irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
>  irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
>  common_interrupt+0x99/0xb0 arch/x86/kernel/irq.c:318
>  asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:693
>
> Uninit was stored to memory at:
>  swiotlb_bounce+0x470/0x640 kernel/dma/swiotlb.c:-1
>  swiotlb_tbl_map_single+0x2956/0x2b20 kernel/dma/swiotlb.c:1439
>  swiotlb_map+0x349/0x1050 kernel/dma/swiotlb.c:1584
>  dma_direct_map_page kernel/dma/direct.h:-1 [inline]
>  dma_map_page_attrs+0x614/0xef0 kernel/dma/mapping.c:169
>  dma_map_single_attrs include/linux/dma-mapping.h:469 [inline]
>  e1000_alloc_rx_buffers+0x96d/0x1600 drivers/net/ethernet/intel/e1000/e1000_main.c:4616
>  e1000_configure+0x16fe/0x1930 drivers/net/ethernet/intel/e1000/e1000_main.c:377
>  e1000_open+0x985/0x14d0 drivers/net/ethernet/intel/e1000/e1000_main.c:1388
>  __dev_open+0x7c2/0xc40 net/core/dev.c:1682
>  __dev_change_flags+0x3ae/0x9b0 net/core/dev.c:9549
>  netif_change_flags+0x8d/0x1e0 net/core/dev.c:9612
>  dev_change_flags+0x18c/0x320 net/core/dev_api.c:68
>  devinet_ioctl+0x162d/0x2570 net/ipv4/devinet.c:1199
>  inet_ioctl+0x4c0/0x6f0 net/ipv4/af_inet.c:1001
>  sock_do_ioctl+0x9f/0x480 net/socket.c:1238
>  sock_ioctl+0x70b/0xd60 net/socket.c:1359
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:598 [inline]
>  __se_sys_ioctl+0x23c/0x400 fs/ioctl.c:584
>  __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:584
>  x64_sys_call+0x1cbc/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:17
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Uninit was created at:
>  __alloc_frozen_pages_noprof+0x648/0xe80 mm/page_alloc.c:5171
>  __alloc_pages_noprof+0x41/0xd0 mm/page_alloc.c:5182
>  __page_frag_cache_refill+0x57/0x2a0 mm/page_frag_cache.c:59
>  __page_frag_alloc_align+0xd0/0x690 mm/page_frag_cache.c:103
>  __napi_alloc_frag_align net/core/skbuff.c:248 [inline]
>  __netdev_alloc_frag_align+0x1b7/0x1f0 net/core/skbuff.c:269
>  netdev_alloc_frag include/linux/skbuff.h:3408 [inline]
>  e1000_alloc_frag drivers/net/ethernet/intel/e1000/e1000_main.c:2074 [inline]
>  e1000_alloc_rx_buffers+0x276/0x1600 drivers/net/ethernet/intel/e1000/e1000_main.c:4584
>  e1000_configure+0x16fe/0x1930 drivers/net/ethernet/intel/e1000/e1000_main.c:377
>  e1000_open+0x985/0x14d0 drivers/net/ethernet/intel/e1000/e1000_main.c:1388
>  __dev_open+0x7c2/0xc40 net/core/dev.c:1682
>  __dev_change_flags+0x3ae/0x9b0 net/core/dev.c:9549
>  netif_change_flags+0x8d/0x1e0 net/core/dev.c:9612
>  dev_change_flags+0x18c/0x320 net/core/dev_api.c:68
>  devinet_ioctl+0x162d/0x2570 net/ipv4/devinet.c:1199
>  inet_ioctl+0x4c0/0x6f0 net/ipv4/af_inet.c:1001
>  sock_do_ioctl+0x9f/0x480 net/socket.c:1238
>  sock_ioctl+0x70b/0xd60 net/socket.c:1359
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:598 [inline]
>  __se_sys_ioctl+0x23c/0x400 fs/ioctl.c:584
>  __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:584
>  x64_sys_call+0x1cbc/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:17
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Folks, as far as I understand, dma_direct_sync_single_for_cpu() and
dma_direct_sync_single_for_device() are the places where we send data
to or from the device.
Should we add KMSAN annotations to those functions to catch infoleaks
and mark data from devices as initialized?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ