Re: Question about to KMSAN: uninit-value in can_receive

From: Prithvi Tambewagh
Date: Mon Nov 17 2025 - 12:30:50 EST


Hello,

The call trace suggests that the bug appears to be due to the effect of a change
in headroom by pskb_header_expand(). The new headroom remains uninitialized,
and when can_receive tries accessing can_skb_prv(skb)->skbcnt, skb->head is
indirectly accessed, which causes the KMSAN uninitialized-value read bug.

To fix this bug, I think we can call can_dropped_invalid_skb() in can_rcv()
just before calling can_receive(). Further, we can add a condition for those
sk_buffs with an uninitialized headroom to initialize the skb, the way it had
been done in the patch for an earlier packet injection case in a similar
KMSAN bug:
https://lore.kernel.org/linux-can/20191207183418.28868-1-socketcan@xxxxxxxxxxxx/

However, I am not sure on what basis I can filter the sk_buffs so that
only those with an uninitialized headroom will be initialized via this path.
Is this the correct approach?

Thank you,
Prithvi