In the Linux kernel, the following vulnerability has been resolved:

bpf: Mark bpf prog stack with kmsanunposionmemory in interpreter mode

syzbot reported uninit memory usages during map{lookup,delete}elem.

========== BUG: KMSAN: uninit-value in devmaplookupelem kernel/bpf/devmap.c:441 [inline] BUG: KMSAN: uninit-value in devmaplookupelem+0xf3/0x170 kernel/bpf/devmap.c:796 _devmaplookupelem kernel/bpf/devmap.c:441 [inline] devmaplookupelem+0xf3/0x170 kernel/bpf/devmap.c:796 _bpfmaplookupelem kernel/bpf/helpers.c:42 [inline] bpfmaplookupelem+0x5c/0x80 kernel/bpf/helpers.c:38 _bpfprogrun+0x13fe/0xe0f0 kernel/bpf/core.c:1997

_bpfprog_run256+0xb5/0xe0 kernel/bpf/core.c:2237

The reproducer should be in the interpreter mode.

The C reproducer is trying to run the following bpf prog:

0: (18) r0 = 0x0
2: (18) r1 = map[id:49]
4: (b7) r8 = 16777216
5: (7b) *(u64 *)(r10 -8) = r8
6: (bf) r2 = r10
7: (07) r2 += -229
        ^^^^^^^^^^

8: (b7) r3 = 8
9: (b7) r4 = 0

10: (85) call devmaplookup_elem#1543472 11: (95) exit

It is due to the "void *key" (r2) passed to the helper. bpf allows uninit stack memory access for bpf prog with the right privileges. This patch uses kmsanunpoisonmemory() to mark the stack as initialized.

This should address different syzbot reports on the uninit "void *key" argument during map{lookup,delete}elem.