syzbot

 sign-in | mailing list | source | docs
🐞 Open [1512]
Subsystems
🐞 Fixed [6628]
🐞 Invalid [16988]
Missing Backports [211]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KMSAN: uninit-value in netif_skb_features (4)

Status: upstream: reported on 2025/10/07 06:40
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+1543a7d954d9c6d00407@syzkaller.appspotmail.com
First crash: 4d06h, last: 4d06h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] KMSAN: uninit-value in netif_skb_features (4) 0 (1) 2025/10/07 06:40
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: kernel-infoleak in copyout (2) net 17 C 6723 852d 2020d 22/29 fixed on 2023/06/08 14:41
upstream KMSAN: uninit-value in netif_skb_features (2) net 7 C 9 659d 747d 25/29 fixed on 2024/01/30 15:47
upstream KMSAN: kernel-infoleak in _copy_to_iter (7) net 23 C 138977 956d 1308d 22/29 fixed on 2023/02/24 13:50
upstream KMSAN: uninit-value in netif_skb_features (3) net 7 1 229d 229d 0/29 auto-obsoleted due to no activity on 2025/05/29 13:17
upstream KMSAN: uninit-value in netif_skb_features net 7 C 119 2708d 2735d 5/29 fixed on 2018/05/08 18:30

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in netif_skb_features+0x115b/0x2160 net/core/dev.c:3825
 netif_skb_features+0x115b/0x2160 net/core/dev.c:3825
 validate_xmit_skb+0xb6/0x1d50 net/core/dev.c:3985
 __dev_queue_xmit+0x23f8/0x5e60 net/core/dev.c:4755
 dev_queue_xmit include/linux/netdevice.h:3365 [inline]
 hsr_xmit net/hsr/hsr_forward.c:430 [inline]
 hsr_forward_do net/hsr/hsr_forward.c:571 [inline]
 hsr_forward_skb+0x2162/0x3c40 net/hsr/hsr_forward.c:733
 hsr_handle_frame+0xd6d/0x11a0 net/hsr/hsr_slave.c:81
 __netif_receive_skb_core+0x2040/0x7150 net/core/dev.c:5966
 __netif_receive_skb_list_core+0x2f1/0x16b0 net/core/dev.c:6154
 __netif_receive_skb_list net/core/dev.c:6221 [inline]
 netif_receive_skb_list_internal+0xee7/0x1530 net/core/dev.c:6312
 gro_normal_list include/net/gro.h:524 [inline]
 gro_flush_normal include/net/gro.h:532 [inline]
 napi_complete_done+0x3fb/0x7d0 net/core/dev.c:6681
 gro_cell_poll+0x2c9/0x310 net/core/gro_cells.c:66
 __napi_poll+0xda/0x8a0 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0xbc8/0x1c30 net/core/dev.c:7784
 handle_softirqs+0x169/0x6e0 kernel/softirq.c:622
 __do_softirq+0x14/0x1b kernel/softirq.c:656
 do_softirq+0x99/0x100 kernel/softirq.c:523
 __local_bh_enable_ip+0xa1/0xb0 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 tun_rx_batched+0x889/0x980 drivers/net/tun.c:-1
 tun_get_user+0x5d60/0x6d70 drivers/net/tun.c:1953
 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xbdf/0x15d0 fs/read_write.c:686
 ksys_write fs/read_write.c:738 [inline]
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
 x64_sys_call+0x3014/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5245 [inline]
 kmem_cache_alloc_node_noprof+0x989/0x16b0 mm/slub.c:5297
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
 __pskb_copy_fclone+0xcc/0x14d0 net/core/skbuff.c:2164
 __pskb_copy include/linux/skbuff.h:1447 [inline]
 hsr_create_tagged_frame+0x32c/0x11b0 net/hsr/hsr_forward.c:340
 hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
 hsr_forward_skb+0x16a4/0x3c40 net/hsr/hsr_forward.c:733
 hsr_handle_frame+0xd6d/0x11a0 net/hsr/hsr_slave.c:81
 __netif_receive_skb_core+0x2040/0x7150 net/core/dev.c:5966
 __netif_receive_skb_list_core+0x2f1/0x16b0 net/core/dev.c:6154
 __netif_receive_skb_list net/core/dev.c:6221 [inline]
 netif_receive_skb_list_internal+0xee7/0x1530 net/core/dev.c:6312
 gro_normal_list include/net/gro.h:524 [inline]
 gro_flush_normal include/net/gro.h:532 [inline]
 napi_complete_done+0x3fb/0x7d0 net/core/dev.c:6681
 gro_cell_poll+0x2c9/0x310 net/core/gro_cells.c:66
 __napi_poll+0xda/0x8a0 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0xbc8/0x1c30 net/core/dev.c:7784
 handle_softirqs+0x169/0x6e0 kernel/softirq.c:622
 __do_softirq+0x14/0x1b kernel/softirq.c:656

CPU: 1 UID: 0 PID: 11876 Comm: syz.2.2011 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
=====================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/10/03 06:32 upstream e406d57be7bd 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in netif_skb_features
* Struck through repros no longer work on HEAD.