syzbot

 sign-in | mailing list | source | docs
🐞 Open [1453]
Subsystems
🐞 Fixed [6862]
🐞 Invalid [17798]
Missing Backports [226]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KMSAN: uninit-value in bpf_prog_test_run_skb

Status: upstream: reported C repro on 2025/12/31 06:02
Subsystems: bpf
[Documentation on labels]
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
First crash: 19d, last: 5d01h
Discussions (3)
Title Replies (including bot) Last reply
[PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head() 1 (2) 2026/01/14 15:06
[syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb 0 (7) 2026/01/14 12:33
[syzbot] Monthly bpf report (Jan 2026) 0 (1) 2026/01/07 07:29
Last patch testing requests (9)
Created Duration User Patch Repo Result
2026/01/14 13:57 51m sohammetha01@gmail.com patch upstream OK log
2026/01/14 12:33 30m sohammetha01@gmail.com patch upstream OK log
2026/01/14 12:09 6m sohammetha01@gmail.com patch upstream error
2026/01/10 16:33 49m retest repro upstream report log
2026/01/10 16:33 29m retest repro upstream report log
2026/01/04 03:58 50m kartikey406@gmail.com patch upstream report log
2026/01/04 03:48 53m kartikey406@gmail.com patch upstream report log
2026/01/04 02:01 23m kartikey406@gmail.com patch upstream report log
2026/01/02 02:20 24m kartikey406@gmail.com patch upstream report log

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
 bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 pskb_expand_head+0x310/0x15d0 net/core/skbuff.c:2290
 __skb_cow include/linux/skbuff.h:3853 [inline]
 skb_cow_head include/linux/skbuff.h:3887 [inline]
 bpf_skb_net_grow net/core/filter.c:3511 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 skb_data_move+0x424/0x570 include/linux/skbuff.h:-1
 skb_postpush_data_move include/linux/skbuff.h:4639 [inline]
 bpf_skb_generic_push net/core/filter.c:3267 [inline]
 bpf_skb_net_hdr_push net/core/filter.c:3305 [inline]
 bpf_skb_net_grow net/core/filter.c:3542 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x116c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4960 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
 pskb_expand_head+0x1fc/0x15d0 net/core/skbuff.c:2282
 __skb_cow include/linux/skbuff.h:3853 [inline]
 skb_cow_head include/linux/skbuff.h:3887 [inline]
 bpf_skb_net_grow net/core/filter.c:3511 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 6072 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/12/27 10:15 upstream 3f0e9c8cefa9 d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in bpf_prog_test_run_skb
2025/12/27 08:07 upstream 3f0e9c8cefa9 d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in bpf_prog_test_run_skb
2025/12/27 05:55 upstream 3f0e9c8cefa9 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in bpf_prog_test_run_skb
* Struck through repros no longer work on HEAD.