syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1343]
Subsystems
🐞 Fixed [7063]
🐞 Invalid [18526]
Missing Backports [222]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KMSAN: uninit-value in bpf_prog_test_run_skb

Status: upstream: reported C repro on 2025/12/31 06:02
Subsystems: bpf
[Documentation on labels]
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Fix commit: 12bec2bd4b76 bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce], missing on: [ci-qemu-native-arm64-kvm ci-qemu2-riscv64 ci-upstream-gce-arm64 ci2-upstream-usb]
First crash: 112d, last: 28d
Discussions (9)
Title Replies (including bot) Last reply
[PATCH bpf v4 0/2] bpf: fix short IPv4/IPv6 handling in test_run_skb 4 (4) 2026/04/12 22:50
[PATCH bpf-next v3] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb 4 (4) 2026/04/07 01:34
[PATCH v2] selftests/bpf: Reject malformed IPv4/IPv6 skb test input 7 (7) 2026/04/02 07:35
[syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb 0 (8) 2026/03/30 02:37
[PATCH] selftests/bpf: Reject malformed IPv4/IPv6 skb test input 2 (2) 2026/03/29 13:24
Re: [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head() 1 (1) 2026/01/26 13:26
[PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head() 1 (1) 2026/01/26 11:43
[PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head() 1 (2) 2026/01/14 15:06
[syzbot] Monthly bpf report (Jan 2026) 0 (1) 2026/01/07 07:29
Last patch testing requests (12)
Created Duration User Patch Repo Result
2026/03/30 02:37 57m sun.jian.kdev@gmail.com patch upstream OK log
2026/03/21 20:21 53m retest repro upstream report log
2026/03/21 20:21 40m retest repro upstream report log
2026/01/14 13:57 51m sohammetha01@gmail.com patch upstream OK log
2026/01/14 12:33 30m sohammetha01@gmail.com patch upstream OK log
2026/01/14 12:09 6m sohammetha01@gmail.com patch upstream error
2026/01/10 16:33 49m retest repro upstream report log
2026/01/10 16:33 29m retest repro upstream report log
2026/01/04 03:58 50m kartikey406@gmail.com patch upstream report log
2026/01/04 03:48 53m kartikey406@gmail.com patch upstream report log
2026/01/04 02:01 23m kartikey406@gmail.com patch upstream report log
2026/01/02 02:20 24m kartikey406@gmail.com patch upstream report log

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
 bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 pskb_expand_head+0x310/0x15d0 net/core/skbuff.c:2290
 __skb_cow include/linux/skbuff.h:3853 [inline]
 skb_cow_head include/linux/skbuff.h:3887 [inline]
 bpf_skb_net_grow net/core/filter.c:3511 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 skb_data_move+0x424/0x570 include/linux/skbuff.h:-1
 skb_postpush_data_move include/linux/skbuff.h:4639 [inline]
 bpf_skb_generic_push net/core/filter.c:3267 [inline]
 bpf_skb_net_hdr_push net/core/filter.c:3305 [inline]
 bpf_skb_net_grow net/core/filter.c:3542 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x116c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4960 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
 pskb_expand_head+0x1fc/0x15d0 net/core/skbuff.c:2282
 __skb_cow include/linux/skbuff.h:3853 [inline]
 skb_cow_head include/linux/skbuff.h:3887 [inline]
 bpf_skb_net_grow net/core/filter.c:3511 [inline]
 ____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
 bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
 ___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
 __bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
 bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
 bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
 __sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
 x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 6072 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/12/27 10:15 upstream 3f0e9c8cefa9 d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in bpf_prog_test_run_skb
2025/12/27 08:07 upstream 3f0e9c8cefa9 d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in bpf_prog_test_run_skb
2026/01/24 09:27 upstream c133687c2eae 4f25b9b4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in bpf_prog_test_run_skb
2025/12/27 05:55 upstream 3f0e9c8cefa9 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in bpf_prog_test_run_skb
* Struck through repros no longer work on HEAD.