syzbot


KMSAN: uninit-value in xfrm_state_find (4)

Status: upstream: reported on 2025/05/21 19:14
Subsystems: net
Reported-by: syzbot+7ed9d47e15e88581dc5b@syzkaller.appspotmail.com
Fix commit: xfrm: state: initialize state_ptrs earlier in xfrm_state_find
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-rust-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 60d, last: 2h54m
Discussions (2)
Title Replies (including bot) Last reply
[PATCH ipsec 0/2] xfrm: fixes for xfrm_state_find under preemption 4 (4) 2025/06/10 07:55
[syzbot] [net?] KMSAN: uninit-value in xfrm_state_find (4) 1 (2) 2025/05/22 11:54
Similar bugs (8)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in xfrm_state_find (2) net 17 19 463d 622d 0/29 auto-obsoleted due to no activity on 2024/07/18 11:50
upstream KMSAN: uninit-value in xfrm_state_find (3) net 7 1 320d 320d 0/29 closed as invalid on 2024/10/09 09:35
upstream KASAN: slab-out-of-bounds Read in xfrm_state_find net 17 10 79d 232d 28/29 fixed on 2025/05/06 15:33
upstream KMSAN: uninit-value in xfrm_state_find net 17 C error done 215 789d 2588d 22/29 fixed on 2023/07/01 16:05
android-54 KASAN: stack-out-of-bounds Read in xfrm_state_find 17 C 1 928d 928d 0/2 upstream: reported C repro on 2023/01/01 01:05
android-5-15 KASAN: stack-out-of-bounds Read in xfrm_state_find origin:upstream missing-backport 17 C error error 2 442d 928d 0/2 upstream: reported C repro on 2023/01/01 00:40
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) 17 syz error error 1 928d 928d 0/2 auto-obsoleted due to no activity on 2023/05/14 02:28
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find 17 1 1347d 1347d 0/2 closed as invalid on 2022/02/03 13:56

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2519 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0xabc/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202
 xfrm_lookup net/xfrm/xfrm_policy.c:3333 [inline]
 xfrm_lookup_route+0x63/0x2b0 net/xfrm/xfrm_policy.c:3344
 ip_route_output_flow+0x20d/0x2b0 net/ipv4/route.c:2918
 ip_route_connect include/net/route.h:352 [inline]
 tcp_v4_connect+0xa43/0x1cd0 net/ipv4/tcp_ipv4.c:252
 tcp_v6_connect+0x134a/0x1d40 net/ipv6/tcp_ipv6.c:240
 __inet_stream_connect+0x2d3/0x1760 net/ipv4/af_inet.c:677
 inet_stream_connect+0x69/0xd0 net/ipv4/af_inet.c:748
 __sys_connect_file net/socket.c:2038 [inline]
 __sys_connect+0x523/0x680 net/socket.c:2057
 __do_sys_connect net/socket.c:2063 [inline]
 __se_sys_connect net/socket.c:2060 [inline]
 __x64_sys_connect+0x95/0x100 net/socket.c:2060
 x64_sys_call+0x23bb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x1b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp.i.i created at:
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2491 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0x3a7/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202

CPU: 1 UID: 0 PID: 11691 Comm: syz.5.1451 Not tainted 6.15.0-rc6-syzkaller-00278-g172a9d94339c #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
=====================================================

Crashes (42):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/05/17 19:07 upstream 172a9d94339c f41472b0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in xfrm_state_find
2025/07/15 09:48 upstream 155a3c003e55 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in xfrm_state_find
2025/07/17 04:08 linux-next e8352908bdcd 44f8051e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/17 00:36 linux-next e8352908bdcd 44f8051e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 21:35 linux-next e8352908bdcd c118d736 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 19:56 linux-next e8352908bdcd c118d736 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 13:21 linux-next e8352908bdcd c118d736 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 12:57 linux-next e8352908bdcd c118d736 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 09:36 linux-next 0be23810e32e c118d736 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 06:46 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 06:43 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/16 03:55 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KFENCE: use-after-free read in xfrm_state_find
2025/07/16 03:51 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/15 23:50 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/15 19:03 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/15 07:40 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/15 04:25 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/14 14:31 linux-next 0be23810e32e 03fcfc4b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/14 09:03 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/13 15:35 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in xfrm_state_find
2025/07/13 12:12 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/13 10:49 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/13 08:38 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/13 06:04 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/13 02:28 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/12 23:35 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/12 17:15 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/12 13:48 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/12 12:05 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/12 10:13 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/12 02:15 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/11 11:30 linux-next a62b7a37e6fc 3cda49cf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/10 17:37 linux-next b551c4e2a98a 19d4829f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/10 17:37 linux-next b551c4e2a98a 19d4829f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/10 14:52 linux-next b551c4e2a98a 19d4829f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/10 12:32 linux-next b551c4e2a98a 19d4829f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/10 03:13 linux-next 835244aba90d 956bd956 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/09 23:47 linux-next 835244aba90d f4e5e155 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/09 19:35 linux-next 835244aba90d f4e5e155 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/09 14:21 linux-next 835244aba90d f4e5e155 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/09 04:20 linux-next 58ba80c47402 abade794 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/07/08 13:21 linux-next 58ba80c47402 4f67c4ae .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find