syzbot


KMSAN: uninit-value in xfrm_state_find (4)

Status: upstream: reported on 2025/05/21 19:14
Subsystems: net
Reported-by: syzbot+7ed9d47e15e88581dc5b@syzkaller.appspotmail.com
Fix commit: 94d077c33173 xfrm: state: initialize state_ptrs earlier in xfrm_state_find
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm]
First crash: 107d, last: 21m
Discussions (3)
Title Replies (including bot) Last reply
[PATCH 1/8] xfrm: state: initialize state_ptrs earlier in xfrm_state_find 1 (1) 2025/07/23 07:53
[PATCH ipsec 0/2] xfrm: fixes for xfrm_state_find under preemption 4 (4) 2025/06/10 07:55
[syzbot] [net?] KMSAN: uninit-value in xfrm_state_find (4) 1 (2) 2025/05/22 11:54
Similar bugs (9)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in xfrm_state_find (2) net 17 19 510d 669d 0/29 auto-obsoleted due to no activity on 2024/07/18 11:50
upstream KMSAN: uninit-value in xfrm_state_find (3) net 7 1 367d 367d 0/29 closed as invalid on 2024/10/09 09:35
upstream KASAN: slab-out-of-bounds Read in xfrm_state_find net 17 10 125d 279d 28/29 fixed on 2025/05/06 15:33
upstream KMSAN: uninit-value in xfrm_state_find net 17 C error done 215 836d 2635d 22/29 fixed on 2023/07/01 16:05
android-54 KASAN: stack-out-of-bounds Read in xfrm_state_find 17 C 1 974d 974d 0/2 upstream: reported C repro on 2023/01/01 01:05
android-5-15 KASAN: stack-out-of-bounds Read in xfrm_state_find origin:upstream missing-backport 17 C error error 2 489d 974d 0/2 upstream: reported C repro on 2023/01/01 00:40
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) 17 syz error error 1 974d 974d 0/2 auto-obsoleted due to no activity on 2023/05/14 02:28
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find 17 1 1394d 1394d 0/2 closed as invalid on 2022/02/03 13:56
linux-6.6 KASAN: slab-use-after-free Read in xfrm_state_find 19 6 2d16h 4d01h 0/2 upstream: reported on 2025/08/28 18:56

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2519 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0xabc/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202
 xfrm_lookup net/xfrm/xfrm_policy.c:3333 [inline]
 xfrm_lookup_route+0x63/0x2b0 net/xfrm/xfrm_policy.c:3344
 ip_route_output_flow+0x20d/0x2b0 net/ipv4/route.c:2918
 ip_route_connect include/net/route.h:352 [inline]
 tcp_v4_connect+0xa43/0x1cd0 net/ipv4/tcp_ipv4.c:252
 tcp_v6_connect+0x134a/0x1d40 net/ipv6/tcp_ipv6.c:240
 __inet_stream_connect+0x2d3/0x1760 net/ipv4/af_inet.c:677
 inet_stream_connect+0x69/0xd0 net/ipv4/af_inet.c:748
 __sys_connect_file net/socket.c:2038 [inline]
 __sys_connect+0x523/0x680 net/socket.c:2057
 __do_sys_connect net/socket.c:2063 [inline]
 __se_sys_connect net/socket.c:2060 [inline]
 __x64_sys_connect+0x95/0x100 net/socket.c:2060
 x64_sys_call+0x23bb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x1b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp.i.i created at:
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2491 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0x3a7/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202

CPU: 1 UID: 0 PID: 11691 Comm: syz.5.1451 Not tainted 6.15.0-rc6-syzkaller-00278-g172a9d94339c #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
=====================================================

Crashes (2225):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/05/17 19:07 upstream 172a9d94339c f41472b0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in xfrm_state_find
2025/07/22 04:00 upstream 89be9a83ccf1 0b3788a0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in xfrm_state_find
2025/07/18 13:33 upstream 6832a9317eee f550e092 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in xfrm_state_find
2025/09/01 12:13 upstream b320789d6883 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 11:07 upstream b320789d6883 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 17:15 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 08:46 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 17:54 upstream 11e7861d680c 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 14:20 upstream 11e7861d680c 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/29 09:44 upstream 07d9df80082b 3e1beec6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce BUG: unable to handle kernel paging request in xfrm_state_find
2025/08/29 04:16 upstream 07d9df80082b 3e1beec6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in xfrm_state_find
2025/08/25 17:17 upstream b6add54ba618 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in xfrm_state_find
2025/08/05 15:46 upstream 7e161a991ea7 904e669c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 05:08 upstream 5c3b3264e585 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 09:56 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 08:16 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 03:26 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 02:17 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 02:16 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 01:14 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 16:50 upstream 11e7861d680c 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 06:27 upstream 11e7861d680c 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/23 23:30 upstream 8d245acc1e88 bf27483f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 11:36 upstream c8bc81a52d5a 807a3b61 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/24 01:13 upstream 8d245acc1e88 bf27483f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in xfrm_state_find
2025/08/06 09:34 upstream 6bcdbd62bd56 ffe1dd46 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm64-mte KASAN: invalid-access Read in xfrm_state_find
2025/09/01 19:13 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 17:52 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 16:54 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 15:46 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 14:21 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 13:18 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 09:53 bpf 71ca59e23445 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 08:02 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 07:20 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 04:03 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 01:40 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 00:17 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 20:59 bpf 71ca59e23445 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 19:54 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 18:32 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 15:50 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 13:49 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 00:12 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 21:34 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 20:17 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 19:17 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 19:06 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 15:20 net 788bc43d8330 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 12:30 net 9c736ace0666 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 11:00 net 9c736ace0666 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 10:00 bpf 5aa00f0e9589 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 08:52 net 9c736ace0666 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 07:42 net 9c736ace0666 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 23:04 net-next 864ecc4a6dad 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 14:50 net-next 864ecc4a6dad 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 12:40 net-next 864ecc4a6dad 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 07:09 net-next 864ecc4a6dad 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 06:06 net-next 864ecc4a6dad 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/31 04:30 net-next 864ecc4a6dad 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/30 03:09 bpf-next 98857d111c53 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/16 02:28 net-next 7de0eebbb4c3 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KFENCE: use-after-free read in xfrm_state_find
2025/08/10 05:27 net-next 37816488247d 32a0e5ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: global-out-of-bounds Read in xfrm_state_find
2025/09/01 06:20 linux-next 7fa4d8dc380f 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/09/01 02:54 linux-next 7fa4d8dc380f 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 10:47 linux-next 7fa4d8dc380f e12e5ba4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: use-after-free Read in xfrm_state_find
2025/08/17 17:27 linux-next 931e46dcbc7e 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/15 18:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/29 01:29 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next 8f5ae30d69d7 d401b9d7 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: slab-use-after-free Read in xfrm_state_find