syzbot


KMSAN: uninit-value in xlog_verify_head

Status: upstream: reported on 2026/04/02 18:55
Subsystems: xfs
Reported-by: syzbot+b7dfbed0c6c2b5e9fd34@syzkaller.appspotmail.com
First crash: 51d, last: 51d
✨ AI Jobs (1)
ID Workflow Result Correct Bug Created Started Finished Revision Error
8d464bff-5cf4-4ca1-9c41-284d40a140fc assessment-security 💥 KMSAN: uninit-value in xlog_verify_head 2026/05/14 11:54 2026/05/14 11:54 2026/05/14 11:56 6ccb967e465e832a7bfd7a116ad00d52a0923a5d
failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/09d1caa061cb53c83a74b4ab1f16c58752477a4b" "-s" "bzImage" "compile_commands.json"]: exit status 2
/app/workdir/cache/src/5acf2b7ba2e43c3b198e1427067fd29376b7032f/security/apparmor/apparmorfs.c:177:28: warning: unused function 'get_loaddata_common_ref' [-Wunused-function]
  177 | static struct aa_loaddata *get_loaddata_common_ref(struct aa_common_ref *ref)
      |                            ^~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
fatal error: error in backend: IO failure on output stream: No space left on device
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Discussions (2)
Title Replies (including bot) Last reply
[PATCH] xfs: reject CRC validation when the log header cannot be retrieved 4 (4) 2026/04/07 07:47
[syzbot] [xfs?] KMSAN: uninit-value in xlog_verify_head 0 (1) 2026/04/02 18:55

Sample crash report:
XFS (loop4): Mounting V5 Filesystem d7dc424e-7990-42cb-9f91-9cb7200a101d
=====================================================
BUG: KMSAN: uninit-value in xlog_verify_head+0x6c3/0x910 fs/xfs/xfs_log_recover.c:1058
 xlog_verify_head+0x6c3/0x910 fs/xfs/xfs_log_recover.c:1058
 xlog_find_tail+0xc2e/0x1a50 fs/xfs/xfs_log_recover.c:1315
 xlog_recover+0x6d/0x800 fs/xfs/xfs_log_recover.c:3426
 xfs_log_mount+0x4da/0x880 fs/xfs/xfs_log.c:617
 xfs_mountfs+0x1599/0x2d00 fs/xfs/xfs_mount.c:1034
 xfs_fs_fill_super+0x2603/0x2be0 fs/xfs/xfs_super.c:1938
 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 xfs_fs_get_tree+0x35/0x40 fs/xfs/xfs_super.c:1985
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
 path_mount+0x7a2/0x20b0 fs/namespace.c:4159
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
 __ia32_sys_mount+0xe2/0x150 fs/namespace.c:4338
 ia32_sys_call+0x27fe/0x4360 arch/x86/include/generated/asm/syscalls_32.h:22
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x17f/0x3f0 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/syscall_32.c:332
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:370
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Uninit was stored to memory at:
 xlog_verify_head+0x6bc/0x910 fs/xfs/xfs_log_recover.c:1058
 xlog_find_tail+0xc2e/0x1a50 fs/xfs/xfs_log_recover.c:1315
 xlog_recover+0x6d/0x800 fs/xfs/xfs_log_recover.c:3426
 xfs_log_mount+0x4da/0x880 fs/xfs/xfs_log.c:617
 xfs_mountfs+0x1599/0x2d00 fs/xfs/xfs_mount.c:1034
 xfs_fs_fill_super+0x2603/0x2be0 fs/xfs/xfs_super.c:1938
 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 xfs_fs_get_tree+0x35/0x40 fs/xfs/xfs_super.c:1985
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
 path_mount+0x7a2/0x20b0 fs/namespace.c:4159
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
 __ia32_sys_mount+0xe2/0x150 fs/namespace.c:4338
 ia32_sys_call+0x27fe/0x4360 arch/x86/include/generated/asm/syscalls_32.h:22
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x17f/0x3f0 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/syscall_32.c:332
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:370
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Local variable tmp_rhead_blk created at:
 xlog_verify_head+0x81/0x910 fs/xfs/xfs_log_recover.c:1032
 xlog_find_tail+0xc2e/0x1a50 fs/xfs/xfs_log_recover.c:1315

CPU: 1 UID: 0 PID: 7664 Comm: syz.4.285 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
=====================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/03/29 18:48 upstream cbfffcca2bf0 356bdfc9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in xlog_verify_head