syzbot

 sign-in | mailing list | source | docs
🐞 Open [1407]
Subsystems
🐞 Fixed [6991]
🐞 Invalid [18240]
Missing Backports [223]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KMSAN: uninit-value in copy_from_kernel_nofault

Status: upstream: reported on 2026/03/16 10:22
Subsystems: mm
[Documentation on labels]
Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com
First crash: 5d04h, last: 5d04h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault 3 (4) 2026/03/16 14:36
Similar bugs (9)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: out-of-bounds Read in copy_from_kernel_nofault mm 17 C done 1628 356d 533d 28/29 fixed on 2025/05/06 15:33
upstream KASAN: out-of-bounds Write in copy_from_kernel_nofault mm 21 1 573d 572d 0/29 closed as invalid on 2024/09/13 11:13
linux-5.15 Internal error in copy_from_kernel_nofault origin:lts-only 2 C error 33 5d18h 220d 0/3 upstream: reported C repro on 2025/08/09 00:00
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2) mm 8 C 2 704d 714d 25/29 fixed on 2024/05/22 23:36
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault mm 8 C done 5 749d 848d 25/29 fixed on 2024/03/29 01:33
linux-5.15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream 8 C done 2 749d 852d 3/3 fixed on 2024/03/28 13:37
linux-6.1 KASAN: stack-out-of-bounds Write in copy_from_kernel_nofault origin:lts-only 21 C unreliable 3 749d 1079d 0/3 upstream: reported C repro on 2023/04/02 16:05
android-5-15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault missing-backport 8 C done 231 583d 852d 0/2 auto-obsoleted due to no activity on 2024/10/20 13:25
android-6-1 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream missing-backport 8 C done inconclusive 127 636d 852d 0/2 auto-obsoleted due to no activity on 2024/08/28 01:00

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 prepend_copy fs/d_path.c:50 [inline]
 prepend fs/d_path.c:76 [inline]
 prepend_name fs/d_path.c:101 [inline]
 __prepend_path fs/d_path.c:133 [inline]
 prepend_path+0x64e/0x1090 fs/d_path.c:172
 d_absolute_path+0x11b/0x240 fs/d_path.c:234
 tomoyo_get_absolute_path security/tomoyo/realpath.c:101 [inline]
 tomoyo_realpath_from_path+0x4bd/0x9f0 security/tomoyo/realpath.c:271
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x249/0x9a0 security/tomoyo/file.c:827
 tomoyo_inode_getattr+0x35/0x40 security/tomoyo/tomoyo.c:123
 security_inode_getattr+0x16e/0x590 security/security.c:1869
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat fs/stat.c:281 [inline]
 __do_sys_newfstat fs/stat.c:551 [inline]
 __se_sys_newfstat+0xd5/0xa60 fs/stat.c:546
 __x64_sys_newfstat+0x78/0xb0 fs/stat.c:546
 x64_sys_call+0x2f28/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:6
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

<Zero or more stacks not recorded to save memory>

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4549 [inline]
 slab_alloc_node mm/slub.c:4869 [inline]
 kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4888
 __d_alloc+0x55/0xa00 fs/dcache.c:1740
 d_alloc+0x57/0x300 fs/dcache.c:1819
 lookup_one_qstr_excl+0x1a1/0x7b0 fs/namei.c:1801
 __start_renaming+0x38e/0x870 fs/namei.c:3862
 filename_renameat2+0x735/0x1260 fs/namei.c:6119
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 5-7 of 8 are uninitialized
Memory access of size 8 starts at ffff888014109578

CPU: 0 UID: 0 PID: 5966 Comm: udevd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026
=====================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/03/12 10:17 upstream 80234b5ab240 4efadf07 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
* Struck through repros no longer work on HEAD.