syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1345]
Subsystems
🐞 Fixed [7066]
🐞 Invalid [18556]
Missing Backports [222]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KMSAN: uninit-value in copy_from_kernel_nofault

Status: upstream: reported on 2026/03/16 10:22
Subsystems: mm
[Documentation on labels]
Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com
First crash: 41d, last: 20h12m
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault 3 (4) 2026/03/16 14:36
Similar bugs (9)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: out-of-bounds Read in copy_from_kernel_nofault mm 17 C done 1628 393d 569d 28/29 fixed on 2025/05/06 15:33
upstream KASAN: out-of-bounds Write in copy_from_kernel_nofault mm 21 1 609d 609d 0/29 closed as invalid on 2024/09/13 11:13
linux-5.15 Internal error in copy_from_kernel_nofault origin:lts-only 2 C error 33 42d 257d 0/3 upstream: reported C repro on 2025/08/09 00:00
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2) mm 8 C 2 740d 750d 25/29 fixed on 2024/05/22 23:36
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault mm 8 C done 5 786d 885d 25/29 fixed on 2024/03/29 01:33
linux-5.15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream 8 C done 2 786d 889d 3/3 fixed on 2024/03/28 13:37
linux-6.1 KASAN: stack-out-of-bounds Write in copy_from_kernel_nofault origin:lts-only 21 C unreliable 3 786d 1116d 0/3 upstream: reported C repro on 2023/04/02 16:05
android-5-15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault missing-backport 8 C done 231 619d 889d 0/2 auto-obsoleted due to no activity on 2024/10/20 13:25
android-6-1 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream missing-backport 8 C done inconclusive 127 672d 889d 0/2 auto-obsoleted due to no activity on 2024/08/28 01:00

Sample crash report:
page: refcount:2 mapcount:0 mapping:ffff88810102ef70 index:0x21 pfn:0x52554
memcg:ffff888050295b80
=====================================================
BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 dump_mapping+0x5cc/0xa10 fs/inode.c:754
 __dump_folio+0x863/0xc40 mm/debug.c:106
 __dump_page+0x12a/0x170 mm/debug.c:138
 dump_page+0xcf/0x140 mm/debug.c:146
 free_large_kmalloc+0x1fb/0x300 mm/slub.c:6472
 kfree+0x1fd/0x1100 mm/slub.c:6556
 urb_destroy drivers/usb/core/urb.c:25 [inline]
 kref_put include/linux/kref.h:65 [inline]
 usb_free_urb+0x125/0x150 drivers/usb/core/urb.c:96
 smsusb_term_device+0x473/0x700 drivers/media/usb/siano/smsusb.c:352
 smsusb_init_device drivers/media/usb/siano/smsusb.c:497 [inline]
 smsusb_probe+0x2d2a/0x3700 drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0xd51/0x1440 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d5/0xe40 drivers/base/dd.c:709
 __driver_probe_device+0x2fb/0x410 drivers/base/dd.c:871
 driver_probe_device+0x70/0x8f0 drivers/base/dd.c:901
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:1029
 bus_for_each_drv+0x3e3/0x680 drivers/base/bus.c:500
 __device_attach+0x3c5/0x5f0 drivers/base/dd.c:1101
 device_initial_probe+0x126/0x170 drivers/base/dd.c:1156
 bus_probe_device+0x287/0x530 drivers/base/bus.c:613
 device_add+0x12e3/0x1c90 drivers/base/core.c:3706
 usb_set_configuration+0x3484/0x3b60 drivers/usb/core/message.c:2268
 usb_generic_driver_probe+0xfc/0x290 drivers/usb/core/generic.c:250
 usb_probe_device+0x38d/0x690 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x4d5/0xe40 drivers/base/dd.c:709
 __driver_probe_device+0x2fb/0x410 drivers/base/dd.c:871
 driver_probe_device+0x70/0x8f0 drivers/base/dd.c:901
 __device_attach_driver+0x4ee/0x950 drivers/base/dd.c:1029
 bus_for_each_drv+0x3e3/0x680 drivers/base/bus.c:500
 __device_attach+0x3c5/0x5f0 drivers/base/dd.c:1101
 device_initial_probe+0x126/0x170 drivers/base/dd.c:1156
 bus_probe_device+0x287/0x530 drivers/base/bus.c:613
 device_add+0x12e3/0x1c90 drivers/base/core.c:3706
 usb_new_device+0x106a/0x2120 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x5404/0x77c0 drivers/usb/core/hub.c:5953
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3466
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4576 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_lru_noprof+0x37a/0x1260 mm/slub.c:4917
 __d_alloc+0x55/0xa00 fs/dcache.c:1807
 d_alloc_pseudo+0x3b/0x1b0 fs/dcache.c:1938
 alloc_path_pseudo fs/file_table.c:405 [inline]
 alloc_file_pseudo_noaccount+0x111/0x400 fs/file_table.c:449
 bdev_file_open_by_dev+0x2cf/0x590 block/bdev.c:1059
 setup_bdev_super+0x72/0xad0 fs/super.c:1612
 get_tree_bdev_flags+0x564/0x920 fs/super.c:1692
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 ntfs_fs_get_tree+0x35/0x40 fs/ntfs3/super.c:1815
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x885/0x1dd0 fs/namespace.c:3834
 path_mount+0x7a2/0x20b0 fs/namespace.c:4154
 do_mount fs/namespace.c:4167 [inline]
 __do_sys_mount fs/namespace.c:4383 [inline]
 __se_sys_mount+0x704/0x7f0 fs/namespace.c:4360
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4360
 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 1-7 of 8 are uninitialized
Memory access of size 8 starts at ffff888013cec6f8

CPU: 1 UID: 0 PID: 2161 Comm: kworker/1:2 Tainted: G        W           syzkaller #0 PREEMPT(full) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: usb_hub_wq hub_event
=====================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/04/22 04:34 upstream e2683c8868d0 0b6ab7ec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/19 17:07 upstream faeab166167f 303e2802 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/13 22:39 upstream 0f0013213293 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/10 10:40 upstream 9a9c8ce300cd 38c8e246 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/03/28 22:39 upstream be762d8b6dd7 356bdfc9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/03/12 10:17 upstream 80234b5ab240 4efadf07 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
* Struck through repros no longer work on HEAD.