syzbot
KMSAN: uninit-value in copy_from_kernel_nofault

Status: upstream: reported on 2026/03/16 10:22
Subsystems: mm
Labels: prio:high
Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com
First crash: 98d, last: 23h26m
✨ AI Jobs (1)
ID Workflow Result Correct Bug Created Started Finished Revision Error
670af089-dd20-4368-bf68-0ae5517084d2 assessment-security DenialOfService: ❌ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌ KMSAN: uninit-value in copy_from_kernel_nofault 2026/05/25 04:31 2026/05/25 04:31 2026/05/25 05:22 c69befb30ac10e158cc9d1557b508ee3f0eca1de

Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault 3 (4) 2026/03/16 14:36
Similar bugs (9)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: out-of-bounds Read in copy_from_kernel_nofault mm 17 C done 1628 450d 626d 28/29 fixed on 2025/05/06 15:33
upstream KASAN: out-of-bounds Write in copy_from_kernel_nofault mm 21 1 666d 666d 0/29 closed as invalid on 2024/09/13 11:13
linux-5.15 Internal error in copy_from_kernel_nofault origin:lts-only 2 C error 33 22d 314d 0/3 upstream: reported C repro on 2025/08/09 00:00
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2) mm 8 C 2 797d 807d 25/29 fixed on 2024/05/22 23:36
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault mm 8 C done 5 843d 942d 25/29 fixed on 2024/03/29 01:33
linux-5.15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream 8 C done 2 843d 946d 3/3 fixed on 2024/03/28 13:37
linux-6.1 KASAN: stack-out-of-bounds Write in copy_from_kernel_nofault origin:lts-only 21 C unreliable 3 843d 1173d 0/3 upstream: reported C repro on 2023/04/02 16:05
android-5-15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault missing-backport 8 C done 231 676d 946d 0/2 auto-obsoleted due to no activity on 2024/10/20 13:25
android-6-1 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream missing-backport 8 C done inconclusive 127 730d 946d 0/2 auto-obsoleted due to no activity on 2024/08/28 01:00

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 prepend_copy fs/d_path.c:50 [inline]
 prepend fs/d_path.c:76 [inline]
 prepend_name fs/d_path.c:101 [inline]
 __prepend_path fs/d_path.c:133 [inline]
 prepend_path+0x64e/0x1090 fs/d_path.c:172
 d_absolute_path+0x11b/0x240 fs/d_path.c:234
 tomoyo_get_absolute_path security/tomoyo/realpath.c:101 [inline]
 tomoyo_realpath_from_path+0x4bd/0x9f0 security/tomoyo/realpath.c:271
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x249/0x9a0 security/tomoyo/file.c:827
 tomoyo_inode_getattr+0x35/0x40 security/tomoyo/tomoyo.c:123
 security_inode_getattr+0x16e/0x590 security/security.c:1895
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat fs/stat.c:281 [inline]
 __do_sys_newfstat fs/stat.c:551 [inline]
 __se_sys_newfstat+0xd5/0xa60 fs/stat.c:546
 __x64_sys_newfstat+0x78/0xb0 fs/stat.c:546
 x64_sys_call+0x2f28/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:6
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15d/0x3c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

<Zero or more stacks not recorded to save memory>

Uninit was stored to memory at:
 copy_name fs/dcache.c:2928 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2997
 d_move+0x71/0xf0 fs/dcache.c:3044
 vfs_rename+0x2510/0x2650 fs/namei.c:6079
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6182
 __do_sys_rename fs/namei.c:6226 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6222
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6222
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15d/0x3c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4577 [inline]
 slab_alloc_node mm/slub.c:4899 [inline]
 kmem_cache_alloc_lru_noprof+0x37a/0x1260 mm/slub.c:4918
 __d_alloc+0x55/0xa00 fs/dcache.c:1807
 d_alloc+0x57/0x300 fs/dcache.c:1886
 lookup_one_qstr_excl+0x19d/0x7b0 fs/namei.c:1801
 __start_renaming+0x38e/0x870 fs/namei.c:3890
 filename_renameat2+0x735/0x1260 fs/namei.c:6157
 __do_sys_rename fs/namei.c:6226 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6222
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6222
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15d/0x3c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 5-7 of 8 are uninitialized
Memory access of size 8 starts at ffff8880142ad338

CPU: 0 UID: 0 PID: 5917 Comm: udevd Tainted: G        W           syzkaller #0 PREEMPT(lazy) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
=====================================================

Crashes (20):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/06/18 05:46 upstream 2b414a95b8f7 b62b3ded .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/06/16 12:08 upstream 2b414a95b8f7 50bb0618 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/06/14 05:40 upstream 2b414a95b8f7 1d2f3589 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/06/11 11:37 upstream 9716c086c8e8 b754d2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/06/02 00:57 upstream e43ffb69e043 1095583b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/06/01 01:03 upstream 8d9c51eac648 6b4a8443 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/24 22:12 upstream 6a97c4d5262d c69befb3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/21 13:54 upstream 8bc67e4db64a e195359d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/20 20:44 upstream df685633c3db 62fb93a2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/18 12:48 upstream 5200f5f493f7 55156e84 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/13 06:41 upstream c21b90f77687 a0949470 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/06 03:51 upstream 9207d47f966b 26da2c66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/04 09:15 upstream 6d35786de281 a0d91488 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/22 04:34 upstream e2683c8868d0 0b6ab7ec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/19 17:07 upstream faeab166167f 303e2802 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/13 22:39 upstream 0f0013213293 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/05/15 01:38 upstream 66182ca873a4 6ccb967e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/10 10:40 upstream 9a9c8ce300cd 38c8e246 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/03/28 22:39 upstream be762d8b6dd7 356bdfc9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/03/12 10:17 upstream 80234b5ab240 4efadf07 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
* Struck through repros no longer work on HEAD.