syzbot

 sign-in | mailing list | source | docs
🐞 Open [1583]
Subsystems
🐞 Fixed [6160]
🐞 Invalid [15442]
Missing Backports [173]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KMSAN: uninit-value in __kernfs_remove

Status: upstream: reported on 2025/04/05 13:17
Subsystems: kernfs
[Documentation on labels]
Reported-by: syzbot+cc330991864da84c780a@syzkaller.appspotmail.com
First crash: 6d08h, last: 6d08h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [kernfs?] KMSAN: uninit-value in __kernfs_remove 0 (1) 2025/04/05 13:17
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in __kernfs_remove kernfs 4 1221d 1321d 0/28 auto-closed as invalid on 2022/04/02 06:14
upstream KASAN: use-after-free Read in __kernfs_remove C done 3985 912d 956d 22/28 fixed on 2023/02/24 13:50
android-5-15 KASAN: null-ptr-deref Write in __kernfs_remove 1 274d 274d 0/2 auto-obsoleted due to no activity on 2024/10/04 23:45
android-5-10 KASAN: null-ptr-deref Write in __kernfs_remove 1 252d 252d 0/2 auto-obsoleted due to no activity on 2024/10/27 11:25

Sample crash report:
netdevsim netdevsim3 eth3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
=====================================================
BUG: KMSAN: uninit-value in __rb_change_child include/linux/rbtree_augmented.h:-1 [inline]
BUG: KMSAN: uninit-value in __rb_erase_augmented include/linux/rbtree_augmented.h:242 [inline]
BUG: KMSAN: uninit-value in rb_erase+0x597/0x23b0 lib/rbtree.c:443
 __rb_change_child include/linux/rbtree_augmented.h:-1 [inline]
 __rb_erase_augmented include/linux/rbtree_augmented.h:242 [inline]
 rb_erase+0x597/0x23b0 lib/rbtree.c:443
 kernfs_unlink_sibling fs/kernfs/dir.c:419 [inline]
 __kernfs_remove+0xbd5/0xfd0 fs/kernfs/dir.c:1493
 kernfs_remove+0xa5/0xf0 fs/kernfs/dir.c:1529
 sysfs_remove_dir+0x102/0x170 fs/sysfs/dir.c:101
 __kobject_del+0x13e/0x4b0 lib/kobject.c:604
 kobject_del lib/kobject.c:627 [inline]
 kset_unregister+0x4d/0x90 lib/kobject.c:890
 remove_queue_kobjects net/core/net-sysfs.c:2156 [inline]
 netdev_unregister_kobject+0x527/0x570 net/core/net-sysfs.c:2304
 unregister_netdevice_many_notify+0x3a00/0x4600 net/core/dev.c:12009
 unregister_netdevice_many net/core/dev.c:12037 [inline]
 unregister_netdevice_queue+0x598/0x5f0 net/core/dev.c:11889
 unregister_netdevice include/linux/netdevice.h:3374 [inline]
 nsim_destroy+0x147/0x720 drivers/net/netdevsim/netdev.c:1051
 __nsim_dev_port_del+0x1e9/0x320 drivers/net/netdevsim/dev.c:1428
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline]
 nsim_dev_reload_destroy+0x464/0x7b0 drivers/net/netdevsim/dev.c:1661
 nsim_drv_remove+0x93/0x310 drivers/net/netdevsim/dev.c:1676
 nsim_bus_remove+0x1e/0x30 drivers/net/netdevsim/bus.c:398
 device_remove drivers/base/dd.c:567 [inline]
 __device_release_driver drivers/base/dd.c:1273 [inline]
 device_release_driver_internal+0x58a/0x990 drivers/base/dd.c:1296
 device_release_driver+0x22/0x30 drivers/base/dd.c:1319
 bus_remove_device+0x71b/0x760 drivers/base/bus.c:579
 device_del+0x7ee/0xd40 drivers/base/core.c:3855
 device_unregister+0x1e/0x40 drivers/base/core.c:3896
 nsim_bus_dev_del drivers/net/netdevsim/bus.c:462 [inline]
 del_device_store+0x421/0x640 drivers/net/netdevsim/bus.c:226
 bus_attr_store+0x92/0xf0 drivers/base/bus.c:172
 sysfs_kf_write+0x19a/0x250 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x525/0x910 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:591 [inline]
 vfs_write+0xb34/0x1540 fs/read_write.c:684
 ksys_write+0x240/0x4b0 fs/read_write.c:736
 __do_sys_write fs/read_write.c:747 [inline]
 __se_sys_write fs/read_write.c:744 [inline]
 __x64_sys_write+0x93/0xe0 fs/read_write.c:744
 x64_sys_call+0x34de/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp created at:
 number+0x8f/0x1e70 lib/vsprintf.c:455
 vsnprintf+0x91b/0x1a10 lib/vsprintf.c:2811

CPU: 1 UID: 0 PID: 8025 Comm: syz-executor Not tainted 6.14.0-syzkaller-11270-g08733088b566 #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/04/01 13:09 upstream 08733088b566 36d76a97 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in __kernfs_remove
* Struck through repros no longer work on HEAD.