syzbot

 sign-in | mailing list | source | docs
🐞 Open [1444]
Subsystems
🐞 Fixed [6942]
🐞 Invalid [18087]
Missing Backports [223]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KMSAN: uninit-value in IP6_ECN_decapsulate (3)

Status: upstream: reported C repro on 2026/01/07 16:24
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
Fix commit: 81c734dae203 ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-upstream-gce-arm64]
First crash: 123d, last: 49d
Discussions (9)
Title Replies (including bot) Last reply
[PATCH v4] selftests/net: add test for IP-in-IPv6 tunneling 3 (3) 2026/02/24 01:40
[PATCH v3] selftests/net: add test for IP-in-IPv6 tunneling 3 (3) 2026/02/14 13:40
[PATCH v2] selftests/net: add test for IPv4-in-IPv6 tunneling 3 (3) 2026/02/11 02:14
[PATCH] selftests/net: add test for IPv4-in-IPv6 tunneling 5 (5) 2026/02/10 13:31
Re: [PATCH net] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() 6 (6) 2026/02/10 13:21
Re: [PATCH net] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() 1 (1) 2026/01/31 01:28
Re: [PATCH net] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() 1 (1) 2026/01/30 23:53
[PATCH net] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() 2 (2) 2026/01/10 02:20
[syzbot] [net?] KMSAN: uninit-value in IP6_ECN_decapsulate (3) 0 (1) 2026/01/07 16:24
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in IP6_ECN_decapsulate (2) net 7 C 3 752d 767d 25/29 fixed on 2024/03/26 17:39
upstream KMSAN: uninit-value in IP6_ECN_decapsulate net 7 C 981 799d 2715d 25/29 fixed on 2023/12/21 03:45
Last patch testing requests (6)
Created Duration User Patch Repo Result
2026/01/07 16:03 31m edumazet@google.com patch upstream OK log
2026/01/07 15:43 37m edumazet@google.com patch upstream OK log
2026/01/07 12:42 25m edumazet@google.com upstream report log
2025/11/09 05:05 31m retest repro upstream report log
2025/11/09 05:05 19m retest repro upstream report log
2025/11/09 05:05 23m retest repro upstream report log

Sample crash report:
syz.0.17 uses obsolete (PF_INET,SOCK_PACKET)
=====================================================
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
 INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
 IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
 gre_rcv+0x14fd/0x1b60 net/ipv6/ip6_gre.c:-1
 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
 dst_input include/net/dst.h:474 [inline]
 ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core net/core/dev.c:6079 [inline]
 __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6192
 netif_receive_skb_internal net/core/dev.c:6278 [inline]
 netif_receive_skb+0x57/0x630 net/core/dev.c:6337
 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
 tun_get_user+0x5d60/0x6d70 drivers/net/tun.c:1953
 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xbe2/0x15d0 fs/read_write.c:686
 ksys_write fs/read_write.c:738 [inline]
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
 x64_sys_call+0x3014/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4977 [inline]
 slab_alloc_node mm/slub.c:5280 [inline]
 kmem_cache_alloc_node_noprof+0x989/0x16b0 mm/slub.c:5332
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6671
 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2965
 tun_alloc_skb drivers/net/tun.c:1461 [inline]
 tun_get_user+0x1142/0x6d70 drivers/net/tun.c:1794
 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xbe2/0x15d0 fs/read_write.c:686
 ksys_write fs/read_write.c:738 [inline]
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
 x64_sys_call+0x3014/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 6032 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
=====================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/10/26 05:04 upstream 9bb956508c9d c0460fcd .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in IP6_ECN_decapsulate
2025/10/26 02:36 upstream 9bb956508c9d c0460fcd .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in IP6_ECN_decapsulate
2025/10/26 00:08 upstream 9bb956508c9d c0460fcd .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in IP6_ECN_decapsulate
2025/10/25 16:57 upstream 566771afc7a8 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in IP6_ECN_decapsulate
* Struck through repros no longer work on HEAD.