=====================================================
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _inline_copy_to_user include/linux/uaccess.h:196 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_user+0xcc/0x120 lib/usercopy.c:26
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _inline_copy_to_user include/linux/uaccess.h:196 [inline]
 _copy_to_user+0xcc/0x120 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:225 [inline]
 copy_siginfo_to_user+0x3f/0x140 kernel/signal.c:3503
 x64_setup_rt_frame+0x1392/0x2590 arch/x86/kernel/signal_64.c:194
 setup_rt_frame arch/x86/kernel/signal.c:250 [inline]
 handle_signal arch/x86/kernel/signal.c:294 [inline]
 arch_do_signal_or_restart+0x5ca/0xbe0 arch/x86/kernel/signal.c:339
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x6c/0xb0 kernel/entry/common.c:218
 do_syscall_64+0xe6/0x1b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 13603 at kernel/stacktrace.c:29 stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Modules linked in:
CPU: 1 UID: 0 PID: 13603 Comm: syz.1.2100 Tainted: G W 6.15.0-rc3-syzkaller-00094-g02ddfb981de8 #0 PREEMPT(undef)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Code: 88 22 e0 91 89 de ba 20 00 00 00 4c 89 e1 e8 33 d5 4f ff 49 83 c6 08 49 ff cd 0f 85 6e ff ff ff eb 0b e8 2f e7 c0 00 eb d4 90 <0f> 0b 90 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 66 0f 1f
RSP: 0018:ffff888130387828 EFLAGS: 00010246
RAX: ffff88803f7f4cd8 RBX: 0000000000000000 RCX: 000007ffffffffff
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888130387850 R08: 0000000000000000 R09: 0000000000000000
R10: ffff88812fb87868 R11: fffffffffffeea88 R12: 0000000000000000
R13: 00000000abcd0100 R14: 0000000000000000 R15: 0000000000000000
FS:  000055556079c500(0000) GS:ffff8881aabc5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c30d76d CR3: 000000011be9c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kmsan_print_origin+0xb0/0x340 mm/kmsan/report.c:133
 kmsan_report+0x1b8/0x2a0 mm/kmsan/report.c:196
 kmsan_internal_check_memory+0x1d1/0x570 mm/kmsan/core.c:296
 kmsan_copy_to_user+0xca/0xe0 mm/kmsan/hooks.c:271
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _inline_copy_to_user include/linux/uaccess.h:196 [inline]
 _copy_to_user+0xcc/0x120 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:225 [inline]
 copy_siginfo_to_user+0x3f/0x140 kernel/signal.c:3503
 x64_setup_rt_frame+0x1392/0x2590 arch/x86/kernel/signal_64.c:194
 setup_rt_frame arch/x86/kernel/signal.c:250 [inline]
 handle_signal arch/x86/kernel/signal.c:294 [inline]
 arch_do_signal_or_restart+0x5ca/0xbe0 arch/x86/kernel/signal.c:339
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x6c/0xb0 kernel/entry/common.c:218
 do_syscall_64+0xe6/0x1b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd874a67da5
Code: 72 f3 48 83 e8 08 48 39 f2 73 17 66 2e 0f 1f 84 00 00 00 00 00 48 8b 70 f8 48 83 e8 08 48 39 f2 72 f3 48 39 c3 73 3e 48 89 33 <48> 83 c3 08 48 8b 70 f8 48 89 08 48 8b 0b 49 8b 14 24 eb bf 48 39
RSP: 002b:00007fff31da68d0 EFLAGS: 00000287
RAX: 00007fd873f43490 RBX: 00007fd873f429b8 RCX: ffffffff82728218
RDX: ffffffff82728218 RSI: ffffffff82728218 RDI: 00007fd873f435c0
RBP: 00007fd873f42890 R08: 00007fd873f42f20 R09: 00007fd874da2000
R10: 00007fd873dfd008 R11: 0000000000000008 R12: 00007fd873f42888
R13: 0000000000000013 R14: ffffffffffffffff R15: 00007fd873dfd008
---[ end trace 0000000000000000 ]---

Uninit was created at:
 slab_free_hook mm/slub.c:2324 [inline]
 slab_free mm/slub.c:4656 [inline]
 kmem_cache_free+0x286/0xf00 mm/slub.c:4758
 __sigqueue_free+0x23a/0x270 kernel/signal.c:475
 collect_signal kernel/signal.c:587 [inline]
 __dequeue_signal+0x66b/0x970 kernel/signal.c:609
 dequeue_signal+0x1c0/0x840 kernel/signal.c:632
 get_signal+0xbf8/0x2a20 kernel/signal.c:2914
 arch_do_signal_or_restart+0x53/0xbe0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x6c/0xb0 kernel/entry/common.c:218
 do_syscall_64+0xe6/0x1b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 12-15 of 48 are uninitialized
Memory access of size 48 starts at ffff888130387e18
Data copied to user address 00007fff31da6470

CPU: 1 UID: 0 PID: 13603 Comm: syz.1.2100 Tainted: G W 6.15.0-rc3-syzkaller-00094-g02ddfb981de8 #0 PREEMPT(undef)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
=====================================================