syzbot


KMSAN: uninit-value in xfrm_state_find (4)

Status: upstream: reported on 2025/05/21 19:14
Subsystems: net
Reported-by: syzbot+7ed9d47e15e88581dc5b@syzkaller.appspotmail.com
Fix commit: 94d077c33173 xfrm: state: initialize state_ptrs earlier in xfrm_state_find
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm]
First crash: 103d, last: 19m
Discussions (3)
Title | Replies (including bot) | Last reply
[PATCH 1/8] xfrm: state: initialize state_ptrs earlier in xfrm_state_find | 1 (1) | 2025/07/23 07:53
[PATCH ipsec 0/2] xfrm: fixes for xfrm_state_find under preemption | 4 (4) | 2025/06/10 07:55
[syzbot] [net?] KMSAN: uninit-value in xfrm_state_find (4) | 1 (2) | 2025/05/22 11:54
Similar bugs (9)
Kernel | Title | Labels | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KMSAN: uninit-value in xfrm_state_find (2) | net | 17 | - | - | - | 19 | 506d | 665d | 0/29 | auto-obsoleted due to no activity on 2024/07/18 11:50
upstream | KMSAN: uninit-value in xfrm_state_find (3) | net | 7 | - | - | - | 1 | 363d | 363d | 0/29 | closed as invalid on 2024/10/09 09:35
upstream | KASAN: slab-out-of-bounds Read in xfrm_state_find | net | 17 | - | - | - | 10 | 121d | 275d | 28/29 | fixed on 2025/05/06 15:33
upstream | KMSAN: uninit-value in xfrm_state_find | net | 17 | C | error | done | 215 | 832d | 2631d | 22/29 | fixed on 2023/07/01 16:05
android-54 | KASAN: stack-out-of-bounds Read in xfrm_state_find | - | 17 | C | - | - | 1 | 971d | 971d | 0/2 | upstream: reported C repro on 2023/01/01 01:05
android-5-15 | KASAN: stack-out-of-bounds Read in xfrm_state_find | origin:upstream missing-backport | 17 | C | error | error | 2 | 485d | 971d | 0/2 | upstream: reported C repro on 2023/01/01 00:40
android-5-10 | KASAN: stack-out-of-bounds Read in xfrm_state_find (2) | - | 17 | syz | error | error | 1 | 971d | 971d | 0/2 | auto-obsoleted due to no activity on 2023/05/14 02:28
android-5-10 | KASAN: stack-out-of-bounds Read in xfrm_state_find | - | 17 | - | - | - | 1 | 1390d | 1390d | 0/2 | closed as invalid on 2022/02/03 13:56
linux-6.6 | KASAN: slab-use-after-free Read in xfrm_state_find | - | 19 | - | - | - | 4 | 17m | 6h59m | 0/2 | upstream: reported on 2025/08/28 18:56

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2519 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0xabc/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202
 xfrm_lookup net/xfrm/xfrm_policy.c:3333 [inline]
 xfrm_lookup_route+0x63/0x2b0 net/xfrm/xfrm_policy.c:3344
 ip_route_output_flow+0x20d/0x2b0 net/ipv4/route.c:2918
 ip_route_connect include/net/route.h:352 [inline]
 tcp_v4_connect+0xa43/0x1cd0 net/ipv4/tcp_ipv4.c:252
 tcp_v6_connect+0x134a/0x1d40 net/ipv6/tcp_ipv6.c:240
 __inet_stream_connect+0x2d3/0x1760 net/ipv4/af_inet.c:677
 inet_stream_connect+0x69/0xd0 net/ipv4/af_inet.c:748
 __sys_connect_file net/socket.c:2038 [inline]
 __sys_connect+0x523/0x680 net/socket.c:2057
 __do_sys_connect net/socket.c:2063 [inline]
 __se_sys_connect net/socket.c:2060 [inline]
 __x64_sys_connect+0x95/0x100 net/socket.c:2060
 x64_sys_call+0x23bb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x1b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp.i.i created at:
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2491 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0x3a7/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202

CPU: 1 UID: 0 PID: 11691 Comm: syz.5.1451 Not tainted 6.15.0-rc6-syzkaller-00278-g172a9d94339c #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
=====================================================
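For triage it helps to pull the report above apart mechanically rather than by eye: which sanitizer fired, what bug class, the top frame and its source location, the syscall that reached it, and, for KMSAN, which variable the uninitialized bytes came from and where it was created. The parser below is an added example, not syzbot's or the kernel's code. Its SAMPLE_REPORT is the page's own sample crash report copied verbatim; the regular expressions are assumptions about the line shapes visible in that report (the same BUG: line shape is also emitted by KASAN, which is why the tool name is matched generically), and they are not a general sanitizer-output parser.

```python
"""Added example, not syzbot's or the kernel's code: parse a KMSAN/KASAN report into
the fields a triager reads first. SAMPLE_REPORT is the page's sample report, verbatim."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """\
=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_state_find+0x2423/0xaae0 net/xfrm/xfrm_state.c:1438
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2519 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0xabc/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202
 xfrm_lookup net/xfrm/xfrm_policy.c:3333 [inline]
 xfrm_lookup_route+0x63/0x2b0 net/xfrm/xfrm_policy.c:3344
 ip_route_output_flow+0x20d/0x2b0 net/ipv4/route.c:2918
 ip_route_connect include/net/route.h:352 [inline]
 tcp_v4_connect+0xa43/0x1cd0 net/ipv4/tcp_ipv4.c:252
 tcp_v6_connect+0x134a/0x1d40 net/ipv6/tcp_ipv6.c:240
 __inet_stream_connect+0x2d3/0x1760 net/ipv4/af_inet.c:677
 inet_stream_connect+0x69/0xd0 net/ipv4/af_inet.c:748
 __sys_connect_file net/socket.c:2038 [inline]
 __sys_connect+0x523/0x680 net/socket.c:2057
 __do_sys_connect net/socket.c:2063 [inline]
 __se_sys_connect net/socket.c:2060 [inline]
 __x64_sys_connect+0x95/0x100 net/socket.c:2060
 x64_sys_call+0x23bb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x1b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp.i.i created at:
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2491 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2570 [inline]
 xfrm_resolve_and_create_bundle+0x3a7/0x58b0 net/xfrm/xfrm_policy.c:2868
 xfrm_lookup_with_ifid+0x48c/0x3ac0 net/xfrm/xfrm_policy.c:3202

CPU: 1 UID: 0 PID: 11691 Comm: syz.5.1451 Not tainted 6.15.0-rc6-syzkaller-00278-g172a9d94339c #0 PREEMPT(undef)
=====================================================
"""

@dataclass
class Frame:
    func: str
    file: Optional[str]   # None for frames without a source location
    line: Optional[int]
    inline: bool          # the symbolizer marked the frame [inline]

@dataclass
class Report:
    tool: str = ""        # KMSAN, KASAN, ...
    kind: str = ""        # uninit-value, slab-use-after-free, ...
    stack: list = field(default_factory=list)    # where the bad access happened
    origin_var: Optional[str] = None             # KMSAN: variable the uninit bytes came from
    origin: list = field(default_factory=list)   # where that variable was created
    pid: Optional[int] = None
    comm: Optional[str] = None
    version: Optional[str] = None

# Assumed line shapes, taken from the report above (a multi-flag "Tainted:" field is not handled).
BUG_RE = re.compile(r"^BUG: (?P<tool>K\w+): (?P<kind>.+?) in (?P<func>[A-Za-z_][\w.$]*)")
ORIGIN_RE = re.compile(r"^(?:Local variable (?P<var>\S+) created at:|Uninit was \w+(?: to memory)? at:)$")
CPU_RE = re.compile(r"^CPU: \d+ .*?PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?:Not tainted|Tainted: \S+) (?P<version>\S+)")
FRAME_RE = re.compile(r"^\s+(?P<func>[A-Za-z_][\w.$]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(?P<file>[^\s:]+):(?P<line>\d+))?(?P<inline>\s+\[inline\])?\s*$")
SYSCALL_RE = re.compile(r"^__(?:x64|ia32|arm64|se|do)_sys_(\w+)$")

def parse_report(text: str) -> Report:
    rep, target = Report(), None   # target: the frame list the following frames belong to
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            rep.tool, rep.kind, target = m["tool"], m["kind"], rep.stack
        elif m := ORIGIN_RE.match(line):
            rep.origin_var, target = m["var"], rep.origin
        elif m := CPU_RE.match(line):
            rep.pid, rep.comm, rep.version = int(m["pid"]), m["comm"], m["version"]
            target = None
        elif target is not None and (m := FRAME_RE.match(line)):
            target.append(Frame(m["func"], m["file"],
                                int(m["line"]) if m["line"] else None, m["inline"] is not None))
        elif not line.strip():
            target = None              # a blank line closes the current stack
    return rep

def syzbot_title(rep: Report) -> str:
    """Approximates syzbot's dedup title: tool, bug kind, top frame without offsets."""
    return f"{rep.tool}: {rep.kind} in {rep.stack[0].func}"

def entry_syscall(rep: Report) -> Optional[str]:
    """The syscall that reached the bug, from the first __do/__se/__x64_sys_* frame."""
    for fr in rep.stack:
        if m := SYSCALL_RE.match(fr.func):
            return m.group(1)
    return None

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(syzbot_title(r), "via", entry_syscall(r), "| origin:", r.origin_var, "at",
          f"{r.origin[0].file}:{r.origin[0].line}", "| task", r.comm, "on", r.version)
```

Run stand-alone it prints the title syzbot used for this bug, the entry syscall (connect), and the origin of the uninitialized bytes (tmp.i.i at net/xfrm/xfrm_policy.c:2491), which is exactly the pair of locations the fix commit title refers to: the value is created in xfrm_tmpl_resolve_one and consumed in xfrm_state_find. Reports from the KASAN crashes listed further down have the same BUG: line shape and the same frame shape, so the title and syscall extraction apply to them too; the origin section is KMSAN-specific.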

Crashes (1969):
Time | Kernel | Commit | Syzkaller | Manager | Title
2025/05/17 19:07 | upstream | 172a9d94339c | f41472b0 | ci-upstream-kmsan-gce-root | KMSAN: uninit-value in xfrm_state_find
2025/07/22 04:00 | upstream | 89be9a83ccf1 | 0b3788a0 | ci-upstream-kmsan-gce-386-root | KMSAN: uninit-value in xfrm_state_find
2025/07/18 13:33 | upstream | 6832a9317eee | f550e092 | ci-upstream-kmsan-gce-386-root | KMSAN: uninit-value in xfrm_state_find
2025/08/29 00:10 | upstream | 07d9df80082b | 3e1beec6 | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/29 00:03 | upstream | 07d9df80082b | 3e1beec6 | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 21:25 | upstream | 07d9df80082b | 443c11c7 | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 10:28 | upstream | 07d9df80082b | 443c11c7 | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 08:16 | upstream | 07d9df80082b | e12e5ba4 | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 06:35 | upstream | 39f90c196721 | e12e5ba4 | ci-upstream-kasan-gce | general protection fault in xfrm_state_find
2025/08/28 05:06 | upstream | 39f90c196721 | e12e5ba4 | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 17:44 | upstream | fab1beda7597 | e12e5ba4 | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 16:38 | upstream | fab1beda7597 | e12e5ba4 | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 08:11 | upstream | fab1beda7597 | e12e5ba4 | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 06:50 | upstream | fab1beda7597 | e12e5ba4 | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 02:12 | upstream | fab1beda7597 | e12e5ba4 | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 23:01 | upstream | fab1beda7597 | e12e5ba4 | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 05:42 | upstream | fab1beda7597 | bf27483f | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 02:34 | upstream | b6add54ba618 | bf27483f | ci-upstream-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/25 17:17 | upstream | b6add54ba618 | bf27483f | ci-upstream-kasan-gce-root | KASAN: slab-out-of-bounds Read in xfrm_state_find
2025/08/05 15:46 | upstream | 7e161a991ea7 | 904e669c | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/25 02:15 | upstream | c330cb607721 | bf27483f | ci-upstream-kasan-gce-386 | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/23 23:30 | upstream | 8d245acc1e88 | bf27483f | ci-qemu-upstream | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 12:31 | upstream | fab1beda7597 | e12e5ba4 | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/24 01:13 | upstream | 8d245acc1e88 | bf27483f | ci-qemu2-arm32 | BUG: unable to handle kernel NULL pointer dereference in xfrm_state_find
2025/08/06 09:34 | upstream | 6bcdbd62bd56 | ffe1dd46 | ci-qemu2-arm64-mte | KASAN: invalid-access Read in xfrm_state_find
2025/08/28 18:39 | net | bd2902e0bcac | 443c11c7 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 15:44 | net | bd2902e0bcac | 443c11c7 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 00:59 | net | ceb951552404 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 22:40 | net | ceb951552404 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 20:32 | net | ceb951552404 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 19:07 | net | ceb951552404 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 17:40 | net | ceb951552404 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 13:42 | net | 9448ccd85336 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 09:14 | net | 9448ccd85336 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 06:50 | bpf | 27861fc720be | e12e5ba4 | ci-upstream-bpf-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 04:39 | net | 9448ccd85336 | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 21:41 | net | 007a5ffadc4f | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 18:53 | net | 007a5ffadc4f | e12e5ba4 | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 16:50 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 15:22 | bpf | 27861fc720be | bf27483f | ci-upstream-bpf-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 14:09 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 12:33 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 11:04 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 09:15 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 07:41 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 04:54 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 03:39 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 01:34 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 01:19 | net | 007a5ffadc4f | bf27483f | ci-upstream-net-this-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 22:44 | net-next | d4854be4ec21 | 443c11c7 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 20:11 | net-next | d4854be4ec21 | 443c11c7 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 12:04 | net-next | d4854be4ec21 | 443c11c7 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/28 03:09 | net-next | 705609dedea1 | e12e5ba4 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 23:52 | net-next | 242041164339 | e12e5ba4 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 14:50 | net-next | 242041164339 | e12e5ba4 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 05:44 | net-next | 3c14917953a5 | e12e5ba4 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 03:28 | net-next | 3c14917953a5 | e12e5ba4 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 00:20 | net-next | 3c14917953a5 | e12e5ba4 | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/26 13:39 | net-next | 07ca488d688c | bf27483f | ci-upstream-net-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/22 11:27 | bpf-next | 21aeabb68258 | bf27483f | ci-upstream-bpf-next-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/16 02:28 | net-next | 7de0eebbb4c3 | 1804e95e | ci-upstream-net-kasan-gce | KFENCE: use-after-free read in xfrm_state_find
2025/08/10 05:27 | net-next | 37816488247d | 32a0e5ed | ci-upstream-net-kasan-gce | KASAN: global-out-of-bounds Read in xfrm_state_find
2025/08/28 17:29 | linux-next | 7fa4d8dc380f | 443c11c7 | ci-upstream-rust-kasan-gce | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/27 10:47 | linux-next | 7fa4d8dc380f | e12e5ba4 | ci-upstream-rust-kasan-gce | KASAN: use-after-free Read in xfrm_state_find
2025/08/17 17:27 | linux-next | 931e46dcbc7e | 1804e95e | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/15 18:11 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 8f5ae30d69d7 | 1804e95e | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/29 01:29 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next | 8f5ae30d69d7 | d401b9d7 | ci-qemu2-riscv64 | KASAN: slab-use-after-free Read in xfrm_state_find
2025/08/21 20:38 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next | 8f5ae30d69d7 | 3e79b825 | ci-qemu2-riscv64 | KASAN: slab-use-after-free Read in xfrm_state_find