syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1341]
Subsystems
🐞 Fixed [7059]
🐞 Invalid [18498]
Missing Backports [222]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

KMSAN: uninit-value in copy_from_kernel_nofault

Status: upstream: reported on 2026/03/16 10:22
Subsystems: mm
[Documentation on labels]
Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com
First crash: 34d, last: 1d14h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault 3 (4) 2026/03/16 14:36
Similar bugs (9)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: out-of-bounds Read in copy_from_kernel_nofault mm 17 C done 1628 385d 561d 28/29 fixed on 2025/05/06 15:33
upstream KASAN: out-of-bounds Write in copy_from_kernel_nofault mm 21 1 601d 601d 0/29 closed as invalid on 2024/09/13 11:13
linux-5.15 Internal error in copy_from_kernel_nofault origin:lts-only 2 C error 33 34d 249d 0/3 upstream: reported C repro on 2025/08/09 00:00
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2) mm 8 C 2 733d 743d 25/29 fixed on 2024/05/22 23:36
upstream BUG: unable to handle kernel paging request in copy_from_kernel_nofault mm 8 C done 5 778d 877d 25/29 fixed on 2024/03/29 01:33
linux-5.15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream 8 C done 2 778d 881d 3/3 fixed on 2024/03/28 13:37
linux-6.1 KASAN: stack-out-of-bounds Write in copy_from_kernel_nofault origin:lts-only 21 C unreliable 3 778d 1108d 0/3 upstream: reported C repro on 2023/04/02 16:05
android-5-15 BUG: unable to handle kernel paging request in copy_from_kernel_nofault missing-backport 8 C done 231 611d 881d 0/2 auto-obsoleted due to no activity on 2024/10/20 13:25
android-6-1 BUG: unable to handle kernel paging request in copy_from_kernel_nofault origin:upstream missing-backport 8 C done inconclusive 127 665d 881d 0/2 auto-obsoleted due to no activity on 2024/08/28 01:00

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 prepend_copy fs/d_path.c:50 [inline]
 prepend fs/d_path.c:76 [inline]
 prepend_name fs/d_path.c:101 [inline]
 __prepend_path fs/d_path.c:133 [inline]
 prepend_path+0x64e/0x1090 fs/d_path.c:172
 d_absolute_path+0x11b/0x240 fs/d_path.c:234
 tomoyo_get_absolute_path security/tomoyo/realpath.c:101 [inline]
 tomoyo_realpath_from_path+0x4bd/0x9f0 security/tomoyo/realpath.c:271
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x249/0x9a0 security/tomoyo/file.c:827
 tomoyo_path_truncate security/tomoyo/tomoyo.c:135 [inline]
 tomoyo_file_truncate+0x39/0x50 security/tomoyo/tomoyo.c:147
 security_file_truncate+0x116/0x4d0 security/security.c:2669
 handle_truncate fs/namei.c:4305 [inline]
 do_open fs/namei.c:4703 [inline]
 path_openat+0x5a46/0x64c0 fs/namei.c:4858
 do_file_open+0x2aa/0x680 fs/namei.c:4887
 do_sys_openat2+0x163/0x380 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x240/0x300 fs/open.c:1383
 x64_sys_call+0x2445/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:258
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

<Zero or more stacks not recorded to save memory>

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6069
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6172
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6069
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6172
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6069
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6172
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6069
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6172
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6069
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6172
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6069
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6172
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6069
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6172
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4545 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4885
 __d_alloc+0x55/0xa00 fs/dcache.c:1740
 d_alloc+0x57/0x300 fs/dcache.c:1819
 lookup_one_qstr_excl+0x19d/0x7b0 fs/namei.c:1801
 __start_renaming+0x38e/0x870 fs/namei.c:3890
 filename_renameat2+0x735/0x1260 fs/namei.c:6147
 __do_sys_rename fs/namei.c:6216 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6212
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6212
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 5-7 of 8 are uninitialized
Memory access of size 8 starts at ffff8880548640f8

CPU: 1 UID: 0 PID: 5944 Comm: udevd Tainted: G        W           syzkaller #0 PREEMPT(full) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
=====================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/04/13 22:39 upstream 0f0013213293 1a086e7c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/04/10 10:40 upstream 9a9c8ce300cd 38c8e246 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/03/28 22:39 upstream be762d8b6dd7 356bdfc9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
2026/03/12 10:17 upstream 80234b5ab240 4efadf07 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in copy_from_kernel_nofault
* Struck through repros no longer work on HEAD.