public inbox for linux-mm@kvack.org
* [syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault
@ 2026-03-16 10:22 syzbot
  2026-03-16 11:58 ` Christian Brauner
  0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2026-03-16 10:22 UTC (permalink / raw)
  To: Liam.Howlett, akpm, david, linux-kernel, linux-mm, ljs, mhocko,
	rppt, surenb, syzkaller-bugs, vbabka

Hello,

syzbot found the following issue on:

HEAD commit:    80234b5ab240 Merge tag 'rproc-v7.0-fixes' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1474cd52580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=242f02fcd3fbc8f3
dashboard link: https://syzkaller.appspot.com/bug?extid=c18de0ad13d62f18469d
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a0d037332dff/disk-80234b5a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0a1f7f8b54f8/vmlinux-80234b5a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/83eb68ee6421/bzImage-80234b5a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
 prepend_copy fs/d_path.c:50 [inline]
 prepend fs/d_path.c:76 [inline]
 prepend_name fs/d_path.c:101 [inline]
 __prepend_path fs/d_path.c:133 [inline]
 prepend_path+0x64e/0x1090 fs/d_path.c:172
 d_absolute_path+0x11b/0x240 fs/d_path.c:234
 tomoyo_get_absolute_path security/tomoyo/realpath.c:101 [inline]
 tomoyo_realpath_from_path+0x4bd/0x9f0 security/tomoyo/realpath.c:271
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x249/0x9a0 security/tomoyo/file.c:827
 tomoyo_inode_getattr+0x35/0x40 security/tomoyo/tomoyo.c:123
 security_inode_getattr+0x16e/0x590 security/security.c:1869
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat fs/stat.c:281 [inline]
 __do_sys_newfstat fs/stat.c:551 [inline]
 __se_sys_newfstat+0xd5/0xa60 fs/stat.c:546
 __x64_sys_newfstat+0x78/0xb0 fs/stat.c:546
 x64_sys_call+0x2f28/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:6
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

<Zero or more stacks not recorded to save memory>

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 copy_name fs/dcache.c:2861 [inline]
 __d_move+0xf72/0x2aa0 fs/dcache.c:2930
 d_move+0x71/0xf0 fs/dcache.c:2977
 vfs_rename+0x2510/0x2650 fs/namei.c:6041
 filename_renameat2+0xb7f/0x1260 fs/namei.c:6144
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4549 [inline]
 slab_alloc_node mm/slub.c:4869 [inline]
 kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4888
 __d_alloc+0x55/0xa00 fs/dcache.c:1740
 d_alloc+0x57/0x300 fs/dcache.c:1819
 lookup_one_qstr_excl+0x1a1/0x7b0 fs/namei.c:1801
 __start_renaming+0x38e/0x870 fs/namei.c:3862
 filename_renameat2+0x735/0x1260 fs/namei.c:6119
 __do_sys_rename fs/namei.c:6188 [inline]
 __se_sys_rename+0xc5/0x5d0 fs/namei.c:6184
 __x64_sys_rename+0x78/0xb0 fs/namei.c:6184
 x64_sys_call+0x329/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 5-7 of 8 are uninitialized
Memory access of size 8 starts at ffff888014109578

CPU: 0 UID: 0 PID: 5966 Comm: udevd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault
  2026-03-16 10:22 [syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault syzbot
@ 2026-03-16 11:58 ` Christian Brauner
  2026-03-16 12:44   ` vbabka
  0 siblings, 1 reply; 4+ messages in thread
From: Christian Brauner @ 2026-03-16 11:58 UTC (permalink / raw)
  To: syzbot
  Cc: Liam.Howlett, akpm, david, linux-kernel, linux-mm, ljs, mhocko,
	rppt, surenb, syzkaller-bugs, vbabka

On Mon, Mar 16, 2026 at 03:22:46AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    80234b5ab240 Merge tag 'rproc-v7.0-fixes' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1474cd52580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=242f02fcd3fbc8f3
> dashboard link: https://syzkaller.appspot.com/bug?extid=c18de0ad13d62f18469d
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> userspace arch: i386
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a0d037332dff/disk-80234b5a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/0a1f7f8b54f8/vmlinux-80234b5a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/83eb68ee6421/bzImage-80234b5a.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com
> 
> =====================================================
> BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
>  copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
>  prepend_copy fs/d_path.c:50 [inline]
>  prepend fs/d_path.c:76 [inline]
>  prepend_name fs/d_path.c:101 [inline]
>  __prepend_path fs/d_path.c:133 [inline]
>  prepend_path+0x64e/0x1090 fs/d_path.c:172

I think this might just be KMSAN not being able to deal with seqlocks
appropriately? 

dentry->d_shortname.string[DNAME_INLINE_LEN-1] = 0;

is initialized with a zero byte at the end instead of:

memset(&dentry->d_shortname, 0, sizeof(dentry->d_shortname));

which would prevent that warning. But that's zeroing 40 bytes vs one and
the dcache is fast-fast-fast.

prepend_path() detects the initialization race via rename_lock seqlock
and retries d_absolute_path(). So this is entirely harmless and works
correctly.


^ permalink raw reply	[flat|nested] 4+ messages in thread
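The rename_lock retry Christian describes, reduced to a user-space model as an added example (this is not code from the thread, from the kernel, or from the patch later in the thread): a minimal seqcount, a writer shaped like __d_alloc() and __d_move(), and a reader shaped like prepend_path(). seq_t, dent, fake_d_alloc(), fake_d_move(), snapshot_name() and the 0xAA stand-in for uninitialized slab memory are this example's own assumptions.

```c
#include <stdatomic.h>
#include <string.h>
#define DNAME_INLINE_LEN 40   /* inline name size, as in the thread's diff */
typedef struct { atomic_uint seq; } seq_t;  /* minimal seqcount: odd = writing */
static seq_t rename_lock;
static struct { char name[DNAME_INLINE_LEN]; } dent;  /* stand-in dentry */

static unsigned read_seqbegin(seq_t *s) {
    unsigned v;
    while ((v = atomic_load_explicit(&s->seq, memory_order_acquire)) & 1)
        ;                                    /* writer in progress: wait */
    return v;
}
static int read_seqretry(seq_t *s, unsigned start) {
    atomic_thread_fence(memory_order_acquire);
    return atomic_load_explicit(&s->seq, memory_order_relaxed) != start;
}
static void write_seqbegin(seq_t *s) { atomic_fetch_add(&s->seq, 1); }
static void write_seqend(seq_t *s)   { atomic_fetch_add(&s->seq, 1); }

/* __d_alloc() shape: only the last byte is written; 0xAA stands in for
 * whatever the slab left behind (truly uninitialized in the kernel). */
static void fake_d_alloc(void) {
    memset(dent.name, 0xAA, DNAME_INLINE_LEN);
    dent.name[DNAME_INLINE_LEN - 1] = 0;
}
/* __d_move()/copy_name() shape: publish the new name under the seqcount. */
static void fake_d_move(const char *name) {
    write_seqbegin(&rename_lock);
    memcpy(dent.name, name, strlen(name) + 1);
    write_seqend(&rename_lock);
}
static void race_rename(void) { fake_d_move("renamed.txt"); }

/* prepend_path() shape: copy, then discard the copy if a writer ran in
 * between.  `race` injects that writer once, after the first copy, so the
 * run is deterministic; `first_byte` records what the discarded copy held. */
static int snapshot_name(char out[DNAME_INLINE_LEN], void (*race)(void),
                         unsigned char *first_byte) {
    int passes = 0; unsigned seq;
    do {
        seq = read_seqbegin(&rename_lock);
        memcpy(out, dent.name, DNAME_INLINE_LEN);   /* may copy garbage */
        if (++passes == 1 && first_byte) *first_byte = (unsigned char)out[0];
        if (race) { race(); race = NULL; }
    } while (read_seqretry(&rename_lock, seq));
    return passes;                     /* a discarded copy is never used */
}
/* The thread's scenario: alloc, reader copies the still-unwritten name,
 * rename lands under the seqcount, reader detects it and retries. */
static char demo_final[DNAME_INLINE_LEN];
static unsigned char demo_garbage_byte;
static int demo_race(void) {
    fake_d_alloc();
    return snapshot_name(demo_final, race_rename, &demo_garbage_byte);
}
```

The reader's first copy does pick up the unwritten bytes, which is exactly what KMSAN flags, but the seqcount mismatch discards that copy before anything consumes it.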

* Re: [syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault
  2026-03-16 11:58 ` Christian Brauner
@ 2026-03-16 12:44   ` vbabka
  2026-03-16 14:36     ` Alexander Potapenko
  0 siblings, 1 reply; 4+ messages in thread
From: vbabka @ 2026-03-16 12:44 UTC (permalink / raw)
  To: Christian Brauner, syzbot, Alexander Potapenko, Marco Elver,
	Dmitry Vyukov
  Cc: Liam.Howlett, akpm, david, linux-kernel, linux-mm, ljs, mhocko,
	rppt, surenb, syzkaller-bugs, kasan-dev

On 3/16/26 12:58, Christian Brauner wrote:
> On Mon, Mar 16, 2026 at 03:22:46AM -0700, syzbot wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    80234b5ab240 Merge tag 'rproc-v7.0-fixes' of git://git.ker..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1474cd52580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=242f02fcd3fbc8f3
>> dashboard link: https://syzkaller.appspot.com/bug?extid=c18de0ad13d62f18469d
>> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
>> userspace arch: i386
>> 
>> Unfortunately, I don't have any reproducer for this issue yet.
>> 
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/a0d037332dff/disk-80234b5a.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/0a1f7f8b54f8/vmlinux-80234b5a.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/83eb68ee6421/bzImage-80234b5a.xz
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com
>> 
>> =====================================================
>> BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
>>  copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
>>  prepend_copy fs/d_path.c:50 [inline]
>>  prepend fs/d_path.c:76 [inline]
>>  prepend_name fs/d_path.c:101 [inline]
>>  __prepend_path fs/d_path.c:133 [inline]
>>  prepend_path+0x64e/0x1090 fs/d_path.c:172
> 
> I think this might just be KMSAN not being able to deal with seqlocks
> appropriately? 

Let's cc KMSAN folks then. Maybe there's a way to teach it that/add
exceptions/ignores.

> dentry->d_shortname.string[DNAME_INLINE_LEN-1] = 0;
> 
> is initialized with a zero byte at the end instead of:
> 
> memset(&dentry->d_shortname, 0, sizeof(dentry->d_shortname));
> 
> which would prevent that warning. But that's zeroing 40 bytes vs one and
> the dache is fast-fast-fast.
> 
> prepend_path() detects the initialization race via rename_lock seqlock
> and retries d_absolute_path(). So this is entirely harmless and works
> correct.



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [syzbot] [mm?] KMSAN: uninit-value in copy_from_kernel_nofault
  2026-03-16 12:44   ` vbabka
@ 2026-03-16 14:36     ` Alexander Potapenko
  0 siblings, 0 replies; 4+ messages in thread
From: Alexander Potapenko @ 2026-03-16 14:36 UTC (permalink / raw)
  To: vbabka
  Cc: Christian Brauner, syzbot, Marco Elver, Dmitry Vyukov,
	Liam.Howlett, akpm, david, linux-kernel, linux-mm, ljs, mhocko,
	rppt, surenb, syzkaller-bugs, kasan-dev, Sabyrzhan Tasbolatov,
	Andrey Konovalov

On Mon, Mar 16, 2026 at 1:44 PM <vbabka@kernel.org> wrote:
>
> On 3/16/26 12:58, Christian Brauner wrote:
> > On Mon, Mar 16, 2026 at 03:22:46AM -0700, syzbot wrote:
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit:    80234b5ab240 Merge tag 'rproc-v7.0-fixes' of git://git.ker..
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=1474cd52580000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=242f02fcd3fbc8f3
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=c18de0ad13d62f18469d
> >> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> >> userspace arch: i386
> >>
> >> Unfortunately, I don't have any reproducer for this issue yet.
> >>
> >> Downloadable assets:
> >> disk image: https://storage.googleapis.com/syzbot-assets/a0d037332dff/disk-80234b5a.raw.xz
> >> vmlinux: https://storage.googleapis.com/syzbot-assets/0a1f7f8b54f8/vmlinux-80234b5a.xz
> >> kernel image: https://storage.googleapis.com/syzbot-assets/83eb68ee6421/bzImage-80234b5a.xz
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+c18de0ad13d62f18469d@syzkaller.appspotmail.com
> >>
> >> =====================================================
> >> BUG: KMSAN: uninit-value in copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
> >>  copy_from_kernel_nofault+0x15f/0x570 mm/maccess.c:41
> >>  prepend_copy fs/d_path.c:50 [inline]
> >>  prepend fs/d_path.c:76 [inline]
> >>  prepend_name fs/d_path.c:101 [inline]
> >>  __prepend_path fs/d_path.c:133 [inline]
> >>  prepend_path+0x64e/0x1090 fs/d_path.c:172
> >
> > I think this might just be KMSAN not being able to deal with seqlocks
> > appropriately?

I think KMSAN correctly points out that the data is uninitialized at
the point when copy_from_kernel_nofault executes.
KMSAN actually knows nothing about seqlocks or any other
synchronization primitives, it just tracks the state of every
uninitialized bit in the kernel, and reports an error if the data is
uninitialized when a check is requested.
It's a good question whether we need the aggressive KMSAN check in
copy_from_kernel() (are there cases in which this function copies data
out of the kernel?)
If we do, the following patch should fix the report in question:

diff --git a/fs/dcache.c b/fs/dcache.c
index 9ceab142896f..923e32e6a2d4 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -32,6 +32,7 @@
 #include <linux/bit_spinlock.h>
 #include <linux/rculist_bl.h>
 #include <linux/list_lru.h>
+#include <linux/kmsan-checks.h>
 #include "internal.h"
 #include "mount.h"
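Review bot: the new <linux/kmsan-checks.h> include sits correctly with the other linux/ headers ahead of the local "internal.h" and "mount.h" includes, and because that header provides empty inline stubs when CONFIG_KMSAN is off, the call it enables in the next hunk needs no #ifdef; the only thing to settle before merging is the question raised in the message itself, since if the aggressive check in copy_from_kernel_nofault() is relaxed instead, fs/dcache.c would not need this dependency at all.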

@@ -1749,6 +1750,7 @@ static struct dentry *__d_alloc(struct
super_block *sb, const struct qstr *name)
         * be overwriting an internal NUL character
         */
        dentry->d_shortname.string[DNAME_INLINE_LEN-1] = 0;
+       kmsan_unpoison_memory(&dentry->d_shortname,
sizeof(dentry->d_shortname));
        if (unlikely(!name)) {
                name = &slash_name;
                dname = dentry->d_shortname.string;
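Review bot: kmsan_unpoison_memory() here marks all sizeof(dentry->d_shortname) bytes as initialized although the line above has only written the final byte, so it suppresses not just the benign seqlock-protected read from prepend_copy() but any genuine uninitialized read of d_shortname between allocation and copy_name(); a one-line comment next to the call stating that readers of the short name run under rename_lock and retry on a seqcount change would record why that trade-off is acceptable. Also note that the mailer has wrapped both the "@@ -1749,6 +1750,7 @@" header and the added kmsan_unpoison_memory() call across two lines, so the patch needs those lines rejoined before it applies.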


^ permalink raw reply related	[flat|nested] 4+ messages in thread
