[moderation] [fs?] KMSAN: uninit-value in alloc_fd

From: syzbot
Date: May 29, 2026, 6:35:29 PM
To: syzkaller-upst...@googlegroups.com

Hello,

syzbot found the following issue on:

HEAD commit: e7ae89a0c97c Linux 7.1-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=171636d2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=91978e795dcd971b
dashboard link: https://syzkaller.appspot.com/bug?extid=69acc0e826171a4222c9
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: i386
CC: [bra...@kernel.org ja...@suse.cz linux-...@vger.kernel.org linux-...@vger.kernel.org vi...@zeniv.linux.org.uk]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0e525f9ececc/disk-e7ae89a0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/168c4560249e/vmlinux-e7ae89a0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7230eb3a0df8/bzImage-e7ae89a0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+69acc0...@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in alloc_fd+0x31b/0xc60 fs/file.c:584
alloc_fd+0x31b/0xc60 fs/file.c:584
__get_unused_fd_flags fs/file.c:617 [inline]
get_unused_fd_flags+0x6f/0xa0 fs/file.c:622
do_sys_openat2+0xf2/0x370 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_compat_sys_openat fs/open.c:1432 [inline]
__se_compat_sys_openat fs/open.c:1430 [inline]
__ia32_compat_sys_openat+0x238/0x300 fs/open.c:1430
ia32_sys_call+0x330b/0x4360 arch/x86/include/generated/asm/syscalls_32.h:296
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x180/0x460 arch/x86/entry/syscall_32.c:307
do_fast_syscall_32+0x37/0x80 arch/x86/entry/syscall_32.c:332
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:370
entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Uninit was created at:
slab_post_alloc_hook mm/slub.c:4577 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
kmem_cache_alloc_noprof+0x373/0x1250 mm/slub.c:4906
dup_fd+0x66/0x1160 fs/file.c:390
copy_files+0x10c/0x250 kernel/fork.c:1639
copy_process+0x3018/0x6ad0 kernel/fork.c:2252
kernel_clone+0x4d4/0x1190 kernel/fork.c:2721
__do_compat_sys_ia32_clone arch/x86/kernel/sys_ia32.c:255 [inline]
__se_compat_sys_ia32_clone arch/x86/kernel/sys_ia32.c:241 [inline]
__ia32_compat_sys_ia32_clone+0x251/0x360 arch/x86/kernel/sys_ia32.c:241
ia32_sys_call+0x1c6d/0x4360 arch/x86/include/generated/asm/syscalls_32.h:121
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0x180/0x460 arch/x86/entry/syscall_32.c:307
do_fast_syscall_32+0x37/0x80 arch/x86/entry/syscall_32.c:332
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:370
entry_SYSENTER_compat_after_hwframe+0x84/0x8e

CPU: 1 UID: 0 PID: 6128 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup