syzbot


KMSAN: kernel-infoleak-after-free in do_arpt_get_ctl

Status: closed as invalid on 2026/01/07 12:42
Subsystems: netfilter
First crash: 93d, last: 93d

Sample crash report:
=====================================================
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _inline_copy_to_user include/linux/uaccess.h:196 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_user+0xcc/0x120 lib/usercopy.c:26
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _inline_copy_to_user include/linux/uaccess.h:196 [inline]
 _copy_to_user+0xcc/0x120 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:225 [inline]
 get_info net/ipv4/netfilter/arp_tables.c:831 [inline]
 do_arpt_get_ctl+0x16bc/0x1cf0 net/ipv4/netfilter/arp_tables.c:1452
 nf_getsockopt+0x497/0x4f0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt+0x29d/0x3e0 net/ipv4/ip_sockglue.c:1777
 tcp_getsockopt+0x174/0x1a0 net/ipv4/tcp.c:4810
 sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3885
 do_sock_getsockopt+0x4e7/0x580 net/socket.c:2421
 __sys_getsockopt net/socket.c:2450 [inline]
 __do_sys_getsockopt net/socket.c:2457 [inline]
 __se_sys_getsockopt net/socket.c:2454 [inline]
 __x64_sys_getsockopt+0x32e/0x520 net/socket.c:2454
 x64_sys_call+0x36e0/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:56
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 get_info net/ipv4/netfilter/arp_tables.c:823 [inline]
 do_arpt_get_ctl+0x143b/0x1cf0 net/ipv4/netfilter/arp_tables.c:1452
 nf_getsockopt+0x497/0x4f0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt+0x29d/0x3e0 net/ipv4/ip_sockglue.c:1777
 tcp_getsockopt+0x174/0x1a0 net/ipv4/tcp.c:4810
 sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3885
 do_sock_getsockopt+0x4e7/0x580 net/socket.c:2421
 __sys_getsockopt net/socket.c:2450 [inline]
 __do_sys_getsockopt net/socket.c:2457 [inline]
 __se_sys_getsockopt net/socket.c:2454 [inline]
 __x64_sys_getsockopt+0x32e/0x520 net/socket.c:2454
 x64_sys_call+0x36e0/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:56
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 ext4_xattr_set_entry+0x130c/0x3440 fs/ext4/xattr.c:1735
 ext4_xattr_block_set+0xc82/0x5010 fs/ext4/xattr.c:2025
 ext4_xattr_set_handle+0x22d7/0x2c00 fs/ext4/xattr.c:2452
 ext4_xattr_set+0x2ff/0x5b0 fs/ext4/xattr.c:2554
 ext4_xattr_trusted_set+0x51/0x70 fs/ext4/xattr_trusted.c:38
 __vfs_setxattr+0x742/0x850 fs/xattr.c:200
 __vfs_setxattr_noperm+0x224/0xad0 fs/xattr.c:234
 __vfs_setxattr_locked+0x448/0x490 fs/xattr.c:295
 vfs_setxattr+0x27f/0x640 fs/xattr.c:321
 do_setxattr fs/xattr.c:636 [inline]
 filename_setxattr+0x3a4/0xcc0 fs/xattr.c:665
 path_setxattrat+0x734/0x820 fs/xattr.c:713
 __do_sys_lsetxattr fs/xattr.c:754 [inline]
 __se_sys_lsetxattr fs/xattr.c:750 [inline]
 __x64_sys_lsetxattr+0x103/0x1c0 fs/xattr.c:750
 x64_sys_call+0x30f0/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:190
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_free_hook mm/slub.c:2465 [inline]
 slab_free mm/slub.c:6630 [inline]
 kfree+0x254/0x1460 mm/slub.c:6837
 sk_prot_free net/core/sock.c:2278 [inline]
 __sk_destruct+0x83b/0xae0 net/core/sock.c:2373
 sk_destruct net/core/sock.c:2401 [inline]
 __sk_free+0x519/0x590 net/core/sock.c:2412
 sk_free+0x71/0xc0 net/core/sock.c:2423
 sock_put include/net/sock.h:1972 [inline]
 pfkey_release+0x3d9/0x610 net/key/af_key.c:186
 __sock_release net/socket.c:662 [inline]
 sock_close+0xd6/0x2e0 net/socket.c:1455
 __fput+0x60b/0x1040 fs/file_table.c:468
 ____fput+0x25/0x30 fs/file_table.c:496
 task_work_run+0x209/0x2b0 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0x2d1/0x370 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x1e3/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 36-47 of 68 are uninitialized
Memory access of size 68 starts at ffff88804c107a80
Data copied to user address 00007ffe9f528fd0

CPU: 1 UID: 0 PID: 6181 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
=====================================================
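The line "Bytes 36-47 of 68 are uninitialized" only becomes useful once it is mapped onto the object that get_info() (arp_tables.c:831 in the first stack) copies to user space, which for ARPT_SO_GET_INFO is struct arpt_getinfo. The following triage program is an added example written for this page, not syzbot or kernel code. It reproduces the struct layout from include/uapi/linux/netfilter_arp/arp_tables.h (XT_TABLE_MAXNAMELEN = 32, NF_ARP_NUMHOOKS = 3) so it builds on a host without kernel headers; the field table and the helpers fields_in_range and range_is_whole_field are this example's own. The struct is 68 bytes, matching the report, and bytes 36-47 are exactly the hook_entry[] array.

```c
/* Added triage example (not kernel or syzbot code): map a KMSAN
 * "Bytes lo-hi of N are uninitialized" range onto the fields of
 * struct arpt_getinfo, the object get_info() copies to user space
 * for ARPT_SO_GET_INFO.
 *
 * The struct layout is reproduced from the kernel UAPI header
 * include/uapi/linux/netfilter_arp/arp_tables.h so this builds without
 * kernel headers (assumption: that layout is unchanged). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XT_TABLE_MAXNAMELEN 32
#define NF_ARP_NUMHOOKS     3

struct arpt_getinfo {
	char         name[XT_TABLE_MAXNAMELEN];   /* bytes  0-31 */
	unsigned int valid_hooks;                 /* bytes 32-35 */
	unsigned int hook_entry[NF_ARP_NUMHOOKS]; /* bytes 36-47 */
	unsigned int underflow[NF_ARP_NUMHOOKS];  /* bytes 48-59 */
	unsigned int num_entries;                 /* bytes 60-63 */
	unsigned int size;                        /* bytes 64-67 */
};

struct field {
	const char *name;
	size_t off, len;
};

#define FIELD(f) { #f, offsetof(struct arpt_getinfo, f), \
		   sizeof(((struct arpt_getinfo *)0)->f) }

static const struct field fields[] = {
	FIELD(name), FIELD(valid_hooks), FIELD(hook_entry),
	FIELD(underflow), FIELD(num_entries), FIELD(size),
};

/* Return a comma-separated list of the fields whose bytes overlap the
 * closed range [lo, hi], in declaration order, and the number of such
 * fields in *count if count is non-NULL. Returns "" when nothing
 * overlaps. The result lives in a static buffer (example code only). */
static const char *fields_in_range(size_t lo, size_t hi, int *count)
{
	static char out[128];
	int n = 0;

	out[0] = '\0';
	for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
		size_t f_lo = fields[i].off;
		size_t f_hi = fields[i].off + fields[i].len - 1;

		if (hi < f_lo || lo > f_hi)
			continue;
		if (n)
			strncat(out, ",", sizeof out - strlen(out) - 1);
		strncat(out, fields[i].name, sizeof out - strlen(out) - 1);
		n++;
	}
	if (count)
		*count = n;
	return out;
}

/* 1 if [lo, hi] is exactly one whole field (a complete array or scalar
 * left uninitialized), 0 otherwise. */
static int range_is_whole_field(size_t lo, size_t hi)
{
	for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
		if (fields[i].off == lo && fields[i].off + fields[i].len - 1 == hi)
			return 1;
	return 0;
}

int main(void)
{
	int n;
	/* Range taken from the report above. */
	const char *names = fields_in_range(36, 47, &n);

	printf("sizeof(struct arpt_getinfo) = %zu (report: 68)\n",
	       sizeof(struct arpt_getinfo));
	printf("bytes 36-47 overlap %d field(s): %s%s\n", n, names,
	       range_is_whole_field(36, 47) ? " (entire field)" : "");
	return 0;
}
```

Substitute the byte range from another report to reuse it. Decoding the range first tells you which field to trace in the "Uninit was stored to memory at" stacks (here the store at arp_tables.c:823) before deciding whether a report is actionable; for this one syzbot's own status is closed as invalid.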

Crashes (1):

Time: 2025/11/02 20:39
Kernel: upstream
Commit: 691d401c7e0e
Syzkaller: 2c50b6a9
Config: .config
Log: console log
Report: report
Syz repro: (none listed)
C repro: (none listed)
VM info: info
Assets: disk image, vmlinux, kernel image
Manager: ci-upstream-kmsan-gce-root
Title: KMSAN: kernel-infoleak-after-free in do_arpt_get_ctl