[PATCH AUTOSEL 6.1 03/18] jfs: Fix uninit-value access of imap allocated in the diMount() function

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zhongqiu Han <quic_zhonhan@quicinc.com>,
	syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com,
	Dave Kleikamp <dave.kleikamp@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	shaggy@kernel.org, aha310510@gmail.com, eadavis@qq.com,
	dmantipov@yandex.ru, jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 6.1 03/18] jfs: Fix uninit-value access of imap allocated in the diMount() function
Date: Thu,  3 Apr 2025 15:08:29 -0400	[thread overview]
Message-ID: <20250403190845.2678025-3-sashal@kernel.org> (raw)
In-Reply-To: <20250403190845.2678025-1-sashal@kernel.org>

From: Zhongqiu Han <quic_zhonhan@quicinc.com>

[ Upstream commit 9629d7d66c621671d9a47afe27ca9336bfc8a9ea ]

syzbot reports that hex_dump_to_buffer is using uninit-value:

=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
evict+0x723/0xd10 fs/inode.c:796
iput_final fs/inode.c:1946 [inline]
iput+0x97b/0xdb0 fs/inode.c:1972
txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
kthread+0x6b9/0xef0 kernel/kthread.c:464
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
slab_post_alloc_hook mm/slub.c:4121 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
kmalloc_noprof include/linux/slab.h:901 [inline]
diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
get_tree_bdev+0x37/0x50 fs/super.c:1659
jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
path_mount+0x742/0x1f10 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x71f/0x800 fs/namespace.c:4088
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
=====================================================

The reason is that imap is not properly initialized after memory
allocation. It will cause the snprintf() function to write uninitialized
data into linebuf within hex_dump_to_buffer().

Fix this by using kzalloc instead of kmalloc to clear its content at the
beginning in diMount().

Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/67b5d07e.050a0220.14d86d.00e6.GAE@google.com/
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/jfs_imap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index c72e97f065798..309b5f6e977d7 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -102,7 +102,7 @@ int diMount(struct inode *ipimap)
 	 * allocate/initialize the in-memory inode map control structure
 	 */
 	/* allocate the in-memory inode map control structure. */
-	imap = kmalloc(sizeof(struct inomap), GFP_KERNEL);
+	imap = kzalloc(sizeof(struct inomap), GFP_KERNEL);
 	if (imap == NULL)
 		return -ENOMEM;
 
-- 
2.39.5

next prev parent reply	other threads:[~2025-04-03 19:08 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-03 19:08 [f2fs-dev] [PATCH AUTOSEL 6.1 01/18] f2fs: don't retry IO for corrupted data scenario Sasha Levin via Linux-f2fs-devel
2025-04-03 19:08 ` Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 02/18] page_pool: avoid infinite loop to schedule delayed worker Sasha Levin
2025-04-03 19:08 ` Sasha Levin [this message]
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 04/18] fs/jfs: cast inactags to s64 to prevent potential overflow Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 05/18] fs/jfs: Prevent integer overflow in AG size calculation Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 06/18] jfs: Prevent copying of nlink with value 0 from disk inode Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 07/18] jfs: add sanity check for agwidth in dbMount Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 08/18] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Sasha Levin
2025-04-03 19:08 ` [f2fs-dev] [PATCH AUTOSEL 6.1 09/18] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Sasha Levin via Linux-f2fs-devel
2025-04-03 19:08   ` Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 10/18] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 11/18] ext4: protect ext4_release_dquot against freezing Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 12/18] ext4: ignore xattrs past end Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 13/18] scsi: st: Fix array overflow in st_setup() Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 14/18] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 15/18] net: vlan: don't propagate flags on open Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 16/18] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 17/18] Bluetooth: hci_uart: fix race during initialization Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 18/18] Bluetooth: qca: simplify WCN399x NVM loading Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c72e97f06579 dfblob:309b5f6e977d )
 OR (
bs:"[PATCH AUTOSEL 6.1 03/18] jfs: Fix uninit-value access of imap allocated in the diMount() function" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250403190845.2678025-3-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=aha310510@gmail.com \
    --cc=dave.kleikamp@oracle.com \
    --cc=dmantipov@yandex.ru \
    --cc=eadavis@qq.com \
    --cc=jfs-discussion@lists.sourceforge.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=quic_zhonhan@quicinc.com \
    --cc=shaggy@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.