* [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get
@ 2026-02-06  3:37 syzbot
  2026-02-06  3:46 ` Qing Wang
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: syzbot @ 2026-02-06  3:37 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, miklos, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    18f7fcd5e69a Linux 6.19-rc8
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bafc5a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9682a42d8ec8b05c
dashboard link: https://syzkaller.appspot.com/bug?extid=7c31755f2cea07838b0c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1329b322580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=178a425a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8e19a1c3a97/disk-18f7fcd5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ffdc9733836e/vmlinux-18f7fcd5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8cdf30f0d2d2/bzImage-18f7fcd5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 vfs_fileattr_get fs/file_attr.c:94 [inline]
 __do_sys_file_getattr fs/file_attr.c:416 [inline]
 __se_sys_file_getattr+0x6cb/0xbd0 fs/file_attr.c:372
 __x64_sys_file_getattr+0xe4/0x150 fs/file_attr.c:372
 x64_sys_call+0x17cd/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:469
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable fa.i created at:
 __do_sys_file_getattr fs/file_attr.c:380 [inline]
 __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372
 __x64_sys_file_getattr+0xe4/0x150 fs/file_attr.c:372

CPU: 1 UID: 0 PID: 6065 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get
  2026-02-06  3:37 [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get syzbot
@ 2026-02-06  3:46 ` Qing Wang
  2026-02-06  4:16   ` syzbot
  2026-02-06  5:50 ` Edward Adam Davis
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 8+ messages in thread
From: Qing Wang @ 2026-02-06  3:46 UTC (permalink / raw)
  To: syzbot+7c31755f2cea07838b0c
  Cc: linux-fsdevel, linux-kernel, miklos, syzkaller-bugs

#syz test

diff --git a/fs/file_attr.c b/fs/file_attr.c
index 13cdb31a3e94..4f514e487e35 100644
--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -413,6 +413,7 @@ SYSCALL_DEFINE5(file_getattr, int, dfd, const char __user *, filename,
 			return error;
 	}
 
+	memset(&fa, 0, sizeof(struct file_kattr));
 	error = vfs_fileattr_get(filepath.dentry, &fa);
 	if (error == -ENOIOCTLCMD || error == -ENOTTY)
 		error = -EOPNOTSUPP;
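Review bot: the added `memset(&fa, 0, sizeof(struct file_kattr));` sits several lines away from the declaration of `fa`, after the early `return error;` path; it is correct as placed, but zeroing at the declaration (`struct file_kattr fa = {};`) keeps the initialization next to the variable and is the usual kernel form, and if the `memset` is kept, `sizeof(fa)` is preferable to `sizeof(struct file_kattr)` so the size follows the variable's type. This is also a `#syz test` submission with no commit message, so a resubmission should say which member of `fa` the filesystem reads before anything sets it (the report points at `fuse_fileattr_get`, fs/fuse/ioctl.c:517).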


* Re: [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get
  2026-02-06  3:46 ` Qing Wang
@ 2026-02-06  4:16   ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2026-02-06  4:16 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, miklos, syzkaller-bugs, wangqing7171

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com
Tested-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com

Tested on:

commit:         06bc4e26 Merge tag 'block-6.19-20260205' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1498e402580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9682a42d8ec8b05c
dashboard link: https://syzkaller.appspot.com/bug?extid=7c31755f2cea07838b0c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17f0e402580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get
  2026-02-06  3:37 [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get syzbot
  2026-02-06  3:46 ` Qing Wang
@ 2026-02-06  5:50 ` Edward Adam Davis
  2026-02-06  6:20   ` syzbot
  2026-02-06  6:00 ` Qing Wang
  2026-02-06  6:20 ` [PATCH] fs: init flags_valid before calling vfs_fileattr_get Edward Adam Davis
  3 siblings, 1 reply; 8+ messages in thread
From: Edward Adam Davis @ 2026-02-06  5:50 UTC (permalink / raw)
  To: syzbot+7c31755f2cea07838b0c; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/fs/file_attr.c b/fs/file_attr.c
index 13cdb31a3e94..4889cf59b256 100644
--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -377,7 +377,7 @@ SYSCALL_DEFINE5(file_getattr, int, dfd, const char __user *, filename,
 	struct filename *name __free(putname) = NULL;
 	unsigned int lookup_flags = 0;
 	struct file_attr fattr;
-	struct file_kattr fa;
+	struct file_kattr fa = { .flags_valid = true }; /* hint only */
 	int error;
 
 	BUILD_BUG_ON(sizeof(struct file_attr) < FILE_ATTR_SIZE_VER0);
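Review bot: `struct file_kattr fa = { .flags_valid = true }; /* hint only */` is not a plain zero-initialization; a designated initializer already zeroes every other member, so `= {}` would clear the KMSAN report with no behavioural change, whereas `flags_valid = true` is, per the comment, a hint the filesystem may act on (the uninitialized read in the report is inside `fuse_fileattr_get`). Either use `= {}` here or explain why `true` is the intended hint for the `file_getattr` syscall rather than a line copied from an ioctl helper.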



* Re: [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get
  2026-02-06  3:37 [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get syzbot
  2026-02-06  3:46 ` Qing Wang
  2026-02-06  5:50 ` Edward Adam Davis
@ 2026-02-06  6:00 ` Qing Wang
  2026-02-06  6:53   ` syzbot
  2026-02-06  6:20 ` [PATCH] fs: init flags_valid before calling vfs_fileattr_get Edward Adam Davis
  3 siblings, 1 reply; 8+ messages in thread
From: Qing Wang @ 2026-02-06  6:00 UTC (permalink / raw)
  To: syzbot+7c31755f2cea07838b0c
  Cc: linux-fsdevel, linux-kernel, miklos, syzkaller-bugs

#syz test

diff --git a/fs/file_attr.c b/fs/file_attr.c
index 13cdb31a3e94..8b5565cbccb0 100644
--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -377,7 +377,7 @@ SYSCALL_DEFINE5(file_getattr, int, dfd, const char __user *, filename,
 	struct filename *name __free(putname) = NULL;
 	unsigned int lookup_flags = 0;
 	struct file_attr fattr;
-	struct file_kattr fa;
+	struct file_kattr fa = {};
 	int error;
 
 	BUILD_BUG_ON(sizeof(struct file_attr) < FILE_ATTR_SIZE_VER0);
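Review bot: `struct file_kattr fa = {};` zero-initializes every member at the declaration, which is the minimal fix for this report and the idiomatic kernel form (preferred over `= { 0 }` and over a separate `memset` before the call). What is missing is the commit message: this is a `#syz test` submission only, and the eventual patch should name the member read before initialization (the report shows `fuse_fileattr_get`, fs/fuse/ioctl.c:517, reading local `fa` created at fs/file_attr.c:380) and carry the `Reported-by:` tag syzbot asked for.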



* Re: [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get
  2026-02-06  5:50 ` Edward Adam Davis
@ 2026-02-06  6:20   ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2026-02-06  6:20 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com
Tested-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com

Tested on:

commit:         b7ff7151 Merge tag 'hwmon-for-v6.19-final' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=145e878a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9682a42d8ec8b05c
dashboard link: https://syzkaller.appspot.com/bug?extid=7c31755f2cea07838b0c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10bc27fa580000

Note: testing is done by a robot and is best-effort only.


* [PATCH] fs: init flags_valid before calling vfs_fileattr_get
  2026-02-06  3:37 [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get syzbot
                   ` (2 preceding siblings ...)
  2026-02-06  6:00 ` Qing Wang
@ 2026-02-06  6:20 ` Edward Adam Davis
  3 siblings, 0 replies; 8+ messages in thread
From: Edward Adam Davis @ 2026-02-06  6:20 UTC (permalink / raw)
  To: syzbot+7c31755f2cea07838b0c
  Cc: linux-fsdevel, linux-kernel, miklos, brauner, aalbersh,
	syzkaller-bugs

syzbot reported an uninit-value bug in [1].

Similar to the "*get" context where the kernel's internal file_kattr
structure is initialized before calling vfs_fileattr_get(), we should
use the same mechanism when using fa.

[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 vfs_fileattr_get fs/file_attr.c:94 [inline]
 __do_sys_file_getattr fs/file_attr.c:416 [inline]
 
Local variable fa.i created at:
 __do_sys_file_getattr fs/file_attr.c:380 [inline]
 __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372

Reported-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7c31755f2cea07838b0c
Tested-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/file_attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/file_attr.c b/fs/file_attr.c
index 13cdb31a3e94..4889cf59b256 100644
--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -377,7 +377,7 @@ SYSCALL_DEFINE5(file_getattr, int, dfd, const char __user *, filename,
 	struct filename *name __free(putname) = NULL;
 	unsigned int lookup_flags = 0;
 	struct file_attr fattr;
-	struct file_kattr fa;
+	struct file_kattr fa = { .flags_valid = true }; /* hint only */
 	int error;
 
 	BUILD_BUG_ON(sizeof(struct file_attr) < FILE_ATTR_SIZE_VER0);
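Review bot: the subject says "init flags_valid", but what silences KMSAN in `+	struct file_kattr fa = { .flags_valid = true }; /* hint only */` is that the designated initializer zero-fills the rest of `fa`; the `true` value is a separate semantic choice the commit message does not justify. The message refers to "the "*get" context" without naming the function the line was copied from or saying why a hint meant for that caller is also right for the `file_getattr` syscall; either state that, or use the neutral `struct file_kattr fa = {};` form that also tested clean in this thread, and replace `/* hint only */` with a comment that says what the hint tells the filesystem.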
-- 
2.43.0



* Re: [syzbot] [fuse?] KMSAN: uninit-value in fuse_fileattr_get
  2026-02-06  6:00 ` Qing Wang
@ 2026-02-06  6:53   ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2026-02-06  6:53 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, miklos, syzkaller-bugs, wangqing7171

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com
Tested-by: syzbot+7c31755f2cea07838b0c@syzkaller.appspotmail.com

Tested on:

commit:         b7ff7151 Merge tag 'hwmon-for-v6.19-final' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16fe878a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9682a42d8ec8b05c
dashboard link: https://syzkaller.appspot.com/bug?extid=7c31755f2cea07838b0c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14978a52580000

Note: testing is done by a robot and is best-effort only.
