From: syzbot <syzbot+ba5f49027aace342d24d@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] jfs: zero-initialize btstack to fix KMSAN uninit-value in BT_STACK_DUMP
Date: Fri, 17 Apr 2026 03:12:02 -0700 [thread overview]
Message-ID: <69e20772.a00a0220.1cdc.0008.GAE@google.com> (raw)
In-Reply-To: <68197d2b.050a0220.23d401.2859.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] jfs: zero-initialize btstack to fix KMSAN uninit-value in BT_STACK_DUMP
Author: tristmd@gmail.com
From: Tristan Madani <tristan@talencesecurity.com>
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
BT_STACK_DUMP() unconditionally prints all MAXTREEHEIGHT entries of the
btstack->stack[] array. However, only entries between stack[0] and *top
have been written by BT_PUSH(); the rest contain uninitialized stack
data.
When dtSearch() or dtReadFirst() detect a corrupted B-tree that exceeds
MAXTREEHEIGHT, they call BT_STACK_DUMP() for diagnostic output. Reading
the uninitialized entries triggers a KMSAN uninit-value report.
Fix this by only iterating over the entries that were actually pushed
onto the stack (from stack[0] up to but not including top), rather than
blindly dumping all MAXTREEHEIGHT slots.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+ba5f49027aace342d24d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ba5f49027aace342d24d
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_btree.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_btree.h b/fs/jfs/jfs_btree.h
index a1312322..b6737db2 100644
--- a/fs/jfs/jfs_btree.h
+++ b/fs/jfs/jfs_btree.h
@@ -130,10 +130,12 @@ struct btstack {
static inline void BT_STACK_DUMP(struct btstack *btstack)
{
int i;
+ int depth = btstack->top - btstack->stack;
+
printk("btstack dump:\n");
- for (i = 0; i < MAXTREEHEIGHT; i++)
+ for (i = 0; i < depth; i++)
printk(KERN_ERR "bn = %Lx, index = %d\n",
(long long)btstack->stack[i].bn,
btstack->stack[i].index);
}
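Review bot: the subject line ("zero-initialize btstack") does not describe this hunk, which zeroes nothing and instead bounds the loop with `depth = btstack->top - btstack->stack`; retitle the patch to match the change (for example "jfs: only dump pushed entries in BT_STACK_DUMP") so the log is not misleading. Also consider clamping `depth` to MAXTREEHEIGHT before the loop: this dump runs precisely when the tree is already corrupt, and a bad `top` would turn the diagnostic itself into an out-of-bounds read of `stack[]`. Minor style point in the unchanged context: `printk("btstack dump:\n")` carries no log level while the per-entry line uses KERN_ERR; worth fixing in passing.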
--
2.39.2
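To make the commit message's point concrete, below is a small userspace model of the btstack behaviour it describes. This is an added example for this page, not code from the patch, the jfs tree or the author: the struct layout and the BT_CLR/BT_PUSH/BT_STACK_FULL macros are modelled on fs/jfs/jfs_btree.h as an assumption, POISON_BN stands in for the never-written memory that KMSAN tracks with shadow bits, and clamp_depth() is the example's own addition (the patch trusts top). The push depths are constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace model of the jfs btstack. Layout and macros follow
 * fs/jfs/jfs_btree.h as an assumption for this example; only top,
 * stack[] and MAXTREEHEIGHT matter for the bug.
 */
#define MAXTREEHEIGHT 8

struct btframe {
	int64_t bn;
	int16_t index;
	int16_t lastindex;
	void *mp;
};

struct btstack {
	struct btframe *top;	/* next free slot; stack[0 .. top-1] are live */
	int nsplit;
	struct btframe stack[MAXTREEHEIGHT];
};

#define BT_CLR(b)	((b)->top = (b)->stack)
#define BT_STACK_FULL(b)	((b)->top == &(b)->stack[MAXTREEHEIGHT - 1])
#define BT_PUSH(b, BN, INDEX) do {	\
	(b)->top->bn = (BN);		\
	(b)->top->index = (INDEX);	\
	++(b)->top;			\
} while (0)

/* Stand-in for memory that was never written (constructed sentinel). */
#define POISON_BN ((int64_t)0x7e57deadbeef1234LL)

/* Poison every frame, then reset top exactly as the kernel's BT_CLR does. */
static void init_poisoned(struct btstack *b)
{
	for (int i = 0; i < MAXTREEHEIGHT; i++) {
		b->stack[i].bn = POISON_BN;
		b->stack[i].index = -1;
	}
	BT_CLR(b);
}

/* Push 'depth' frames with constructed block numbers 1000, 1001, ...
 * BT_STACK_FULL stops us at MAXTREEHEIGHT - 1 live frames. */
static void push_frames(struct btstack *b, int depth)
{
	for (int i = 0; i < depth && !BT_STACK_FULL(b); i++)
		BT_PUSH(b, 1000 + i, i);
}

/* Example's addition: never let a corrupted top index past stack[]. */
static ptrdiff_t clamp_depth(ptrdiff_t depth)
{
	if (depth < 0 || depth > MAXTREEHEIGHT)
		return MAXTREEHEIGHT;
	return depth;
}

/* Dump the first n frames; return how many of them were never written. */
static int dump_frames(const struct btstack *b, ptrdiff_t n, int verbose)
{
	int uninit = 0;

	if (verbose)
		printf("btstack dump (%td frames):\n", n);
	for (ptrdiff_t i = 0; i < n; i++) {
		if (b->stack[i].bn == POISON_BN)
			uninit++;
		if (verbose)
			printf("bn = %llx, index = %d\n",
			       (long long)b->stack[i].bn, b->stack[i].index);
	}
	return uninit;
}

/* Pre-patch behaviour: every slot, live or not. */
static int dump_unbounded(const struct btstack *b, int verbose)
{
	return dump_frames(b, MAXTREEHEIGHT, verbose);
}

/* Post-patch behaviour: only stack[0 .. top-1], with the clamp added. */
static int dump_bounded(const struct btstack *b, int verbose)
{
	return dump_frames(b, clamp_depth(b->top - b->stack), verbose);
}

/* Build a stack with 'depth' live frames and report how many never-written
 * frames the chosen dump style reads. */
static int uninit_reads(int depth, int bounded)
{
	struct btstack b;

	init_poisoned(&b);
	push_frames(&b, depth);
	return bounded ? dump_bounded(&b, 0) : dump_unbounded(&b, 0);
}

int main(void)
{
	struct btstack b;

	init_poisoned(&b);
	push_frames(&b, 3);
	printf("unbounded dump read %d never-written frames\n",
	       dump_unbounded(&b, 1));
	printf("bounded dump read %d never-written frames\n",
	       dump_bounded(&b, 1));
	return 0;
}
```

With three frames pushed the unbounded dump touches the five poisoned slots above top, which is the read KMSAN flags; the bounded dump touches none. The clamp only matters when top itself is garbage, which is plausible on the corrupted-tree path where this diagnostic is called.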
Thread overview: 7+ messages
2025-05-06 3:08 [syzbot] [jfs?] KMSAN: uninit-value in BT_STACK_DUMP syzbot
2025-05-06 13:00 ` [syzbot] [PATCH] " syzbot
2025-05-06 14:20 ` [syzbot] " syzbot
2025-05-06 17:20 ` [RFC PATCH] jfs: Use zero initializer for btstack I Hsin Cheng
2025-09-23 17:47 ` Forwarded: KMSAN: uninit-value in BT_STACK_DUMP syzbot
2026-04-17 10:12 ` syzbot [this message]
2026-04-17 16:20 ` Forwarded: Re: [syzbot] " syzbot