From: syzbot <syzbot+93f4402297a457fc6895@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] hfsplus: initialize subfolders field when HAS_FOLDER_COUNT is not set
Date: Fri, 17 Apr 2026 03:12:12 -0700
Message-ID: <69e2077c.a00a0220.1cdc.000a.GAE@google.com>
In-Reply-To: <0000000000001db56d06076f6861@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] hfsplus: initialize subfolders field when HAS_FOLDER_COUNT is not set
Author: tristmd@gmail.com

From: Tristan Madani <tristan@talencesecurity.com>

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When reading a folder inode from disk, the subfolders field is only
initialized if the on-disk entry has the HFSPLUS_HAS_FOLDER_COUNT flag
set:

    if (folder->flags & cpu_to_be16(HFSPLUS_HAS_FOLDER_COUNT)) {
        HFSPLUS_I(inode)->subfolders =
            be32_to_cpu(folder->subfolders);
    }

If the flag is not set, subfolders is left with stale data from the
slab allocator.  The slab constructor (hfsplus_init_once) does set
subfolders = 0, but slab constructors only run on first allocation from
a fresh page -- they do not run on slab object reuse.

This uninitialized field is later read by hfsplus_subfolders_inc() and
hfsplus_subfolders_dec() during directory operations, which KMSAN flags
as a use of uninitialized memory.

Fix this by explicitly setting subfolders to 0 when the folder count
flag is not present on the on-disk entry.

Reported-by: syzbot+93f4402297a457fc6895@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=93f4402297a457fc6895
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/hfsplus/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -530,6 +530,8 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
 		if (folder->flags & cpu_to_be16(HFSPLUS_HAS_FOLDER_COUNT)) {
 			HFSPLUS_I(inode)->subfolders =
 				be32_to_cpu(folder->subfolders);
+		} else {
+			HFSPLUS_I(inode)->subfolders = 0;
 		}
 		inode->i_op = &hfsplus_dir_inode_operations;
 		inode->i_fop = &hfsplus_dir_operations;
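Review bot: the new else branch closing the if at the top of the hunk is correct, but the same guarantee falls out of one unconditional store ahead of the flag test, which keeps the folder path to a single assignment per field and does not grow the if/else:

		HFSPLUS_I(inode)->subfolders = 0;
		if (folder->flags & cpu_to_be16(HFSPLUS_HAS_FOLDER_COUNT))
			HFSPLUS_I(inode)->subfolders = be32_to_cpu(folder->subfolders);

Either shape silences the KMSAN report, so this is a style preference for the maintainer. Worth a second look before merge: the Fixes: tag names the 2.6.12-rc2 import, which is unlikely to be the commit that introduced the HFSPLUS_HAS_FOLDER_COUNT conditional this hunk modifies; `git log -S HFSPLUS_HAS_FOLDER_COUNT -- fs/hfsplus/inode.c` gives the commit that added the conditional, and pointing Fixes: at that one scopes the stable backport to trees that actually carry the subfolders field.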
--
2.43.0
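The commit message above turns on one slab property: a constructor such as hfsplus_init_once runs when a slab is populated, not on every kmem_cache_alloc(), so a freed object comes back with whatever its previous user left in it. The user-space model below is an added editorial example, not part of the patch or of the kernel; it replays the sequence the commit message describes against a stand-in for hfsplus_cat_read_inode in its pre-patch and patched forms. The flag value 0x0010, the four-object slab, the simplified record layouts and the sample folder records are all constructed for the illustration and do not reproduce the real HFS+ structures.

```c
#include <stdint.h>
#include <stdio.h>

#define HAS_FOLDER_COUNT 0x0010u   /* assumed flag bit for this model, not the real value */
#define SLAB_OBJS 4

struct folder_rec { uint16_t flags; uint32_t subfolders; };   /* simplified on-disk record */
struct inode_info { uint32_t subfolders; };                   /* simplified in-memory inode */

struct slab_cache {
	struct inode_info objs[SLAB_OBJS];
	int freelist[SLAB_OBJS];   /* indices into objs, used as a LIFO stack */
	int free_top;
	int ctor_runs;             /* constructor invocations so far */
};

struct scenario_result { uint32_t subfolders; int ctor_runs; };

/* hfsplus_init_once() analogue: zeroes the field, once per object. */
static void init_once(struct slab_cache *c, struct inode_info *i)
{
	i->subfolders = 0;
	c->ctor_runs++;
}

/* Populating the slab is the only time the constructor runs. */
static void cache_init(struct slab_cache *c)
{
	c->free_top = 0;
	c->ctor_runs = 0;
	for (int k = 0; k < SLAB_OBJS; k++) {
		init_once(c, &c->objs[k]);
		c->freelist[c->free_top++] = k;
	}
}

static struct inode_info *cache_alloc(struct slab_cache *c)
{
	return c->free_top ? &c->objs[c->freelist[--c->free_top]] : NULL;
}

/* kmem_cache_free() analogue: no constructor, no zeroing, contents retained. */
static void cache_free(struct slab_cache *c, struct inode_info *i)
{
	c->freelist[c->free_top++] = (int)(i - c->objs);
}

typedef void (*read_inode_fn)(struct inode_info *, const struct folder_rec *);

/* Pre-patch logic: the field is written only when the flag is present. */
static void read_inode_buggy(struct inode_info *ip, const struct folder_rec *f)
{
	if (f->flags & HAS_FOLDER_COUNT)
		ip->subfolders = f->subfolders;
}

/* Patched logic: both paths write the field. */
static void read_inode_fixed(struct inode_info *ip, const struct folder_rec *f)
{
	if (f->flags & HAS_FOLDER_COUNT)
		ip->subfolders = f->subfolders;
	else
		ip->subfolders = 0;
}

/* Constructed inputs: one record carrying a count of 7, one without the flag. */
static const struct folder_rec with_count = { .flags = HAS_FOLDER_COUNT, .subfolders = 7 };
static const struct folder_rec without_count = { .flags = 0, .subfolders = 0xdeadbeef };

/* First use of a fresh object: the constructor's zero hides the missing else branch. */
static uint32_t fresh_scenario(read_inode_fn read_inode)
{
	struct slab_cache cache;
	struct inode_info *a;

	cache_init(&cache);
	a = cache_alloc(&cache);
	read_inode(a, &without_count);
	return a->subfolders;
}

/* Reuse: the counted folder is read and its inode evicted, then the flagless
 * folder lands on the recycled object. The buggy reader leaves 7 behind. */
static struct scenario_result reuse_scenario(read_inode_fn read_inode)
{
	struct slab_cache cache;
	struct inode_info *a, *b;
	struct scenario_result r;

	cache_init(&cache);
	a = cache_alloc(&cache);
	read_inode(a, &with_count);
	cache_free(&cache, a);
	b = cache_alloc(&cache);        /* LIFO freelist returns the same object */
	read_inode(b, &without_count);
	r.subfolders = b->subfolders;
	r.ctor_runs = cache.ctor_runs;  /* still SLAB_OBJS: reuse did not re-run it */
	return r;
}

int main(void)
{
	printf("fresh object,  buggy reader: %u\n", (unsigned)fresh_scenario(read_inode_buggy));
	printf("reused object, buggy reader: %u\n", (unsigned)reuse_scenario(read_inode_buggy).subfolders);
	printf("reused object, fixed reader: %u\n", (unsigned)reuse_scenario(read_inode_fixed).subfolders);
	return 0;
}
```

The fresh-object case is why the bug is invisible on a quiet system: the constructor's zero covers the untaken branch until the first eviction and reallocation, after which the previous inode's count is inherited. The constructor counter stays at SLAB_OBJS across the free/alloc cycle, which is the property the patch's else branch compensates for.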

Thread overview: 4+ messages
2023-10-11 11:48 [syzbot] [hfs?] KMSAN: uninit-value in hfsplus_rename_cat syzbot
2024-12-12  8:22 ` [syzbot] Re: KMSAN: uninit-value in hfsplus_rename_cat() syzbot
2026-04-17 10:12 ` syzbot [this message]
2026-04-17 16:20 ` Forwarded: Re: [syzbot] KMSAN: uninit-value in hfsplus_cat_read_inode syzbot
