[syzbot] [jfs?] KMSAN: uninit-value in diFree

[syzbot] [jfs?] KMSAN: uninit-value in diFree

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    6537cfb395f3 Merge tag 'sound-6.14-rc4' of git://git.kerne..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=103bc7f8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8cf1217edc1cc7da
dashboard link: https://syzkaller.appspot.com/bug?extid=df6cdcb35904203d2b6d
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=131d2fdf980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16321498580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0b4a6e38bb6d/disk-6537cfb3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/96b70942c42c/vmlinux-6537cfb3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fd3dc281a360/bzImage-6537cfb3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f4c577f978b2/mount_1.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=14d09ae4580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com

ERROR: (device loop0): diUpdatePMap: the iag is outside the map
ERROR: (device loop0): remounting filesystem as read-only
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
 jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
 evict+0x723/0xd10 fs/inode.c:796
 iput_final fs/inode.c:1946 [inline]
 iput+0x97b/0xdb0 fs/inode.c:1972
 txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x6b9/0xef0 kernel/kthread.c:464
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
 jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
 jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
 get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
 get_tree_bdev+0x37/0x50 fs/super.c:1659
 jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
 path_mount+0x742/0x1f10 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount+0x71f/0x800 fs/namespace.c:4088
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
 x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 113 Comm: jfsCommit Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [jfs?] KMSAN: uninit-value in diFree

[Edward Adam Davis]

#syz test

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index a360b24ed320..ff32b614a09b 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -134,6 +134,8 @@ int diMount(struct inode *ipimap)
 		imap->im_agctl[index].numfree =
 		    le32_to_cpu(dinom_le->in_agctl[index].numfree);
 	}
+	imap->im_diskblock = 0;
+	imap->im_maxag = 0;
 
 	/* release the buffer. */
 	release_metapage(mp);

[PATCH] jfs: set diskblock and maxag to zero when creating imap

[Edward Adam Davis]

syzbot reported a uninit-value in diFree. [1]

When print_hex_dump() is called to print the first 32 bytes of imap, the
first 8 members in struct dinomap are the first 32 bytes of imap, because
in_diskblock and in_maxag are not initialized when imap is created.

When creating imap, set in_diskblock and in_maxag to 0 to prevent this
issue from happening.

[1]
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
 jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
 evict+0x723/0xd10 fs/inode.c:796
 iput_final fs/inode.c:1946 [inline]
 iput+0x97b/0xdb0 fs/inode.c:1972
 txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x6b9/0xef0 kernel/kthread.c:464
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
 jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
 jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
 get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
 get_tree_bdev+0x37/0x50 fs/super.c:1659
 jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
 path_mount+0x742/0x1f10 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount+0x71f/0x800 fs/namespace.c:4088
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
 x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83

Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=df6cdcb35904203d2b6d
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/jfs/jfs_imap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index a360b24ed320..ff32b614a09b 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -134,6 +134,8 @@ int diMount(struct inode *ipimap)
 		imap->im_agctl[index].numfree =
 		    le32_to_cpu(dinom_le->in_agctl[index].numfree);
 	}
+	imap->im_diskblock = 0;
+	imap->im_maxag = 0;
 
 	/* release the buffer. */
 	release_metapage(mp);
-- 
2.43.0

Re: [syzbot] [jfs?] KMSAN: uninit-value in diFree

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in diFree

ERROR: (device loop0): diUpdatePMap: the iag is outside the map
ERROR: (device loop0): remounting filesystem as read-only
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:878
 jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
 evict+0x723/0xd10 fs/inode.c:796
 iput_final fs/inode.c:1946 [inline]
 iput+0x97b/0xdb0 fs/inode.c:1972
 txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x6b9/0xef0 kernel/kthread.c:464
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 diMount+0x61/0x850 fs/jfs/jfs_imap.c:105
 jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
 jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
 get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
 get_tree_bdev+0x37/0x50 fs/super.c:1659
 jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
 path_mount+0x742/0x1f10 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount+0x71f/0x800 fs/namespace.c:4088
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
 x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 113 Comm: jfsCommit Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
=====================================================


Tested on:

commit:         6537cfb3 Merge tag 'sound-6.14-rc4' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103f2fdf980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8cf1217edc1cc7da
dashboard link: https://syzkaller.appspot.com/bug?extid=df6cdcb35904203d2b6d
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13f49ae4580000

Re: [PATCH] jfs: set diskblock and maxag to zero when creating imap

[Dave Kleikamp]

On 2/19/25 8:08AM, Edward Adam Davis wrote:
> syzbot reported a uninit-value in diFree. [1]
> 
> When print_hex_dump() is called to print the first 32 bytes of imap, the
> first 8 members in struct dinomap are the first 32 bytes of imap, because
> in_diskblock and in_maxag are not initialized when imap is created.
> 
> When creating imap, set in_diskblock and in_maxag to 0 to prevent this
> issue from happening.

Thanks for the patch, but I received two patches to fix this today, and 
I am opting for the other one which uses kzalloc to zero the structure.

Shaggy

> 
> [1]
> BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
>   hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
>   print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
>   diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
>   jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
>   evict+0x723/0xd10 fs/inode.c:796
>   iput_final fs/inode.c:1946 [inline]
>   iput+0x97b/0xdb0 fs/inode.c:1972
>   txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
>   txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
>   jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
>   kthread+0x6b9/0xef0 kernel/kthread.c:464
>   ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> 
> Uninit was created at:
>   slab_post_alloc_hook mm/slub.c:4121 [inline]
>   slab_alloc_node mm/slub.c:4164 [inline]
>   __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
>   kmalloc_noprof include/linux/slab.h:901 [inline]
>   diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
>   jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
>   jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
>   get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
>   get_tree_bdev+0x37/0x50 fs/super.c:1659
>   jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
>   vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
>   do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
>   path_mount+0x742/0x1f10 fs/namespace.c:3887
>   do_mount fs/namespace.c:3900 [inline]
>   __do_sys_mount fs/namespace.c:4111 [inline]
>   __se_sys_mount+0x71f/0x800 fs/namespace.c:4088
>   __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
>   x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
> 
> Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=df6cdcb35904203d2b6d
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>   fs/jfs/jfs_imap.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
> index a360b24ed320..ff32b614a09b 100644
> --- a/fs/jfs/jfs_imap.c
> +++ b/fs/jfs/jfs_imap.c
> @@ -134,6 +134,8 @@ int diMount(struct inode *ipimap)
>   		imap->im_agctl[index].numfree =
>   		    le32_to_cpu(dinom_le->in_agctl[index].numfree);
>   	}
> +	imap->im_diskblock = 0;
> +	imap->im_maxag = 0;
>   
>   	/* release the buffer. */
>   	release_metapage(mp);

Re: [syzbot] [jfs?] KMSAN: uninit-value in diFree

[Edward Adam Davis]

#syz test

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index a360b24ed320..0cedaccb7218 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -134,6 +134,10 @@ int diMount(struct inode *ipimap)
 		imap->im_agctl[index].numfree =
 		    le32_to_cpu(dinom_le->in_agctl[index].numfree);
 	}
+	imap->im_diskblock = 0;
+	imap->im_maxag = 0;
+	imap->im_enuminos = 0;
+	imap->im_enumfree = 0;
 
 	/* release the buffer. */
 	release_metapage(mp);
diff --git a/fs/jfs/jfs_imap.h b/fs/jfs/jfs_imap.h
index dd7409febe28..9af1da2e4591 100644
--- a/fs/jfs/jfs_imap.h
+++ b/fs/jfs/jfs_imap.h
@@ -144,6 +144,8 @@ struct inomap {
  */
 #define	im_diskblock	im_imap.in_diskblock
 #define	im_maxag	im_imap.in_maxag
+#define	im_enuminos	im_imap.in_numinos
+#define	im_enumfree	im_imap.in_numfree
 
 extern int diFree(struct inode *);
 extern int diAlloc(struct inode *, bool, struct inode *);
-- 
2.43.0

Re: [syzbot] [jfs?] KMSAN: uninit-value in diFree

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
Tested-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com

Tested on:

commit:         6537cfb3 Merge tag 'sound-6.14-rc4' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ddb5b0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8cf1217edc1cc7da
dashboard link: https://syzkaller.appspot.com/bug?extid=df6cdcb35904203d2b6d
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=169b27f8580000

Note: testing is done by a robot and is best-effort only.

[PATCH V2] jfs: Initialized first 8 members of the dinomap when creating imap

[Edward Adam Davis]

syzbot reported a uninit-value in diFree. [1]

When print_hex_dump() is called to print the first 32 bytes of imap, the
first 8 members in struct dinomap are the first 32 bytes of imap, because
in_numinos, in_numfree, in_diskblock and in_maxag are not initialized when
imap is created.

When creating imap, set in_numinos, in_numfree, in_diskblock and in_maxag
to 0 to prevent this issue from happening.

[1]
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
 jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
 evict+0x723/0xd10 fs/inode.c:796
 iput_final fs/inode.c:1946 [inline]
 iput+0x97b/0xdb0 fs/inode.c:1972
 txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x6b9/0xef0 kernel/kthread.c:464
 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
 jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
 jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
 get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
 get_tree_bdev+0x37/0x50 fs/super.c:1659
 jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
 vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
 path_mount+0x742/0x1f10 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount+0x71f/0x800 fs/namespace.c:4088
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
 x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83

Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=df6cdcb35904203d2b6d
Tested-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: add missing others two fields of dinomap

 fs/jfs/jfs_imap.c | 4 ++++
 fs/jfs/jfs_imap.h | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index a360b24ed320..0cedaccb7218 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -134,6 +134,10 @@ int diMount(struct inode *ipimap)
 		imap->im_agctl[index].numfree =
 		    le32_to_cpu(dinom_le->in_agctl[index].numfree);
 	}
+	imap->im_diskblock = 0;
+	imap->im_maxag = 0;
+	imap->im_enuminos = 0;
+	imap->im_enumfree = 0;
 
 	/* release the buffer. */
 	release_metapage(mp);
diff --git a/fs/jfs/jfs_imap.h b/fs/jfs/jfs_imap.h
index dd7409febe28..9af1da2e4591 100644
--- a/fs/jfs/jfs_imap.h
+++ b/fs/jfs/jfs_imap.h
@@ -144,6 +144,8 @@ struct inomap {
  */
 #define	im_diskblock	im_imap.in_diskblock
 #define	im_maxag	im_imap.in_maxag
+#define	im_enuminos	im_imap.in_numinos
+#define	im_enumfree	im_imap.in_numfree
 
 extern int diFree(struct inode *);
 extern int diAlloc(struct inode *, bool, struct inode *);
-- 
2.43.0

Re: [PATCH V2] jfs: Initialized first 8 members of the dinomap when creating imap

[Dave Kleikamp]

On 2/20/25 4:56AM, Edward Adam Davis wrote:
> syzbot reported a uninit-value in diFree. [1]
> 
> When print_hex_dump() is called to print the first 32 bytes of imap, the
> first 8 members in struct dinomap are the first 32 bytes of imap, because
> in_numinos, in_numfree, in_diskblock and in_maxag are not initialized when
> imap is created.
> 
> When creating imap, set in_numinos, in_numfree, in_diskblock and in_maxag
> to 0 to prevent this issue from happening.

I appreciate the patch, but I'm accepting a different patch to fix the 
problem:

https://sourceforge.net/p/jfs/mailman/message/59132063/

Shaggy

> 
> [1]
> BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
>   hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171
>   print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
>   diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876
>   jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156
>   evict+0x723/0xd10 fs/inode.c:796
>   iput_final fs/inode.c:1946 [inline]
>   iput+0x97b/0xdb0 fs/inode.c:1972
>   txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367
>   txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
>   jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733
>   kthread+0x6b9/0xef0 kernel/kthread.c:464
>   ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> 
> Uninit was created at:
>   slab_post_alloc_hook mm/slub.c:4121 [inline]
>   slab_alloc_node mm/slub.c:4164 [inline]
>   __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320
>   kmalloc_noprof include/linux/slab.h:901 [inline]
>   diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105
>   jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176
>   jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523
>   get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636
>   get_tree_bdev+0x37/0x50 fs/super.c:1659
>   jfs_get_tree+0x34/0x40 fs/jfs/super.c:635
>   vfs_get_tree+0xb1/0x5a0 fs/super.c:1814
>   do_new_mount+0x71f/0x15e0 fs/namespace.c:3560
>   path_mount+0x742/0x1f10 fs/namespace.c:3887
>   do_mount fs/namespace.c:3900 [inline]
>   __do_sys_mount fs/namespace.c:4111 [inline]
>   __se_sys_mount+0x71f/0x800 fs/namespace.c:4088
>   __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088
>   x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
> 
> Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=df6cdcb35904203d2b6d
> Tested-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> V1 -> V2: add missing others two fields of dinomap
> 
>   fs/jfs/jfs_imap.c | 4 ++++
>   fs/jfs/jfs_imap.h | 2 ++
>   2 files changed, 6 insertions(+)
> 
> diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
> index a360b24ed320..0cedaccb7218 100644
> --- a/fs/jfs/jfs_imap.c
> +++ b/fs/jfs/jfs_imap.c
> @@ -134,6 +134,10 @@ int diMount(struct inode *ipimap)
>   		imap->im_agctl[index].numfree =
>   		    le32_to_cpu(dinom_le->in_agctl[index].numfree);
>   	}
> +	imap->im_diskblock = 0;
> +	imap->im_maxag = 0;
> +	imap->im_enuminos = 0;
> +	imap->im_enumfree = 0;
>   
>   	/* release the buffer. */
>   	release_metapage(mp);
> diff --git a/fs/jfs/jfs_imap.h b/fs/jfs/jfs_imap.h
> index dd7409febe28..9af1da2e4591 100644
> --- a/fs/jfs/jfs_imap.h
> +++ b/fs/jfs/jfs_imap.h
> @@ -144,6 +144,8 @@ struct inomap {
>    */
>   #define	im_diskblock	im_imap.in_diskblock
>   #define	im_maxag	im_imap.in_maxag
> +#define	im_enuminos	im_imap.in_numinos
> +#define	im_enumfree	im_imap.in_numfree
>   
>   extern int diFree(struct inode *);
>   extern int diAlloc(struct inode *, bool, struct inode *);

Re: [PATCH V2] jfs: Initialized first 8 members of the dinomap when creating imap

[Edward Adam Davis]

> > syzbot reported a uninit-value in diFree. [1]
> > 
> > When print_hex_dump() is called to print the first 32 bytes of imap, the
> > first 8 members in struct dinomap are the first 32 bytes of imap, because
> > in_numinos, in_numfree, in_diskblock and in_maxag are not initialized when
> > imap is created.
> > 
> > When creating imap, set in_numinos, in_numfree, in_diskblock and in_maxag
> > to 0 to prevent this issue from happening.
> 
> I appreciate the patch, but I'm accepting a different patch to fix the 
> problem:
I am very disappointed with your choice. The design of "KMSAN: uninit-value X"
is used to find improper data usage and defects in the program. If you directly
use functions such as kzmalloc to clear the memory to 0, you will lose a valuable
asset--KMSAN uninit-value.

BR,
Edward