[syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    e84d960149e7 Merge tag 'for-6.19-rc5-tag' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16784b9a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=158fdb9a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=170153fa580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2d9623942f5a/disk-e84d9601.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/61b0e15f8560/vmlinux-e84d9601.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8b71c88680c4/bzImage-e84d9601.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7023ce628e6e/mount_2.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=130153fa580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
 txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
 xtTruncate+0x1002/0x5050 fs/jfs/jfs_xtree.c:2337
 jfs_truncate_nolock+0x223/0x670 fs/jfs/inode.c:396
 jfs_truncate fs/jfs/inode.c:420 [inline]
 jfs_write_failed+0x207/0x3c0 fs/jfs/inode.c:295
 jfs_write_end+0xcc/0x110 fs/jfs/inode.c:322
 generic_perform_write+0x999/0x1050 mm/filemap.c:4335
 __generic_file_write_iter+0x213/0x460 mm/filemap.c:4431
 generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xbe2/0x15d0 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
 x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 __alloc_frozen_pages_noprof+0x421/0xab0 mm/page_alloc.c:5263
 alloc_pages_mpol+0x328/0x860 mm/mempolicy.c:2486
 alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline]
 alloc_pages_noprof+0x102/0x280 mm/mempolicy.c:2577
 vm_area_alloc_pages mm/vmalloc.c:3649 [inline]
 __vmalloc_area_node mm/vmalloc.c:3863 [inline]
 __vmalloc_node_range_noprof+0xa94/0x2d90 mm/vmalloc.c:4051
 __vmalloc_node_noprof mm/vmalloc.c:4111 [inline]
 vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
 txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297
 init_jfs_fs+0x1b2/0xcb0 fs/jfs/super.c:977
 do_one_initcall+0x22b/0xad0 init/main.c:1378
 do_initcall_level+0x157/0x2e0 init/main.c:1440
 do_initcalls+0x176/0x310 init/main.c:1456
 do_basic_setup+0x1d/0x30 init/main.c:1475
 kernel_init_freeable+0x214/0x430 init/main.c:1688
 kernel_init+0x2f/0x5e0 init/main.c:1578
 ret_from_fork+0x208/0x710 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

CPU: 1 UID: 0 PID: 6025 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] jfs: fix KMSAN warning in txLock

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Syzbot reported a KMSAN uninit-value warning in txLock when accessing
jfs_ip->atlhead:

  BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659

This occurs because the jfs_inode_info structure is allocated from a
slab cache but not fully initialized, leaving fields like atlhead,
atltail, and anon_inode_list with garbage values from previously freed
inodes.

When txLock() attempts to traverse the anonymous transaction lock list
by reading jfs_ip->atlhead, it accesses uninitialized memory, triggering
the KMSAN warning.

Fix this by zeroing the entire jfs_inode_info structure in
jfs_alloc_inode(). This is consistent with how other filesystems handle
inode allocation and ensures all fields start with known values,
preventing this and potential similar bugs.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/jfs/super.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 3cfb86c5a36e..236fe8d42542 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -105,9 +105,7 @@ static struct inode *jfs_alloc_inode(struct super_block *sb)
 	jfs_inode = alloc_inode_sb(sb, jfs_inode_cachep, GFP_NOFS);
 	if (!jfs_inode)
 		return NULL;
-#ifdef CONFIG_QUOTA
-	memset(&jfs_inode->i_dquot, 0, sizeof(jfs_inode->i_dquot));
-#endif
+	memset(jfs_inode, 0, sizeof(struct jfs_inode_info));
 	return &jfs_inode->vfs_inode;
 }
 
-- 
2.43.0

Forwarded: [PATCH] jfs: fix KMSAN warning in txLock

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git maste

Syzbot reported a KMSAN uninit-value warning in txLock when accessing
the global TxLock array:

  BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659

The issue occurs because txInit() allocates the TxLock array using
vmalloc(), which does not zero the allocated memory. When txLock()
traverses the transaction lock list by accessing elements in this array
(via lid_to_tlock()), it reads uninitialized 'next' pointers, triggering
the KMSAN warning.

The uninitialized memory originates from:
  vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
  txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297

Fix this by using vzalloc() instead of vmalloc() to ensure the TxLock
array is zero-initialized. This guarantees that all tlock structures
start with valid initial values, particularly the 'next' field which is
used for list traversal.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/jfs/jfs_txnmgr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -294,7 +294,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
-- 
2.43.0

Forwarded: [PATCH] jfs: fix KMSAN warning in txLock

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Syzbot reported a KMSAN uninit-value warning in txLock when accessing
the global TxLock array:

  BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659

The issue occurs because txInit() allocates the TxLock array using
vmalloc(), which does not zero the allocated memory. When txLock()
traverses the transaction lock list by accessing elements in this array
(via lid_to_tlock()), it reads uninitialized 'next' pointers, triggering
the KMSAN warning.

The uninitialized memory originates from:
  vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
  txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297

Fix this by using vzalloc() instead of vmalloc() to ensure the TxLock
array is zero-initialized. This guarantees that all tlock structures
start with valid initial values, particularly the 'next' field which is
used for list traversal.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/jfs/jfs_txnmgr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -294,7 +294,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
-- 
2.43.0

Forwarded: [PATCH] jfs: fix uninit-value in txLock

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix uninit-value in txLock
Author: tristmd@gmail.com

From: Tristan Madani <tristan@talencesecurity.com>

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


txInit() allocates the TxLock array with vmalloc(), which does not zero
memory. The initialization loop only sets the .next field of each tlock
entry to chain them on the freelist. All other fields, including .tid,
.flag, .type, .mp, .ip, and the .lock[] overlay area, remain
uninitialized.

When txLock() looks up a tlock via lid_to_tlock(lid), it reads
tlck->tid to determine whether the page is already locked by the
requesting transaction. If this tlock entry was never previously
allocated and freed (txLockFree only sets .tid and .next), the .tid
field contains uninitialized vmalloc data, which KMSAN flags as a
use of uninitialized memory.

Fix this by replacing vmalloc() with vzalloc() so that all tlock fields
are zero-initialized at allocation time. This ensures .tid == 0 (the
anonymous/free state) for every tlock entry from the start, consistent
with what txLockFree() sets on deallocation.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_txnmgr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
--
2.43.0

Forwarded: [PATCH v2] jfs: fix uninit-value and assert crash in txLock

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From: Tristan Madani <tristan@talencesecurity.com>
Date: Thu, 17 Apr 2026
Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock

Two bugs in txLock():

1) txInit() allocates the TxLock array with vmalloc(), which does not
   zero memory. The initialization loop only sets .next, leaving .tid
   uninitialized. When txLock() reads tlck->tid it hits uninitialized
   vmalloc data. Fix: vmalloc -> vzalloc.

2) The anonymous tlock list walk uses assert(last) inside a for-loop.
   On a corrupted filesystem image the list can be inconsistent, causing
   last == 0 before finding the target lid. This triggers BUG() via
   the assert macro. Fix: replace assert with graceful error + goto
   grantLock.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_txnmgr.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb0c..ec6217a2c 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
 			for (last = jfs_ip->atlhead;
 			     lid_to_tlock(last)->next != lid;
 			     last = lid_to_tlock(last)->next) {
-				assert(last);
+				if (!last) {
+					jfs_err("txLock: lid %d not found in atl list", lid);
+					goto grantLock;
+				}
 			}
 			lid_to_tlock(last)->next = tlck->next;
 			if (jfs_ip->atltail == lid)
-- 
2.43.0

Forwarded: Re: [syzbot] KMSAN: uninit-value in txLock

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] KMSAN: uninit-value in txLock
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From 8cb6363dbe6d297ef3b9051425b83f630d9b93e9 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:13 +0000
Subject: [PATCH] jfs: fix uninit-value in txLock by zero-initializing TxLock
 array
txInit() allocates the TxLock array via vmalloc(), which does not
zero memory. The init loop only sets .next for freelist chaining,
leaving all other fields (including .tid) uninitialized. When
txLock() reads tlck->tid for a tlock that was never previously
allocated and freed, KMSAN reports uninit-value.
Additionally, the assert(last) in the anonymous tlock list walk
can trigger a BUG_ON when a corrupted filesystem image produces
an inconsistent tlock list. Replace with a graceful error path.
Fix both issues:
1. Replace vmalloc() with vzalloc() so all tlock fields start zeroed
2. Replace assert(last) with a graceful error recovery
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_txnmgr.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb..ec6217a 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
 			for (last = jfs_ip->atlhead;
 			     lid_to_tlock(last)->next != lid;
 			     last = lid_to_tlock(last)->next) {
-				assert(last);
+				if (!last) {
+					jfs_err("txLock: lid %d not found in atl list", lid);
+					goto grantLock;
+				}
 			}
 			lid_to_tlock(last)->next = tlck->next;
 			if (jfs_ip->atltail == lid)
-- 
2.47.3

Forwarded: Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_metapage.c
+++ b/fs/jfs/jfs_metapage.c
@@ -174,14 +174,10 @@ static inline struct metapage *alloc_metapage(gfp_t gfp_mask)
 {
 	struct metapage *mp = mempool_alloc(metapage_mempool, gfp_mask);

-	if (mp) {
-		mp->lid = 0;
-		mp->lsn = 0;
-		mp->data = NULL;
-		mp->clsn = 0;
-		mp->log = NULL;
+	if (mp) {
+		memset(mp, 0, sizeof(*mp));
 		init_waitqueue_head(&mp->wait);
-	}
+	}
 	return mp;
 }

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
 			for (last = jfs_ip->atlhead;
 			     lid_to_tlock(last)->next != lid;
 			     last = lid_to_tlock(last)->next) {
-				assert(last);
+				if (!last) {
+					jfs_err("txLock: lid %d not found in atl list", lid);
+					goto grantLock;
+				}
 			}
 			lid_to_tlock(last)->next = tlck->next;
 			if (jfs_ip->atltail == lid)

Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/maste: failed to run ["git" "fetch" "--force" "f569e972c8e9057ee9c286220c83a480ebf30cc5" "maste"]: exit status 128


Tested on:

commit:         [unknown 
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git maste
kernel config:  https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1114ff9a580000

Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in __mark_inode_dirty

loop0: detected capacity change from 0 to 32768
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000001381f067 P4D 800000001381f067 PUD 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6507 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:__list_del_entry_valid include/linux/list.h:127 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:223 [inline]
RIP: 0010:list_move include/linux/list.h:306 [inline]
RIP: 0010:inode_io_list_move_locked+0x152/0x8d0 fs/fs-writeback.c:122
Code: 00 00 00 4d 8b b4 24 e8 00 00 00 48 89 7d a8 e8 54 34 cc ff 4c 8b 28 44 8b 3a 4d 85 ed 0f 85 bc 03 00 00 49 81 c4 e0 00 00 00 <49> 8b 1e 4c 89 f7 e8 33 34 cc ff 48 8b 00 48 85 c0 74 12 48 89 d9
RSP: 0018:ffff88803945b8c8 EFLAGS: 00010286
RAX: ffff88801ae0d7c8 RBX: 0000000000000000 RCX: 0000000000087a41
RDX: ffff88801b20d7c8 RSI: 0000000000000001 RDI: ffff88801b60d7c8
RBP: ffff88803945b930 R08: ffffea000000000f R09: 0000000000000000
R10: ffff88801ae0d760 R11: ffffffff844dab90 R12: ffff88801b60d7c0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f249ec6e6c0(0000) GS:ffff8881aadec000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004f37a000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __mark_inode_dirty+0x878/0x1050 fs/fs-writeback.c:2668
 generic_update_time fs/inode.c:2158 [inline]
 inode_update_time fs/inode.c:2171 [inline]
 file_update_time_flags+0x9e7/0xa60 fs/inode.c:2398
 file_update_time+0x30/0x40 fs/inode.c:2419
 __generic_file_write_iter+0x124/0x460 mm/filemap.c:4412
 generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xbe1/0x15c0 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
 x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f249dd9aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f249ec6e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f249e005fa0 RCX: 00007f249dd9aef9
RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007f249de2fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f249e006038 R14: 00007f249e005fa0 R15: 00007fff32808dd8
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid include/linux/list.h:127 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:223 [inline]
RIP: 0010:list_move include/linux/list.h:306 [inline]
RIP: 0010:inode_io_list_move_locked+0x152/0x8d0 fs/fs-writeback.c:122
Code: 00 00 00 4d 8b b4 24 e8 00 00 00 48 89 7d a8 e8 54 34 cc ff 4c 8b 28 44 8b 3a 4d 85 ed 0f 85 bc 03 00 00 49 81 c4 e0 00 00 00 <49> 8b 1e 4c 89 f7 e8 33 34 cc ff 48 8b 00 48 85 c0 74 12 48 89 d9
RSP: 0018:ffff88803945b8c8 EFLAGS: 00010286
RAX: ffff88801ae0d7c8 RBX: 0000000000000000 RCX: 0000000000087a41
RDX: ffff88801b20d7c8 RSI: 0000000000000001 RDI: ffff88801b60d7c8
RBP: ffff88803945b930 R08: ffffea000000000f R09: 0000000000000000
R10: ffff88801ae0d760 R11: ffffffff844dab90 R12: ffff88801b60d7c0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f249ec6e6c0(0000) GS:ffff8881aadec000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004f37a000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 4d 8b             	add    %cl,-0x75(%rbp)
   5:	b4 24                	mov    $0x24,%ah
   7:	e8 00 00 00 48       	call   0x4800000c
   c:	89 7d a8             	mov    %edi,-0x58(%rbp)
   f:	e8 54 34 cc ff       	call   0xffcc3468
  14:	4c 8b 28             	mov    (%rax),%r13
  17:	44 8b 3a             	mov    (%rdx),%r15d
  1a:	4d 85 ed             	test   %r13,%r13
  1d:	0f 85 bc 03 00 00    	jne    0x3df
  23:	49 81 c4 e0 00 00 00 	add    $0xe0,%r12
* 2a:	49 8b 1e             	mov    (%r14),%rbx <-- trapping instruction
  2d:	4c 89 f7             	mov    %r14,%rdi
  30:	e8 33 34 cc ff       	call   0xffcc3468
  35:	48 8b 00             	mov    (%rax),%rax
  38:	48 85 c0             	test   %rax,%rax
  3b:	74 12                	je     0x4f
  3d:	48 89 d9             	mov    %rbx,%rcx


Tested on:

commit:         c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b857fc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=62c21fde37118981
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=147797fc580000

Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in txLock

BUG at fs/jfs/jfs_txnmgr.c:662 assert(last)
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_txnmgr.c:662!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 6674 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:txLock+0x144c/0x2900 fs/jfs/jfs_txnmgr.c:662
Code: c7 80 20 03 00 00 00 00 00 00 48 c7 c7 d5 c9 d1 91 48 c7 c6 76 86 aa 91 ba 96 02 00 00 48 c7 c1 b6 ff be 91 e8 d5 ae c7 fc 90 <0f> 0b 48 83 7d b8 00 0f 85 df 0f 00 00 4c 8b 6d 90 41 0f b7 5d 00
RSP: 0018:ffff888046c5b458 EFLAGS: 00010286
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff888046c5b548 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888237b1f028 R11: ffff88823f26ad60 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fb5748466c0(0000) GS:ffff8881aacec000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000022000 CR3: 0000000049288000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 xtTruncate+0xffd/0x5210 fs/jfs/jfs_xtree.c:2337
 jfs_truncate_nolock+0x223/0x670 fs/jfs/inode.c:396
 jfs_truncate fs/jfs/inode.c:420 [inline]
 jfs_write_failed+0x207/0x3c0 fs/jfs/inode.c:295
 jfs_write_end+0xcc/0x110 fs/jfs/inode.c:322
 generic_perform_write+0x99f/0x1050 mm/filemap.c:4335
 __generic_file_write_iter+0x213/0x460 mm/filemap.c:4431
 generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xbe1/0x15c0 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
 x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb57399aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb574846028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fb573c05fa0 RCX: 00007fb57399aef9
RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007fb573a2fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb573c06038 R14: 00007fb573c05fa0 R15: 00007ffc81835368
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:txLock+0x144c/0x2900 fs/jfs/jfs_txnmgr.c:662
Code: c7 80 20 03 00 00 00 00 00 00 48 c7 c7 d5 c9 d1 91 48 c7 c6 76 86 aa 91 ba 96 02 00 00 48 c7 c1 b6 ff be 91 e8 d5 ae c7 fc 90 <0f> 0b 48 83 7d b8 00 0f 85 df 0f 00 00 4c 8b 6d 90 41 0f b7 5d 00
RSP: 0018:ffff888046c5b458 EFLAGS: 00010286
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff888046c5b548 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888237b1f028 R11: ffff88823f26ad60 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fb5748466c0(0000) GS:ffff8881aacec000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000022000 CR3: 0000000049288000 CR4: 00000000003526f0


Tested on:

commit:         c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15128bfa580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=62c21fde37118981
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17cf97fc580000

Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in txLock

BUG at fs/jfs/jfs_txnmgr.c:663 assert(last)
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_txnmgr.c:663!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6659 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:txLock+0x144c/0x2900 fs/jfs/jfs_txnmgr.c:663
Code: c7 80 20 03 00 00 00 00 00 00 48 c7 c7 1b 47 1e 92 48 c7 c6 f0 5c f6 91 ba 97 02 00 00 48 c7 c1 a7 04 0b 92 e8 b5 34 b7 fc 90 <0f> 0b 48 83 7d b8 00 0f 85 df 0f 00 00 4c 8b 6d 90 41 0f b7 5d 00
RSP: 0018:ffff888049143458 EFLAGS: 00010286
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffff888049143548 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888237c8d028 R11: ffff88823f257df0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fa63e6d76c0(0000) GS:ffff8881aa95c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000022000 CR3: 0000000013ce2000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 xtTruncate+0xffd/0x5210 fs/jfs/jfs_xtree.c:2337
 jfs_truncate_nolock+0x223/0x670 fs/jfs/inode.c:396
 jfs_truncate fs/jfs/inode.c:420 [inline]
 jfs_write_failed+0x207/0x3c0 fs/jfs/inode.c:295
 jfs_write_end+0xcc/0x110 fs/jfs/inode.c:322
 generic_perform_write+0x99f/0x1050 mm/filemap.c:4345
 __generic_file_write_iter+0x213/0x460 mm/filemap.c:4441
 generic_file_write_iter+0x131/0x980 mm/filemap.c:4467
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0xbe1/0x15c0 fs/read_write.c:688
 ksys_pwrite64 fs/read_write.c:795 [inline]
 __do_sys_pwrite64 fs/read_write.c:803 [inline]
 __se_sys_pwrite64 fs/read_write.c:800 [inline]
 __x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:800
 x64_sys_call+0xbef/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:19
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa63d79aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa63e6d7028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fa63da05fa0 RCX: 00007fa63d79aef9
RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007fa63d82fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa63da06038 R14: 00007fa63da05fa0 R15: 00007ffeee193088
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:txLock+0x144c/0x2900 fs/jfs/jfs_txnmgr.c:663
Code: c7 80 20 03 00 00 00 00 00 00 48 c7 c7 1b 47 1e 92 48 c7 c6 f0 5c f6 91 ba 97 02 00 00 48 c7 c1 a7 04 0b 92 e8 b5 34 b7 fc 90 <0f> 0b 48 83 7d b8 00 0f 85 df 0f 00 00 4c 8b 6d 90 41 0f b7 5d 00
RSP: 0018:ffff888049143458 EFLAGS: 00010286
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffff888049143548 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888237c8d028 R11: ffff88823f257df0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fa63e6d76c0(0000) GS:ffff8881aa95c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000022000 CR3: 0000000013ce2000 CR4: 00000000003526f0


Tested on:

commit:         43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=11e641ba580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=572950cdd18a910f
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17da41ba580000

Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy syz-executor to VM: scp failed: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-executor" "root@10.128.1.121:./syz-executor"]
Executing: program /usr/bin/ssh host 10.128.1.121, user root, command sftp
debug1: OpenSSH_10.0p2 Debian-7, OpenSSL 3.5.4 30 Sep 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.1.121 [10.128.1.121] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_10.0p2 Debian-7
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
debug1: compat_banner: match: OpenSSH_9.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.128.1.121:22 as 'root'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:EAvWV3GG8odMD+k20F251zjwXNDbyLo/P7N2oY0DvFQ
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
Warning: Permanently added '10.128.1.121' (ED25519) to the list of known hosts.
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
Authenticated to 10.128.1.121 ([10.128.1.121]:22) using "none".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending subsystem: sftp
debug1: pledge: fork




syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2251183982=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.26.0'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at d6526ea3e6
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d6526ea3e6ad9081c902859bbb80f9f840377cb4\"
/usr/bin/ld: /tmp/ccVJ4Reh.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=572950cdd18a910f
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12cc6f16580000

Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in txLock

ip: ffff8880139c57b8: 139c57b0 ffff8880 00000000 00000000
ip: ffff8880139c57c8: 00000000 00000000 00000000 00000000
ip: ffff8880139c57d8: 00000000 00000000
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xe86/0xeb0 lib/hexdump.c:172
 hex_dump_to_buffer+0xe86/0xeb0 lib/hexdump.c:172
 print_hex_dump+0x10d/0x330 lib/hexdump.c:277
 txLock+0xe8f/0x29d0 fs/jfs/jfs_txnmgr.c:832
 xtInsert+0xd25/0x1530 fs/jfs/jfs_xtree.c:645
 extAlloc+0x12ec/0x17e0 fs/jfs/jfs_extent.c:150
 jfs_get_block+0x610/0xe30 fs/jfs/inode.c:254
 get_more_blocks fs/direct-io.c:648 [inline]
 do_direct_IO fs/direct-io.c:936 [inline]
 __blockdev_direct_IO+0x281f/0x6100 fs/direct-io.c:1243
 blockdev_direct_IO include/linux/fs.h:3133 [inline]
 jfs_direct_IO+0x12b/0x3f0 fs/jfs/inode.c:339
 generic_file_direct_write+0x2bc/0x730 mm/filemap.c:4258
 __generic_file_write_iter+0x25b/0x460 mm/filemap.c:4427
 generic_file_write_iter+0x131/0x980 mm/filemap.c:4467
 iter_file_splice_write+0x12d8/0x20c0 fs/splice.c:736
 do_splice_from fs/splice.c:936 [inline]
 direct_splice_actor+0x31a/0x7d0 fs/splice.c:1159
 splice_direct_to_actor+0x9a3/0x1560 fs/splice.c:1103
 do_splice_direct_actor fs/splice.c:1202 [inline]
 do_splice_direct+0x1e0/0x350 fs/splice.c:1228
 do_sendfile+0x9fc/0x1130 fs/read_write.c:1372
 __do_sys_sendfile64 fs/read_write.c:1433 [inline]
 __se_sys_sendfile64+0x1e3/0x280 fs/read_write.c:1419
 __x64_sys_sendfile64+0xbd/0x120 fs/read_write.c:1419
 x64_sys_call+0x3aa4/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:41
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 hex_dump_to_buffer+0xe7f/0xeb0 lib/hexdump.c:174
 print_hex_dump+0x10d/0x330 lib/hexdump.c:277
 txLock+0xe8f/0x29d0 fs/jfs/jfs_txnmgr.c:832
 xtInsert+0xd25/0x1530 fs/jfs/jfs_xtree.c:645
 extAlloc+0x12ec/0x17e0 fs/jfs/jfs_extent.c:150
 jfs_get_block+0x610/0xe30 fs/jfs/inode.c:254
 get_more_blocks fs/direct-io.c:648 [inline]
 do_direct_IO fs/direct-io.c:936 [inline]
 __blockdev_direct_IO+0x281f/0x6100 fs/direct-io.c:1243
 blockdev_direct_IO include/linux/fs.h:3133 [inline]
 jfs_direct_IO+0x12b/0x3f0 fs/jfs/inode.c:339
 generic_file_direct_write+0x2bc/0x730 mm/filemap.c:4258
 __generic_file_write_iter+0x25b/0x460 mm/filemap.c:4427
 generic_file_write_iter+0x131/0x980 mm/filemap.c:4467
 iter_file_splice_write+0x12d8/0x20c0 fs/splice.c:736
 do_splice_from fs/splice.c:936 [inline]
 direct_splice_actor+0x31a/0x7d0 fs/splice.c:1159
 splice_direct_to_actor+0x9a3/0x1560 fs/splice.c:1103
 do_splice_direct_actor fs/splice.c:1202 [inline]
 do_splice_direct+0x1e0/0x350 fs/splice.c:1228
 do_sendfile+0x9fc/0x1130 fs/read_write.c:1372
 __do_sys_sendfile64 fs/read_write.c:1433 [inline]
 __se_sys_sendfile64+0x1e3/0x280 fs/read_write.c:1419
 __x64_sys_sendfile64+0xbd/0x120 fs/read_write.c:1419
 x64_sys_call+0x3aa4/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:41
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4576 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_noprof+0x373/0x1250 mm/slub.c:4905
 mempool_alloc_slab+0x36/0x50 mm/mempool.c:722
 mempool_alloc_noprof+0x19d/0x3c0 mm/mempool.c:566
 alloc_metapage fs/jfs/jfs_metapage.c:264 [inline]
 __get_metapage+0xa20/0x1840 fs/jfs/jfs_metapage.c:761
 xtSplitRoot+0x164/0x1560 fs/jfs/jfs_xtree.c:1242
 xtSplitUp+0x8c2/0x2ea0 fs/jfs/jfs_xtree.c:785
 xtInsert+0x77a/0x1530 fs/jfs/jfs_xtree.c:608
 extAlloc+0x12ec/0x17e0 fs/jfs/jfs_extent.c:150
 jfs_get_block+0x610/0xe30 fs/jfs/inode.c:254
 get_more_blocks fs/direct-io.c:648 [inline]
 do_direct_IO fs/direct-io.c:936 [inline]
 __blockdev_direct_IO+0x281f/0x6100 fs/direct-io.c:1243
 blockdev_direct_IO include/linux/fs.h:3133 [inline]
 jfs_direct_IO+0x12b/0x3f0 fs/jfs/inode.c:339
 generic_file_direct_write+0x2bc/0x730 mm/filemap.c:4258
 __generic_file_write_iter+0x25b/0x460 mm/filemap.c:4427
 generic_file_write_iter+0x131/0x980 mm/filemap.c:4467
 iter_file_splice_write+0x12d8/0x20c0 fs/splice.c:736
 do_splice_from fs/splice.c:936 [inline]
 direct_splice_actor+0x31a/0x7d0 fs/splice.c:1159
 splice_direct_to_actor+0x9a3/0x1560 fs/splice.c:1103
 do_splice_direct_actor fs/splice.c:1202 [inline]
 do_splice_direct+0x1e0/0x350 fs/splice.c:1228
 do_sendfile+0x9fc/0x1130 fs/read_write.c:1372
 __do_sys_sendfile64 fs/read_write.c:1433 [inline]
 __se_sys_sendfile64+0x1e3/0x280 fs/read_write.c:1419
 __x64_sys_sendfile64+0xbd/0x120 fs/read_write.c:1419
 x64_sys_call+0x3aa4/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:41
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 6587 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
=====================================================


Tested on:

commit:         d662a710 Merge tag 'dmaengine-7.1-rc1' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14daa4ce580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5aa0042346eface8
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=171624ce580000

Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/jfs/jfs_metapage.c
Hunk #1 FAILED at 174.
1 out of 1 hunk FAILED
checking file fs/jfs/jfs_txnmgr.c



Tested on:

commit:         59bd5ae0 Merge tag 'for-v7.1' of git://git.kernel.org/..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17599a6a580000