* [syzbot] [jfs?] KMSAN: uninit-value in txLock
From: syzbot @ 2026-01-22 18:49 UTC
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: e84d960149e7 Merge tag 'for-6.19-rc5-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16784b9a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=158fdb9a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=170153fa580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2d9623942f5a/disk-e84d9601.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/61b0e15f8560/vmlinux-e84d9601.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8b71c88680c4/bzImage-e84d9601.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7023ce628e6e/mount_2.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=130153fa580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
xtTruncate+0x1002/0x5050 fs/jfs/jfs_xtree.c:2337
jfs_truncate_nolock+0x223/0x670 fs/jfs/inode.c:396
jfs_truncate fs/jfs/inode.c:420 [inline]
jfs_write_failed+0x207/0x3c0 fs/jfs/inode.c:295
jfs_write_end+0xcc/0x110 fs/jfs/inode.c:322
generic_perform_write+0x999/0x1050 mm/filemap.c:4335
__generic_file_write_iter+0x213/0x460 mm/filemap.c:4431
generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_pwrite64 fs/read_write.c:793 [inline]
__do_sys_pwrite64 fs/read_write.c:801 [inline]
__se_sys_pwrite64 fs/read_write.c:798 [inline]
__x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
__alloc_frozen_pages_noprof+0x421/0xab0 mm/page_alloc.c:5263
alloc_pages_mpol+0x328/0x860 mm/mempolicy.c:2486
alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline]
alloc_pages_noprof+0x102/0x280 mm/mempolicy.c:2577
vm_area_alloc_pages mm/vmalloc.c:3649 [inline]
__vmalloc_area_node mm/vmalloc.c:3863 [inline]
__vmalloc_node_range_noprof+0xa94/0x2d90 mm/vmalloc.c:4051
__vmalloc_node_noprof mm/vmalloc.c:4111 [inline]
vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297
init_jfs_fs+0x1b2/0xcb0 fs/jfs/super.c:977
do_one_initcall+0x22b/0xad0 init/main.c:1378
do_initcall_level+0x157/0x2e0 init/main.c:1440
do_initcalls+0x176/0x310 init/main.c:1456
do_basic_setup+0x1d/0x30 init/main.c:1475
kernel_init_freeable+0x214/0x430 init/main.c:1688
kernel_init+0x2f/0x5e0 init/main.c:1578
ret_from_fork+0x208/0x710 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
CPU: 1 UID: 0 PID: 6025 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Forwarded: [PATCH] jfs: fix KMSAN warning in txLock
From: syzbot @ 2026-01-23 5:12 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Syzbot reported a KMSAN uninit-value warning in txLock when accessing
jfs_ip->atlhead:
BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
This occurs because the jfs_inode_info structure is allocated from a
slab cache but not fully initialized, leaving fields like atlhead,
atltail, and anon_inode_list with garbage values from previously freed
inodes.
When txLock() attempts to traverse the anonymous transaction lock list
by reading jfs_ip->atlhead, it accesses uninitialized memory, triggering
the KMSAN warning.
Fix this by zeroing the entire jfs_inode_info structure in
jfs_alloc_inode(). This is consistent with how other filesystems handle
inode allocation and ensures all fields start with known values,
preventing this and potential similar bugs.
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/jfs/super.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 3cfb86c5a36e..236fe8d42542 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -105,9 +105,7 @@ static struct inode *jfs_alloc_inode(struct super_block *sb)
jfs_inode = alloc_inode_sb(sb, jfs_inode_cachep, GFP_NOFS);
if (!jfs_inode)
return NULL;
-#ifdef CONFIG_QUOTA
- memset(&jfs_inode->i_dquot, 0, sizeof(jfs_inode->i_dquot));
-#endif
+ memset(jfs_inode, 0, sizeof(struct jfs_inode_info));
return &jfs_inode->vfs_inode;
}
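Review bot: the memset(jfs_inode, 0, sizeof(struct jfs_inode_info)) that replaces the CONFIG_QUOTA block wipes everything the slab constructor set up on this object. alloc_inode_sb() hands out an object from jfs_inode_cachep, whose constructor (init_once in this same file) has already run inode_init_once() on the embedded vfs_inode and initialised the rwsems, mutex, spinlock and list heads of struct jfs_inode_info; zeroing a constructed object leaves those locks and lists in an invalid state, which is worse than the warning being fixed. The diagnosis also does not match the report: the "Uninit was created at" trace points at vmalloc_noprof() called from txInit() (fs/jfs/jfs_txnmgr.c:297), not at the inode slab, so the value read at jfs_txnmgr.c:659 comes from the TxLock array. Keep the original CONFIG_QUOTA memset and fix the allocation in txInit() instead.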
--
2.43.0
* Forwarded: [PATCH] jfs: fix KMSAN warning in txLock
From: syzbot @ 2026-01-23 5:31 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git maste
Syzbot reported a KMSAN uninit-value warning in txLock when accessing
the global TxLock array:
BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
The issue occurs because txInit() allocates the TxLock array using
vmalloc(), which does not zero the allocated memory. When txLock()
traverses the transaction lock list by accessing elements in this array
(via lid_to_tlock()), it reads uninitialized 'next' pointers, triggering
the KMSAN warning.
The uninitialized memory originates from:
vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297
Fix this by using vzalloc() instead of vmalloc() to ensure the TxLock
array is zero-initialized. This guarantees that all tlock structures
start with valid initial values, particularly the 'next' field which is
used for list traversal.
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/jfs/jfs_txnmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -294,7 +294,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
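Review bot: this is the allocation the report's origin stack names (vmalloc_noprof called from txInit at fs/jfs/jfs_txnmgr.c:297), so zeroing it addresses the actual source of the value, and vzalloc() on a one-time init allocation costs nothing measurable. Two points for the commit message rather than the code: add a Fixes: tag (later postings on this thread use the initial-import commit, which is the accepted practice for code that old) and Cc: stable, and be precise about which field is read uninitialised; the 'next' pointers are exactly what the init loop does write, so the uninitialised read is more plausibly .tid, as the later submissions on this thread say. Also, the '#syz test:' line names branch 'maste', so syzbot will not be able to check out a tree for this run.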
--
2.43.0
* Forwarded: [PATCH] jfs: fix KMSAN warning in txLock
From: syzbot @ 2026-01-23 5:33 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Syzbot reported a KMSAN uninit-value warning in txLock when accessing
the global TxLock array:
BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
The issue occurs because txInit() allocates the TxLock array using
vmalloc(), which does not zero the allocated memory. When txLock()
traverses the transaction lock list by accessing elements in this array
(via lid_to_tlock()), it reads uninitialized 'next' pointers, triggering
the KMSAN warning.
The uninitialized memory originates from:
vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297
Fix this by using vzalloc() instead of vmalloc() to ensure the TxLock
array is zero-initialized. This guarantees that all tlock structures
start with valid initial values, particularly the 'next' field which is
used for list traversal.
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/jfs/jfs_txnmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -294,7 +294,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
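Review bot: byte-identical to the hunk in the 5:31 forward; only the '#syz test:' target line was corrected from 'maste' to 'master', so the remarks on that earlier copy (Fixes:/Cc: stable, and naming .tid rather than 'next' as the uninitialised field) apply unchanged here.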
--
2.43.0
* Forwarded: [PATCH] jfs: fix uninit-value in txLock
From: syzbot @ 2026-04-17 10:11 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] jfs: fix uninit-value in txLock
Author: tristmd@gmail.com
From: Tristan Madani <tristan@talencesecurity.com>
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
txInit() allocates the TxLock array with vmalloc(), which does not zero
memory. The initialization loop only sets the .next field of each tlock
entry to chain them on the freelist. All other fields, including .tid,
.flag, .type, .mp, .ip, and the .lock[] overlay area, remain
uninitialized.
When txLock() looks up a tlock via lid_to_tlock(lid), it reads
tlck->tid to determine whether the page is already locked by the
requesting transaction. If this tlock entry was never previously
allocated and freed (txLockFree only sets .tid and .next), the .tid
field contains uninitialized vmalloc data, which KMSAN flags as a
use of uninitialized memory.
Fix this by replacing vmalloc() with vzalloc() so that all tlock fields
are zero-initialized at allocation time. This ensures .tid == 0 (the
anonymous/free state) for every tlock entry from the start, consistent
with what txLockFree() sets on deallocation.
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_txnmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
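Review bot: the hunk header says @@ -295,7 while the index line carries the same pre/post blob ids (c16578af3a77..4c72103a0b46) as the 5:31 and 5:33 patches, which say @@ -294,7 for the same seven context lines; identical blobs cannot place the same hunk at different line numbers, so this patch was edited by hand rather than regenerated. git apply will still locate it by context, but please regenerate with git format-patch against the tree named in the #syz test line so the test run does not depend on fuzzing. The explanation in the message is the more accurate one on this thread: the txInit() loop writes only .next, so it is .tid that txLock() reads first, and vzalloc() makes the "tid == 0 means anonymous" state hold for entries that have never been through txLockFree().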
--
2.43.0
* Forwarded: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
From: syzbot @ 2026-04-17 13:30 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
Author: tristmd@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From: Tristan Madani <tristan@talencesecurity.com>
Date: Thu, 17 Apr 2026
Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
Two bugs in txLock():
1) txInit() allocates the TxLock array with vmalloc(), which does not
zero memory. The initialization loop only sets .next, leaving .tid
uninitialized. When txLock() reads tlck->tid it hits uninitialized
vmalloc data. Fix: vmalloc -> vzalloc.
2) The anonymous tlock list walk uses assert(last) inside a for-loop.
On a corrupted filesystem image the list can be inconsistent, causing
last == 0 before finding the target lid. This triggers BUG() via
the assert macro. Fix: replace assert with graceful error + goto
grantLock.
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_txnmgr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb0c..ec6217a2c 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
for (last = jfs_ip->atlhead;
lid_to_tlock(last)->next != lid;
last = lid_to_tlock(last)->next) {
- assert(last);
+ if (!last) {
+ jfs_err("txLock: lid %d not found in atl list", lid);
+ goto grantLock;
+ }
}
lid_to_tlock(last)->next = tlck->next;
if (jfs_ip->atltail == lid)
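Review bot: the `goto grantLock` on an inconsistent list leaves the tlock half-moved. A few lines above this hunk txLock() has already set tlck->tid to the requesting tid, and the jump abandons the walk before the unlink below (`lid_to_tlock(last)->next = tlck->next;` and the atltail update) and before the code after this if/else that chains the tlock onto the transaction's own list; the entry therefore stays on the inode's anonymous list while the caller proceeds as though the lock had been granted. The commit message should say why that is safe, and a corrupt on-disk structure is normally reported through jfs_error(ip->i_sb, ...), which honours the errors= mount option and can mark the filesystem bad, rather than a jfs_err() print followed by continuing. Minor: the for condition dereferences lid_to_tlock(last) with last == 0 before the body's check runs, exactly as the old assert did; that is only safe because lid 0 is the reserved entry, which deserves a comment. The lid_t argument is promoted to int, so %d is correct.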
--
2.43.0
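As an added example, not jfs code and not part of any patch on this thread, here is a small user-space model of the TxLock table that shows both points argued in this v2 patch: why the "tid == 0 means anonymous/free" state has to be established at allocation time when the init loop writes only .next, and how the anonymous-list walk can fail gracefully on an inconsistent list instead of asserting. It assumes a reduced four-field tlock, an 8-entry table, malloc filled with 0xAA standing in for vmalloc and calloc standing in for vzalloc; the function names (tx_init, tx_exit, tx_owner_state, sample_atl, atl_find_prev) are hypothetical and the list contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t lid_t;  /* lock id, index into TxLock; 0 is reserved */
typedef uint16_t tid_t;  /* transaction id; 0 means anonymous / free */

/* Reduced model of struct tlock: only the fields the thread discusses. */
struct tlock {
	lid_t next;          /* next lid on the freelist or a tlock list */
	tid_t tid;           /* owning transaction, 0 if anonymous or free */
	uint16_t flag;       /* left untouched by the init loop, like jfs */
	uint16_t type;
};

#define NTXLOCK 8                 /* tiny table; jfs sizes it from nTxLock */
static struct tlock *TxLock;      /* table indexed by lid, as in jfs */

#define lid_to_tlock(lid) (&TxLock[(lid)])

/* Stand-in for a non-zeroing allocator (vmalloc). Filling with 0xAA makes
 * the hazard deterministic in user space; real vmalloc returns whatever the
 * pages held before. Constructed for this example. */
static void *alloc_uninit(size_t size)
{
	void *p = malloc(size);
	if (p)
		memset(p, 0xAA, size);
	return p;
}

/* Mirrors the txInit() loop as the commit messages describe it: only .next
 * is written, chaining lids 1..NTXLOCK-1 onto the freelist. zeroed == 0 uses
 * the non-zeroing allocator (vmalloc), zeroed == 1 uses calloc (vzalloc).
 * Returns 0 on success, -1 on allocation failure. */
static int tx_init(int zeroed)
{
	size_t size = sizeof(struct tlock) * NTXLOCK;
	lid_t k;

	TxLock = zeroed ? calloc(1, size) : alloc_uninit(size);
	if (!TxLock)
		return -1;
	for (k = 1; k < NTXLOCK - 1; k++)
		lid_to_tlock(k)->next = k + 1;
	lid_to_tlock(k)->next = 0;
	return 0;
}

static int tx_exit(void)
{
	free(TxLock);
	TxLock = NULL;
	return 0;
}

/* The first thing txLock() does with a lid found on a page: read .tid to
 * classify the entry. Returns 1 if already locked by the requester, 0 if
 * anonymous/free (tid == 0), -1 if owned by another transaction (the path
 * on which txLock() waits for that transaction). For an entry that was
 * never handed out, the answer is decided by what the allocator left in .tid. */
static int tx_owner_state(lid_t lid, tid_t tid)
{
	tid_t xtid = lid_to_tlock(lid)->tid;

	if (xtid == tid)
		return 1;
	if (xtid == 0)
		return 0;
	return -1;
}

/* Constructed sample: an anonymous tlock list 1 -> 2 -> 4 -> 0 (0 terminates,
 * since lid 0 is reserved). Returns the list head. Call after tx_init(). */
static lid_t sample_atl(void)
{
	lid_to_tlock(1)->next = 2;
	lid_to_tlock(2)->next = 4;
	lid_to_tlock(4)->next = 0;
	return 1;
}

/* The walk from txLock(): find the predecessor of lid on the list headed at
 * atlhead. Reaching last == 0 before finding lid means the list is
 * inconsistent; return 0 so the caller can report it, instead of the
 * assert(last) that turns a corrupt image into a BUG(). */
static lid_t atl_find_prev(lid_t atlhead, lid_t lid)
{
	lid_t last;

	for (last = atlhead; lid_to_tlock(last)->next != lid;
	     last = lid_to_tlock(last)->next) {
		if (!last)
			return 0;   /* walked onto the reserved terminator */
	}
	return last;
}

int main(void)
{
	lid_t head;

	tx_init(0);
	printf("vmalloc-style table, unused lid 3 seen by tid 5: %d\n",
	       tx_owner_state(3, 5));                          /* -1 */
	tx_exit();
	tx_init(1);
	printf("vzalloc-style table, same lookup: %d\n",
	       tx_owner_state(3, 5));                          /* 0 */
	head = sample_atl();
	printf("predecessor of lid 4: %u\n", (unsigned)atl_find_prev(head, 4)); /* 2 */
	printf("predecessor of lid 6: %u\n", (unsigned)atl_find_prev(head, 6)); /* 0 */
	return tx_exit();
}
```

The -1 from the first lookup is the interesting case: a never-used entry with a garbage .tid looks like a lock held by some other transaction, so the real txLock() would go and wait for a transaction that does not exist, which is why the free state must be established when the table is created rather than only in txLockFree().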
* Forwarded: Re: [syzbot] KMSAN: uninit-value in txLock
From: syzbot @ 2026-04-17 16:19 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] KMSAN: uninit-value in txLock
Author: tristmd@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From 8cb6363dbe6d297ef3b9051425b83f630d9b93e9 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:13 +0000
Subject: [PATCH] jfs: fix uninit-value in txLock by zero-initializing TxLock array
txInit() allocates the TxLock array via vmalloc(), which does not
zero memory. The init loop only sets .next for freelist chaining,
leaving all other fields (including .tid) uninitialized. When
txLock() reads tlck->tid for a tlock that was never previously
allocated and freed, KMSAN reports uninit-value.
Additionally, the assert(last) in the anonymous tlock list walk
can trigger a BUG_ON when a corrupted filesystem image produces
an inconsistent tlock list. Replace with a graceful error path.
Fix both issues:
1. Replace vmalloc() with vzalloc() so all tlock fields start zeroed
2. Replace assert(last) with a graceful error recovery
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_txnmgr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb..ec6217a 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
for (last = jfs_ip->atlhead;
lid_to_tlock(last)->next != lid;
last = lid_to_tlock(last)->next) {
- assert(last);
+ if (!last) {
+ jfs_err("txLock: lid %d not found in atl list", lid);
+ goto grantLock;
+ }
}
lid_to_tlock(last)->next = tlck->next;
if (jfs_ip->atltail == lid)
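Review bot: both hunks are unchanged from the 13:30 v2 posting, so the comments there still apply, in particular that the goto grantLock path leaves the entry on the inode's anonymous list with its tid already assigned. What did change is the commit message: it dropped the Fixes: and Cc: stable tags v2 carried, and it says BUG_ON where the hunk removes assert(); jfs's assert is its own macro in jfs_debug.h that prints and then calls BUG(), so keep the tags and name the macro precisely.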
--
2.47.3
* Forwarded: Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock
From: syzbot @ 2026-04-17 19:11 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock
Author: tristmd@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_metapage.c
+++ b/fs/jfs/jfs_metapage.c
@@ -174,14 +174,10 @@ static inline struct metapage *alloc_metapage(gfp_t gfp_mask)
{
struct metapage *mp = mempool_alloc(metapage_mempool, gfp_mask);
- if (mp) {
- mp->lid = 0;
- mp->lsn = 0;
- mp->data = NULL;
- mp->clsn = 0;
- mp->log = NULL;
+ if (mp) {
+ memset(mp, 0, sizeof(*mp));
init_waitqueue_head(&mp->wait);
- }
+ }
return mp;
}
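Review bot: most of this hunk is whitespace churn: `if (mp) {` and the closing `}` are removed and re-added with identical text, which together with the index line placeholders (XXXXXXX..XXXXXXX) shows the diff was typed or reformatted by hand rather than produced by git; syzbot applies patches with git, and removed lines that do not match the tree byte for byte will be rejected. On substance, the removed lines already set mp->lid = 0, so swapping them for memset(mp, 0, sizeof(*mp)) changes nothing on the lid path the report exercises; if the point is that other metapage fields were left stale, a commit message should say which ones (this posting has none, and no Signed-off-by). The ordering is right: memset first, then init_waitqueue_head(), so the waitqueue is re-initialised after the zeroing.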
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
for (last = jfs_ip->atlhead;
lid_to_tlock(last)->next != lid;
last = lid_to_tlock(last)->next) {
- assert(last);
+ if (!last) {
+ jfs_err("txLock: lid %d not found in atl list", lid);
+ goto grantLock;
+ }
}
lid_to_tlock(last)->next = tlck->next;
if (jfs_ip->atltail == lid)
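Review bot: the two jfs_txnmgr.c hunks are byte-identical to the 13:30 v2 posting and carry the same placeholder index lines as the jfs_metapage.c hunk above; the remarks on v2 apply unchanged, above all that the `goto grantLock` path leaves the tlock on the anonymous list rather than reporting the corruption through jfs_error().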