[syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find

[syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    d60bc1401583 Merge tag 'pwrseq-updates-for-v7.1-rc1' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16cbe8ce580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6b03ae1ea24aea48
dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13fe84ce580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11d5feba580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0751271be83e/disk-d60bc140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f53e11b04b29/vmlinux-d60bc140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4c57f9a8e1f1/bzImage-d60bc140.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/438dc293e7d9/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 1024
hfsplus: requested invalid offset: NODE: id 0, type 0x1, height 0, node_size 1, offset 4294967295
=====================================================
BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
 hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
 hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
 hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
 path_mount+0x7a2/0x20b0 fs/namespace.c:4159
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable data.i created at:
 hfsplus_bnode_read_u16 fs/hfsplus/bnode.c:58 [inline]
 hfsplus_bnode_find+0xd6f/0x1600 fs/hfsplus/bnode.c:583
 hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382

CPU: 0 UID: 0 PID: 6044 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find

[Edward Adam Davis]

#syz test

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 250a226336ea..56a046ba4d54 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -576,7 +576,10 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
 		goto node_error;
 	}
 
-	rec_off = tree->node_size - 2;
+	if (tree->node_size < 2)
+		goto node_error;
+	else
+		rec_off = tree->node_size - 2;
 	off = hfs_bnode_read_u16(node, rec_off);
 	if (off != sizeof(struct hfs_bnode_desc))
 		goto node_error;

Re: [syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
 irqentry_exit+0x77/0x710 kernel/entry/common.c:164
 sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
 smap_save mm/kmsan/instrumentation.c:93 [inline]
 get_shadow_origin_ptr mm/kmsan/instrumentation.c:35 [inline]
 __msan_metadata_ptr_for_load_4+0x11/0x40 mm/kmsan/instrumentation.c:93
 do_csum lib/checksum.c:64 [inline]
 ip_fast_csum+0x1e6/0x3f0 lib/checksum.c:99
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:842 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
 nsim_dev_trap_report_work+0x8c0/0x1430 drivers/net/netdevsim/dev.c:922
 process_one_work kernel/workqueue.c:3288 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4545 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_node_track_caller_noprof+0x4f6/0x1750 mm/slub.c:5368
 kmalloc_reserve net/core/skbuff.c:635 [inline]
 __alloc_skb+0x90d/0x1190 net/core/skbuff.c:713
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
 nsim_dev_trap_report_work+0x3f2/0x1430 drivers/net/netdevsim/dev.c:922
 process_one_work kernel/workqueue.c:3288 [inline]
 process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

CPU: 0 UID: 0 PID: 134 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events_unbound nsim_dev_trap_report_work
=====================================================


Tested on:

commit:         91a4855d Merge tag 'net-next-7.1' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f418ce580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9f67daa5723e634c
dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=170efb02580000

[PATCH] hfsplus: Add a sanity check for catalog btree node size

[Edward Adam Davis]

Syzbot reported a uninit-value bug in [1], during the file system mounting
process, specifically while loading the catalog, a corrupted node_size
value of 1 caused the rec_off argument passed to hfs_bnode_read_u16()
(within hfs_bnode_find()) to be excessively large. Consequently, the
function failed to return a valid value to initialize the off variable,
triggering the bug [1].

To prevent similar issues, a check for the catalog btree node size has
been added within the hfsplus_btree_open() function.

[1]
BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
 hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
 hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
 hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]

Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
Reported-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/hfsplus/btree.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 761c74ccd653..61050ffe425e 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -337,6 +337,11 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
 			pr_err("invalid catalog btree flag\n");
 			goto fail_page;
 		}
+		if (tree->node_size < 2) {
+			pr_err("invalid catalog btree node size %u\n",
+				tree->node_size);
+			goto fail_page;
+		}
 
 		if (test_bit(HFSPLUS_SB_HFSX, &HFSPLUS_SB(sb)->flags) &&
 		    (head->key_type == HFSPLUS_KEY_BINARY))
-- 
2.43.0

Re: [PATCH] hfsplus: Add a sanity check for catalog btree node size

[Viacheslav Dubeyko]

On Wed, 2026-04-15 at 16:29 +0800, Edward Adam Davis wrote:
> Syzbot reported a uninit-value bug in [1], during the file system mounting
> process, specifically while loading the catalog, a corrupted node_size
> value of 1 caused the rec_off argument passed to hfs_bnode_read_u16()
> (within hfs_bnode_find()) to be excessively large. Consequently, the
> function failed to return a valid value to initialize the off variable,
> triggering the bug [1].
> 
> To prevent similar issues, a check for the catalog btree node size has
> been added within the hfsplus_btree_open() function.
> 
> [1]
> BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
>  hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
>  hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
>  hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
>  get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
>  get_tree_bdev+0x38/0x50 fs/super.c:1717
>  hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
>  vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
>  fc_mount fs/namespace.c:1193 [inline]
> 
> Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
> Reported-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  fs/hfsplus/btree.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
> index 761c74ccd653..61050ffe425e 100644
> --- a/fs/hfsplus/btree.c
> +++ b/fs/hfsplus/btree.c
> @@ -337,6 +337,11 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
>  			pr_err("invalid catalog btree flag\n");
>  			goto fail_page;
>  		}
> +		if (tree->node_size < 2) {

Every node starts from BTree node descriptor: struct hfs_bnode_desc. So, the
size of node cannot be lesser than that. However, technical specification
declares that: "The node size (which is expressed in bytes) must be power of
two, from 512 through 32,768, inclusive.". So, we can add more smart check here.

And, maybe, it makes sense to check the node size value at the places of using
it. What do you think?

But we have this check of node_size in hfs_btree_open() [1]:

	size = tree->node_size;
	if (!is_power_of_2(size))
		goto fail_page;

If node size is 1, for example, then this check should fail to execute the
hfs_btree_open(). How, finally, do we have node_size == 1 during the
hfs_bnode_find()? I don't quite follow.

Thanks,
Slava.

> +			pr_err("invalid catalog btree node size %u\n",
> +				tree->node_size);
> +			goto fail_page;
> +		}
>  
>  		if (test_bit(HFSPLUS_SB_HFSX, &HFSPLUS_SB(sb)->flags) &&
>  		    (head->key_type == HFSPLUS_KEY_BINARY))

[1] https://elixir.bootlin.com/linux/v7.0/source/fs/hfsplus/btree.c#L232

Re: [PATCH] hfsplus: Add a sanity check for catalog btree node size

[Edward Adam Davis]

On Wed, 15 Apr 2026 15:32:59 -0700, Viacheslav Dubeyko wrote:
> > Syzbot reported a uninit-value bug in [1], during the file system mounting
> > process, specifically while loading the catalog, a corrupted node_size
> > value of 1 caused the rec_off argument passed to hfs_bnode_read_u16()
> > (within hfs_bnode_find()) to be excessively large. Consequently, the
> > function failed to return a valid value to initialize the off variable,
> > triggering the bug [1].
> >
> > To prevent similar issues, a check for the catalog btree node size has
> > been added within the hfsplus_btree_open() function.
> >
> > [1]
> > BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
> >  hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
> >  hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
> >  hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
> >  get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
> >  get_tree_bdev+0x38/0x50 fs/super.c:1717
> >  hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
> >  vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
> >  fc_mount fs/namespace.c:1193 [inline]
> >
> > Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
> > Reported-by: syzbot+217eb327242d08197efb@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > ---
> >  fs/hfsplus/btree.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
> > index 761c74ccd653..61050ffe425e 100644
> > --- a/fs/hfsplus/btree.c
> > +++ b/fs/hfsplus/btree.c
> > @@ -337,6 +337,11 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
> >  			pr_err("invalid catalog btree flag\n");
> >  			goto fail_page;
> >  		}
> > +		if (tree->node_size < 2) {
> 
> Every node starts from BTree node descriptor: struct hfs_bnode_desc. So, the
> size of node cannot be lesser than that. However, technical specification
> declares that: "The node size (which is expressed in bytes) must be power of
> two, from 512 through 32,768, inclusive.". So, we can add more smart check here.
Perhaps it could be adjusted as follows:
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 61050ffe425e..287cef5b5c56 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -370,6 +370,8 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
        }
 
        size = tree->node_size;
+       if (size < sb->s_blocksize || size > HFSPLUS_NODE_MXSZ)
+               goto fail_page;
        if (!is_power_of_2(size))
                goto fail_page;
        if (!tree->node_count)

> 
> And, maybe, it makes sense to check the node size value at the places of using
> it. What do you think?
> 
> But we have this check of node_size in hfs_btree_open() [1]:
> 
> 	size = tree->node_size;
> 	if (!is_power_of_2(size))
> 		goto fail_page;
> 
> If node size is 1, for example, then this check should fail to execute the
> hfs_btree_open(). How, finally, do we have node_size == 1 during the
> hfs_bnode_find()? I don't quite follow.
You overlooked that 2 to the power of 0 is 1.

Edward
BR