public inbox for linux-kernel@vger.kernel.org
From: syzbot <syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] jfs: fix uninit-value in txLock
Date: Fri, 17 Apr 2026 03:11:52 -0700	[thread overview]
Message-ID: <69e20768.050a0220.1de265.000c.GAE@google.com> (raw)
In-Reply-To: <69727142.050a0220.706b.0027.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix uninit-value in txLock
Author: tristmd@gmail.com

From: Tristan Madani <tristan@talencesecurity.com>

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


txInit() allocates the TxLock array with vmalloc(), which does not zero
memory. The initialization loop only sets the .next field of each tlock
entry to chain them on the freelist. All other fields, including .tid,
.flag, .type, .mp, .ip, and the .lock[] overlay area, remain
uninitialized.

When txLock() looks up a tlock via lid_to_tlock(lid), it reads
tlck->tid to determine whether the page is already locked by the
requesting transaction. If this tlock entry was never previously
allocated and freed (txLockFree only sets .tid and .next), the .tid
field contains uninitialized vmalloc data, which KMSAN flags as a
use of uninitialized memory.

Fix this by replacing vmalloc() with vzalloc() so that all tlock fields
are zero-initialized at allocation time. This ensures .tid == 0 (the
anonymous/free state) for every tlock entry from the start, consistent
with what txLockFree() sets on deallocation.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_txnmgr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
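Review bot: switching the TxLock allocation to vzalloc() removes the KMSAN report, but the commit message says txLock() reaches an entry that was never handed out by the allocator, and a zeroed .tid only makes that lookup read as "free" rather than explaining why a never-allocated lid is being resolved at all; it would help to state in the commit message whether that path is legitimate (a fresh entry taken straight from the freelist) or whether the caller is passing a stale lid, since the latter would survive this change. The error path in the same hunk frees TxBlock, which is allocated earlier in txInit(); if that array is also allocated with vmalloc() and its init loop likewise sets only the chaining field, it deserves the same zeroing or a note on why its other fields are always written before being read.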
--
2.43.0


Thread overview: 8+ messages
2026-01-22 18:49 [syzbot] [jfs?] KMSAN: uninit-value in txLock syzbot
2026-01-23  5:12 ` Forwarded: [PATCH] jfs: fix KMSAN warning " syzbot
2026-01-23  5:31 ` syzbot
2026-01-23  5:33 ` syzbot
2026-04-17 10:11 ` syzbot [this message]
2026-04-17 13:30 ` Forwarded: [PATCH v2] jfs: fix uninit-value and assert crash " syzbot
2026-04-17 16:19 ` Forwarded: Re: [syzbot] KMSAN: uninit-value " syzbot
2026-04-17 19:11 ` Forwarded: Re: [syzbot] [jfs?] " syzbot
