From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-oo1-f72.google.com (mail-oo1-f72.google.com [209.85.161.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5769B35F607 for <linux-kernel@vger.kernel.org>; Fri, 17 Apr 2026 10:11:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com
Received: by mail-oo1-f72.google.com with SMTP id 006d021491bc7-688b73cc616so249671eaf.0; Fri, 17 Apr 2026 03:11:53 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Fri, 17 Apr 2026 03:11:52 -0700
In-Reply-To: <69727142.050a0220.706b.0027.GAE@google.com>
Message-ID: <69e20768.050a0220.1de265.000c.GAE@google.com>
Subject: Forwarded: [PATCH] jfs: fix uninit-value in txLock
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix uninit-value in txLock
Author: tristmd@gmail.com
From: Tristan Madani

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

txInit() allocates the TxLock array with vmalloc(), which does not zero memory. The initialization loop only sets the .next field of each tlock entry to chain them on the freelist. All other fields, including .tid, .flag, .type, .mp, .ip, and the .lock[] overlay area, remain uninitialized.

When txLock() looks up a tlock via lid_to_tlock(lid), it reads tlck->tid to determine whether the page is already locked by the requesting transaction. If this tlock entry was never previously allocated and freed (txLockFree only sets .tid and .next), the .tid field contains uninitialized vmalloc data, which KMSAN flags as a use of uninitialized memory.

Fix this by replacing vmalloc() with vzalloc() so that all tlock fields are zero-initialized at allocation time. This ensures .tid == 0 (the anonymous/free state) for every tlock entry from the start, consistent with what txLockFree() sets on deallocation.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani
---
 fs/jfs/jfs_txnmgr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
-- 
2.43.0
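Review bot: the error path in this hunk calls vfree(TxBlock), so txInit() holds a second table allocated before this hunk, and the commit message only discusses TxLock; please state whether that tblock table is fully initialized by its own setup loop or needs the same vzalloc() change, so the fix is not left partial. Note also that this is a #syz test request against master rather than a tested patch, so the syzbot result should be cited when the patch is posted for review, particularly with Cc: stable attached.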
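A user-space model of the bug the commit message describes, added here as an illustration and not part of the patch or of fs/jfs: the freelist setup chains entries only through .next, so a never-used slot's .tid carries whatever the allocator left behind, and the "already locked by this transaction" test in the lookup path reads that stale value. The names tlock_model, table_init and is_locked_by are hypothetical; malloc() plus a poison fill stands in for vmalloc()'s stale contents, and calloc() stands in for vzalloc().

```c
/* Added example (not from the patch): model of the JFS TxLock table
 * freelist initialization, with and without zeroed allocation. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NTXLOCK 8
#define POISON  0xA5   /* deterministic stand-in for stale vmalloc() memory */

struct tlock_model {   /* hypothetical subset of struct tlock */
    uint16_t next;     /* freelist link, the only field txInit() writes */
    uint16_t tid;      /* owning transaction id; 0 means free/anonymous */
    uint16_t flag;
};

/* Mirrors the txInit() setup loop: lid 0 is reserved, entries 1..N-1 are
 * chained on the freelist.  zeroed == 0 models vmalloc(), zeroed == 1
 * models vzalloc(). */
static struct tlock_model *table_init(int zeroed)
{
    struct tlock_model *t;
    size_t size = NTXLOCK * sizeof(*t);

    if (zeroed) {
        t = calloc(NTXLOCK, sizeof(*t));   /* every field starts at 0 */
    } else {
        t = malloc(size);
        if (t)
            memset(t, POISON, size);       /* simulate uninitialized contents */
    }
    if (!t)
        return NULL;

    for (int k = 1; k < NTXLOCK - 1; k++)
        t[k].next = (uint16_t)(k + 1);
    t[NTXLOCK - 1].next = 0;
    return t;
}

/* Mirrors the txLock() check: does transaction tid already hold this lid?
 * On the unzeroed table a never-allocated slot answers from stale data. */
static int is_locked_by(const struct tlock_model *t, int lid, uint16_t tid)
{
    return t[lid].tid == tid;
}
```

With the poison fill, the unzeroed table reports lid 3 as held by transaction 0xA5A5 even though it was never handed out; the zeroed table reports .tid == 0, the free state that txLockFree() also writes.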