From: syzbot <syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
Date: Fri, 17 Apr 2026 06:30:15 -0700
Message-ID: <69e235e7.050a0220.1de265.0023.GAE@google.com>
In-Reply-To: <69727142.050a0220.706b.0027.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
Author: tristmd@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From: Tristan Madani <tristan@talencesecurity.com>
Date: Thu, 17 Apr 2026
Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
Two bugs in txLock():
1) txInit() allocates the TxLock array with vmalloc(), which does not
zero memory. The initialization loop only sets .next, leaving .tid
uninitialized. When txLock() reads tlck->tid it hits uninitialized
vmalloc data. Fix: vmalloc -> vzalloc.
2) The anonymous tlock list walk uses assert(last) inside a for-loop.
On a corrupted filesystem image the list can be inconsistent, causing
last == 0 before finding the target lid. This triggers BUG() via
the assert macro. Fix: replace assert with graceful error + goto
grantLock.
Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_txnmgr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb0c..ec6217a2c 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
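Review bot: the one-word change is right, but nothing in the code records that callers now depend on the zero fill; the initialization loop that follows (which, per the commit message, sets only `.next`) could carry a short comment stating that `.tid == 0` and the remaining fields are guaranteed by vzalloc(), so a later switch to vmalloc() or kvmalloc() does not silently reintroduce the uninitialized read. TxBlock, released on the error path at `vfree(TxBlock);`, is allocated by the same function; it is worth confirming its allocation does not follow the same partial-initialization pattern.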
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
for (last = jfs_ip->atlhead;
lid_to_tlock(last)->next != lid;
last = lid_to_tlock(last)->next) {
- assert(last);
+ if (!last) {
+ jfs_err("txLock: lid %d not found in atl list", lid);
+ goto grantLock;
+ }
}
lid_to_tlock(last)->next = tlck->next;
if (jfs_ip->atltail == lid)
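Review bot: `goto grantLock` skips the unlink that follows the loop (`lid_to_tlock(last)->next = tlck->next;` and the atltail update), so on a corrupted image the tlock stays threaded on the anonymous list while txLock goes on to grant it; consider reporting the inconsistency as filesystem corruption (jfs_error()) and failing the lock request rather than continuing with a list known to be broken. The loop also still has only one exit besides finding `lid`: reaching lid 0. A corrupted chain that cycles without passing through `lid` or 0 never terminates, so bounding the walk (at most nTxLock hops, or a range check on `last`) would route that case to the same error path. Minor: the jfs_err() message would be easier to triage with `ip->i_ino` alongside `lid`.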
--
2.43.0
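The second bug in the patch is a list walk that can only stop by finding its target or by running into the reserved lid 0. The following C program is an added example, not the jfs code or this patch's code: it models a lid-indexed singly linked list like the anonymous tlock list (atlhead/atltail, 0 terminates, entry 0 reserved) and an unlink routine that reports a missing target as an error instead of asserting. It goes one step beyond the patch by also bounding the walk, so a chain that a corrupted image has turned into a cycle is reported rather than spun on forever. The array size, struct layout, helper names and the constructed list contents are all assumptions made for the demo.

```c
/* Added example, not the jfs code: a lid-indexed singly linked list in the
 * style of jfs's anonymous tlock list, with an unlink routine that reports
 * corruption as an error and bounds the walk against cyclic chains.
 * Sizes, names and list contents are constructed for this demo. */
#include <errno.h>
#include <string.h>

#define NTLOCK 8            /* constructed: tiny tlock array, index 0 reserved */

typedef unsigned short lid_t;

struct tlock {
	lid_t next;         /* next tlock in the list, 0 terminates */
	int tid;            /* owning transaction, 0 = anonymous */
};

struct inode_locks {
	lid_t atlhead;      /* head of the anonymous tlock list */
	lid_t atltail;      /* tail of the anonymous tlock list */
};

/*
 * Unlink lid from the anonymous list.
 * Returns 0 on success, -EINVAL for an out-of-range lid, -ENOENT if the
 * walk reaches lid 0 without meeting the target (the case the patch guards
 * against), and -EUCLEAN (the kernel's "structure needs cleaning" errno)
 * if a link is out of range or the walk takes more hops than there are
 * entries, which only a cyclic chain can cause and a bare walk never detects.
 */
int atl_unlink(struct tlock *tl, size_t n, struct inode_locks *ip, lid_t lid)
{
	lid_t last;
	size_t steps = 0;

	if (lid == 0 || lid >= n)
		return -EINVAL;

	if (ip->atlhead == lid) {               /* target is the head */
		ip->atlhead = tl[lid].next;
		if (ip->atltail == lid)
			ip->atltail = 0;
		tl[lid].next = 0;
		return 0;
	}

	for (last = ip->atlhead; last != 0; last = tl[last].next) {
		if (last >= n || ++steps > n)
			return -EUCLEAN;            /* bad link or cycle */
		if (tl[last].next == lid) {     /* found the predecessor */
			tl[last].next = tl[lid].next;
			if (ip->atltail == lid)
				ip->atltail = last;
			tl[lid].next = 0;
			return 0;
		}
	}
	return -ENOENT;                         /* reached lid 0 first */
}

/* Constructed scenario: list 3 -> 5 -> 2, everything else zeroed
 * (vzalloc-style, so every unused .tid and .next reads as 0). */
static void build_list(struct tlock *tl, struct inode_locks *ip)
{
	memset(tl, 0, sizeof(struct tlock) * NTLOCK);
	tl[3].next = 5;
	tl[5].next = 2;
	ip->atlhead = 3;
	ip->atltail = 2;
}

/* Result of unlinking lid from the healthy list. */
int unlink_healthy(lid_t lid)
{
	struct tlock tl[NTLOCK];
	struct inode_locks ip;

	build_list(tl, &ip);
	return atl_unlink(tl, NTLOCK, &ip, lid);
}

/* Head and tail after unlinking lid from the healthy list, packed as
 * head * 16 + tail so a single value can be checked. */
int ends_after_unlink(lid_t lid)
{
	struct tlock tl[NTLOCK];
	struct inode_locks ip;

	build_list(tl, &ip);
	atl_unlink(tl, NTLOCK, &ip, lid);
	return ip.atlhead * 16 + ip.atltail;
}

/* Result of unlinking lid after tlock 2's next has been corrupted to point
 * back at 3, turning the chain into 3 -> 5 -> 2 -> 3 -> ... */
int unlink_with_cycle(lid_t lid)
{
	struct tlock tl[NTLOCK];
	struct inode_locks ip;

	build_list(tl, &ip);
	tl[2].next = 3;
	return atl_unlink(tl, NTLOCK, &ip, lid);
}
```

The hop bound is the part the patch does not have: with `n` entries a consistent chain can never need more than `n` hops, so exceeding it is proof of a cycle and can be reported the same way as a dangling link, without a BUG() and without hanging the caller.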