Date: Fri, 17 Apr 2026 09:19:38 -0700
In-Reply-To: <69727142.050a0220.706b.0027.GAE@google.com>
Message-ID: <69e25d9a.a00a0220.1bd0ca.0006.GAE@google.com>
Subject: Forwarded: Re: [syzbot] KMSAN: uninit-value in txLock
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] KMSAN: uninit-value in txLock
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From 8cb6363dbe6d297ef3b9051425b83f630d9b93e9 Mon Sep 17 00:00:00 2001
From: Tristan Madani Date: Fri, 17 Apr 2026 16:15:13 +0000 Subject: [PATCH] jfs: fix uninit-value in txLock by zero-initializing TxLock array txInit() allocates the TxLock array via vmalloc(), which does not zero memory. The init loop only sets .next for freelist chaining, leaving all other fields (including .tid) uninitialized. When txLock() reads tlck->tid for a tlock that was never previously allocated and freed, KMSAN reports uninit-value. Additionally, the assert(last) in the anonymous tlock list walk can trigger a BUG_ON when a corrupted filesystem image produces an inconsistent tlock list. Replace with a graceful error path. Fix both issues: 1. Replace vmalloc() with vzalloc() so all tlock fields start zeroed 2. Replace assert(last) with a graceful error recovery Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec Signed-off-by: Tristan Madani --- fs/jfs/jfs_txnmgr.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c index 083dbbb..ec6217a 100644 --- a/fs/jfs/jfs_txnmgr.c +++ b/fs/jfs/jfs_txnmgr.c @@ -295,7 +295,7 @@ int txInit(void) * tlock id = 0 is reserved. */ size = sizeof(struct tlock) * nTxLock; - TxLock = vmalloc(size); + TxLock = vzalloc(size); if (TxLock == NULL) { vfree(TxBlock); return -ENOMEM; @@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp, for (last = jfs_ip->atlhead; lid_to_tlock(last)->next != lid; last = lid_to_tlock(last)->next) { - assert(last); + if (!last) { + jfs_err("txLock: lid %d not found in atl list", lid); + goto grantLock; + } } lid_to_tlock(last)->next = tlck->next; if (jfs_ip->atltail == lid) -- 2.47.3
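Review bot: the error path in the txInit() hunk frees TxBlock, so TxBlock is allocated just above with the same vmalloc() pattern, yet the commit message only covers TxLock; please confirm whether TxBlock's entries are fully initialised by their own init loop or need vzalloc() as well. The commit message should also say what txLock() does with a tid of 0 on a never-allocated tlock (the comment in this hunk says tlock id 0 is reserved), so reviewers can check that zeroing gives the right behaviour rather than only silencing the KMSAN report.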
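Review bot: in the txLock() hunk the new `if (!last)` sits in the loop body, so the loop condition has already evaluated `lid_to_tlock(last)->next` with last == 0 (the reserved tlock id) before the check fires, exactly as the replaced assert(last) did; moving the test into the condition, e.g. `last && lid_to_tlock(last)->next != lid`, and handling `!last` after the loop avoids touching the reserved entry. More importantly, `goto grantLock` skips the unlink that follows the loop (`lid_to_tlock(last)->next = tlck->next;` and the atltail update), so on a corrupted image the lock is granted while the tlock is still linked into the anonymous list; failing the request and marking the filesystem (for example via jfs_error()) would be the safer recovery the commit message describes.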