public inbox for linux-kernel@vger.kernel.org
From: syzbot <syzbot+ba5f49027aace342d24d@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: Re: [syzbot] KMSAN: uninit-value in BT_STACK_DUMP
Date: Fri, 17 Apr 2026 09:20:25 -0700
Message-ID: <69e25dc9.050a0220.1de265.0028.GAE@google.com>
In-Reply-To: <68197d2b.050a0220.23d401.2859.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] KMSAN: uninit-value in BT_STACK_DUMP
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From 1f2ecf89a062d7428650e0529613f47930961464 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:15 +0000
Subject: [PATCH] jfs: fix uninit-value in BT_STACK_DUMP by limiting loop to actual depth

BT_STACK_DUMP iterates over MAXTREEHEIGHT entries, but only
entries between stack and top are initialized. Reading beyond
top accesses uninitialized stack memory, triggering KMSAN.

Fix by computing the actual depth and using it as the loop bound.

Reported-by: syzbot+ba5f49027aace342d24d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ba5f49027aace342d24d
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_btree.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_btree.h b/fs/jfs/jfs_btree.h
index ce055ef..26dd5ac 100644
--- a/fs/jfs/jfs_btree.h
+++ b/fs/jfs/jfs_btree.h
@@ -131,8 +131,10 @@ struct btstack {
 static inline void BT_STACK_DUMP(struct btstack *btstack)
 {
 	int i;
+	int depth = btstack->top - btstack->stack;
+
 	printk("btstack dump:\n");
-	for (i = 0; i < MAXTREEHEIGHT; i++)
+	for (i = 0; i < depth; i++)
 		printk(KERN_ERR "bn = %Lx, index = %d\n",
 		       (long long)btstack->stack[i].bn,
 		       btstack->stack[i].index);
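Review bot: the new loop bound `depth = btstack->top - btstack->stack` is trusted without a range check, so the old upper bound of MAXTREEHEIGHT is lost; if BT_STACK_DUMP is reached with a btstack whose `top` was never set by BT_CLR or has been corrupted (the same uninitialized-memory scenario this patch addresses), `depth` can exceed MAXTREEHEIGHT and the loop reads past the end of `stack[]` instead of merely printing garbage. Consider clamping before the loop, e.g. `if (depth < 0 || depth > MAXTREEHEIGHT) { printk(KERN_ERR "btstack corrupt: top=%p\n", btstack->top); return; }`, or at least `depth = min(depth, MAXTREEHEIGHT);`. Minor: the existing `printk("btstack dump:\n");` has no log level while the per-entry lines use KERN_ERR; since this hunk already touches the function, giving both the same level would keep the dump together in the log.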
-- 
2.47.3
