[PATCH AUTOSEL 6.19-6.18] fs: init flags_valid before calling vfs_fileattr_get

[Sasha Levin]

From: Edward Adam Davis <eadavis@xxxxxx>

[ Upstream commit cb184dd19154fc486fa3d9e02afe70a97e54e055 ]

syzbot reported a uninit-value bug in [1].

Similar to the "*get" context where the kernel's internal file_kattr
structure is initialized before calling vfs_fileattr_get(), we should
use the same mechanism when using fa.

[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 vfs_fileattr_get fs/file_attr.c:94 [inline]
 __do_sys_file_getattr fs/file_attr.c:416 [inline]

Local variable fa.i created at:
 __do_sys_file_getattr fs/file_attr.c:380 [inline]
 __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372

Reported-by: syzbot+7c31755f2cea07838b0c@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=7c31755f2cea07838b0c
Tested-by: syzbot+7c31755f2cea07838b0c@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
Link: https://patch.msgid.link/tencent_B6C4583771D76766D71362A368696EC3B605@xxxxxx
Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---

LLM Generated explanations, may be completely bogus:

This confirms the bug: `fuse_fileattr_get()` reads `fa->flags_valid`
(line 517), but in the `file_getattr` syscall, `fa` was declared
uninitialized. The `flags_valid` field could contain any stack garbage,
leading to the KMSAN report. The fix initializes it to `{ .flags_valid =
true }`, matching the pattern used by `ioctl_getflags()` at line 313.

## Analysis

**What the commit fixes:** An uninitialized memory read (KMSAN uninit-
value) in the `file_getattr` syscall path. The `struct file_kattr fa`
variable is declared on the stack without initialization, then passed to
`vfs_fileattr_get()` which calls filesystem-specific `fileattr_get()`
implementations. The FUSE implementation (`fuse_fileattr_get`) reads
`fa->flags_valid` before writing to it, triggering use of uninitialized
memory.

**Bug severity:** This is a real bug reportable by KMSAN. The
uninitialized `flags_valid` field determines which code path is taken in
`fuse_fileattr_get()` (line 517). If `flags_valid` happens to be false
(zero), the fuse driver takes the wrong code path (xattr-based instead
of ioctl-based), potentially returning incorrect or garbage data to
userspace.

**Fix quality:** The fix is a one-line change - initializing the struct
with `{ .flags_valid = true }`. This exactly matches the existing
pattern at line 313 (`ioctl_getflags`), making it obviously correct. The
`/* hint only */` comment also matches.

**Scope:** Only the 6.19 stable tree is affected. The `file_getattr`
syscall was introduced in commit `be7efb2d20d67` which first appeared in
v6.17-rc1. The code was moved to `fs/file_attr.c` as part of that
series. Older stable trees (6.12.y, 6.6.y, 5.15.y, etc.) don't have this
syscall and are unaffected.

**Risk:** Extremely low. The change only adds initialization of a single
struct field, matching an existing pattern in the same file.

**Stable criteria check:**
- Obviously correct: Yes, matches existing pattern
- Fixes a real bug: Yes, KMSAN-detected uninit read, syzbot-reported
- Small and contained: Yes, one-line change
- No new features: Correct
- Tested: Yes, syzbot Tested-by tag

## Verification

- Read `fs/file_attr.c:380` - confirmed `struct file_kattr fa;` is
  uninitialized in `file_getattr` syscall
- Read `fs/file_attr.c:313` - confirmed `ioctl_getflags` uses `{
  .flags_valid = true }` (the pattern the fix replicates)
- Read `fs/file_attr.c:82-94` - confirmed `vfs_fileattr_get()` passes
  `fa` directly to filesystem's `fileattr_get` callback without
  initializing it
- Read `fs/fuse/ioctl.c:517` - confirmed `fuse_fileattr_get` reads
  `fa->flags_valid` before writing, triggering the KMSAN report
- `git tag --contains be7efb2d20d67` showed the syscall was introduced
  in v6.17-rc1 (not v6.19-rc1 as might be assumed)
- `git show v6.19.6:fs/file_attr.c` confirmed the fix is NOT yet in
  6.19.6 stable
- `git log v6.12.75 -- fs/file_attr.c` returned empty, confirming older
  stable trees don't have this file/code

**YES**

 fs/file_attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/file_attr.c b/fs/file_attr.c
index 13cdb31a3e947..4889cf59b2562 100644
--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -377,7 +377,7 @@ SYSCALL_DEFINE5(file_getattr, int, dfd, const char __user *, filename,
 	struct filename *name __free(putname) = NULL;
 	unsigned int lookup_flags = 0;
 	struct file_attr fattr;
-	struct file_kattr fa;
+	struct file_kattr fa = { .flags_valid = true }; /* hint only */
 	int error;
 
 	BUILD_BUG_ON(sizeof(struct file_attr) < FILE_ATTR_SIZE_VER0);
-- 
2.51.0