Forwarded: [PATCH] jfs: fix uninit-value in txLock
From: syzbot
Date: Fri Apr 17 2026 - 06:25:48 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] jfs: fix uninit-value in txLock
Author: tristmd@xxxxxxxxx
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
txInit() allocates the TxLock array with vmalloc(), which does not zero
memory. The initialization loop only sets the .next field of each tlock
entry to chain them on the freelist. All other fields, including .tid,
.flag, .type, .mp, .ip, and the .lock[] overlay area, remain
uninitialized.
When txLock() looks up a tlock via lid_to_tlock(lid), it reads
tlck->tid to determine whether the page is already locked by the
requesting transaction. If this tlock entry was never previously
allocated and freed (txLockFree only sets .tid and .next), the .tid
field contains uninitialized vmalloc data, which KMSAN flags as a
use of uninitialized memory.
Fix this by replacing vmalloc() with vzalloc() so that all tlock fields
are zero-initialized at allocation time. This ensures .tid == 0 (the
anonymous/free state) for every tlock entry from the start, consistent
with what txLockFree() sets on deallocation.
Reported-by: syzbot+d3a57c32b9112d7b01ec@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
fs/jfs/jfs_txnmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
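Review bot: the error path at `vfree(TxBlock);` shows that TxBlock is allocated just above this hunk in the same function; it is worth checking whether that array is also allocated with vmalloc() and whether any of its fields are read before being set on the same path, since the same uninit-value pattern would then apply and belongs in this patch. Zeroing the tlock array with vzalloc() is a one-time cost at txInit() proportional to nTxLock, which is acceptable here, and the chaining loop that sets `.next` still runs unchanged after the allocation. The Fixes: tag points at the initial git import commit, so a stable backport note in the cover text saying the bug predates git history would help the stable maintainers.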
--
2.43.0