Forwarded: Re: [syzbot] KMSAN: uninit-value in txLock

From: syzbot

Date: Fri Apr 17 2026 - 12:21:59 EST


For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: Re: [syzbot] KMSAN: uninit-value in txLock
Author: tristmd@xxxxxxxxx

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From 8cb6363dbe6d297ef3b9051425b83f630d9b93e9 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 17 Apr 2026 16:15:13 +0000
Subject: [PATCH] jfs: fix uninit-value in txLock by zero-initializing TxLock
 array

txInit() allocates the TxLock array via vmalloc(), which does not
zero memory. The init loop only sets .next for freelist chaining,
leaving all other fields (including .tid) uninitialized. When
txLock() reads tlck->tid for a tlock that was never previously
allocated and freed, KMSAN reports uninit-value.

Additionally, the assert(last) in the anonymous tlock list walk
can trigger a BUG_ON when a corrupted filesystem image produces
an inconsistent tlock list. Replace with a graceful error path.

Fix both issues:

1. Replace vmalloc() with vzalloc() so all tlock fields start zeroed
2. Replace assert(last) with a graceful error recovery

Reported-by: syzbot+d3a57c32b9112d7b01ec@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
 fs/jfs/jfs_txnmgr.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb..ec6217a 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
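Review bot: vzalloc() only covers the initial state of each tlock; the changelog argues about tlocks "never previously allocated and freed", so it should also state what clears .tid when a tlock is returned to the freelist, since that is the other path by which txLock() could read a stale value. The failure path here also frees TxBlock, which suggests a sibling array allocated the same way; it is worth checking whether that one needs the same vzalloc() treatment in this patch.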
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
for (last = jfs_ip->atlhead;
lid_to_tlock(last)->next != lid;
last = lid_to_tlock(last)->next) {
- assert(last);
+ if (!last) {
+ jfs_err("txLock: lid %d not found in atl list", lid);
+ goto grantLock;
+ }
}
lid_to_tlock(last)->next = tlck->next;
if (jfs_ip->atltail == lid)
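Review bot: the `goto grantLock` taken when `last` is 0 skips everything between the loop and the label, including the unlink visible here (`lid_to_tlock(last)->next = tlck->next;` and the atltail update), so the tlock is granted to the caller while still linked on the anonymous tlock list, which trades the BUG_ON for a list in an inconsistent state that later walks will hit again. For a corrupted image the safer reaction is to make txLock() fail (or mark the filesystem in error) rather than log and continue; at minimum the commit message should explain why continuing is safe. Also note that the loop condition dereferences `lid_to_tlock(last)` before the body checks `!last`, so the walk reads TxLock[0].next before noticing the problem; that only works because id 0 is reserved and, after the first hunk, zero-initialized, and a short comment saying so would help the next reader.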
--
2.47.3