Forwarded: Re: [syzbot] KMSAN: uninit-value in BT_STACK_DUMP

From: syzbot

Date: Fri Apr 17 2026 - 12:25:43 EST


For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: Re: [syzbot] KMSAN: uninit-value in BT_STACK_DUMP
Author: tristmd@xxxxxxxxx

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From 1f2ecf89a062d7428650e0529613f47930961464 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 17 Apr 2026 16:15:15 +0000
Subject: [PATCH] jfs: fix uninit-value in BT_STACK_DUMP by limiting loop to actual depth

BT_STACK_DUMP iterates over MAXTREEHEIGHT entries, but only
entries between stack and top are initialized. Reading beyond
top accesses uninitialized stack memory, triggering KMSAN.

Fix by computing the actual depth and using it as the loop bound.

Reported-by: syzbot+ba5f49027aace342d24d@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=ba5f49027aace342d24d
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
 fs/jfs/jfs_btree.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_btree.h b/fs/jfs/jfs_btree.h
index ce055ef..26dd5ac 100644
--- a/fs/jfs/jfs_btree.h
+++ b/fs/jfs/jfs_btree.h
@@ -131,8 +131,10 @@ struct btstack {
static inline void BT_STACK_DUMP(struct btstack *btstack)
{
int i;
+ int depth = btstack->top - btstack->stack;
+
printk("btstack dump:\n");
- for (i = 0; i < MAXTREEHEIGHT; i++)
+ for (i = 0; i < depth; i++)
printk(KERN_ERR "bn = %Lx, index = %d\n",
(long long)btstack->stack[i].bn,
btstack->stack[i].index);
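Review bot: `int depth = btstack->top - btstack->stack;` trusts `top` unconditionally, but BT_STACK_DUMP is a diagnostic that is most likely to run when the btstack is already suspect; a stale or corrupted `top` would make the new loop read past `stack[]` exactly as the old `MAXTREEHEIGHT` bound read past `top`. Consider clamping before the loop, e.g. `depth = clamp(depth, 0, MAXTREEHEIGHT);` (from linux/minmax.h), so the dump can never fault on its own. The pointer difference is also a `ptrdiff_t`; storing it in `int` is harmless because the valid range is bounded by MAXTREEHEIGHT, and the clamp makes that bound explicit.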
--
2.47.3
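A user-space model of the btstack walk the patch fixes, added here as an illustration and not taken from JFS or from the patch author: it shows why `top - stack` counts exactly the initialised frames (top always points at the next free slot, as set by the clear and push helpers), and adds the defensive clamp a dump routine would want. The frame layout, the `MAXTREEHEIGHT` value of 8, and the helper names `bt_clr`, `bt_push`, `bt_depth`, `bt_stack_dump` and `frames_dumped_after_pushes` are assumptions of this model.

```c
/* Added example: simplified model of a JFS-style btstack, not JFS code.
 * Frame layout, MAXTREEHEIGHT and the helper names are assumptions. */
#include <stdio.h>
#include <stddef.h>

#define MAXTREEHEIGHT 8   /* assumed value for the model */

struct btframe {
	long long bn;
	int index;
};

struct btstack {
	struct btframe *top;                 /* next free slot */
	struct btframe stack[MAXTREEHEIGHT];
};

/* Empty stack: top == stack, nothing initialised yet. */
static void bt_clr(struct btstack *bts)
{
	bts->top = bts->stack;
}

/* Store a frame at top and advance; refuse when full. */
static int bt_push(struct btstack *bts, long long bn, int index)
{
	if (bts->top == &bts->stack[MAXTREEHEIGHT])
		return -1;
	bts->top->bn = bn;
	bts->top->index = index;
	++bts->top;
	return 0;
}

/* Number of initialised frames, clamped so a stale or corrupted top
 * cannot send the dump outside the array. */
static int bt_depth(const struct btstack *bts)
{
	ptrdiff_t d = bts->top - bts->stack;

	if (d < 0)
		return 0;
	if (d > MAXTREEHEIGHT)
		return MAXTREEHEIGHT;
	return (int)d;
}

/* Mirrors the patched BT_STACK_DUMP loop: only frames below top are
 * read, so no uninitialised memory is touched. Returns frames printed. */
static int bt_stack_dump(const struct btstack *bts)
{
	int depth = bt_depth(bts);
	int i;

	printf("btstack dump:\n");
	for (i = 0; i < depth; i++)
		printf("bn = %llx, index = %d\n",
		       bts->stack[i].bn, bts->stack[i].index);
	return depth;
}

/* Build a stack with n pushes (extra pushes beyond capacity are
 * rejected) and report how many frames the dump visits. */
static int frames_dumped_after_pushes(int n)
{
	struct btstack bts;
	int i;

	bt_clr(&bts);
	for (i = 0; i < n; i++)
		bt_push(&bts, 0x1000 + i, i);
	return bt_stack_dump(&bts);
}

int main(void)
{
	frames_dumped_after_pushes(3);
	return 0;
}
```

With three pushes the dump prints three frames and stops; an empty stack prints none, and pushing past capacity still yields at most MAXTREEHEIGHT frames, so the walk never depends on whatever the unused slots happen to contain.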