[PATCH] jfs: fix uninit-value read in BT_STACK_DUMP

Next message: Tristan Madani: "[PATCH] hfsplus: fix uninit-value in hfsplus_rename_cat"
Previous message: Tristan Madani: "[PATCH] jfs: validate l2nbperpage in diMount to prevent shift-out-of-bounds"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Sat Apr 18 2026 - 09:11:03 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

BT_STACK_DUMP() iterates over MAXTREEHEIGHT entries in the btstack
regardless of how many entries were actually pushed. This reads
uninitialized stack entries beyond the current depth.

Fix by computing the actual depth from btstack->top and limiting the
loop to only initialized entries.

Reported-by: syzbot+ba5f49027aace342d24d@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
fs/jfs/jfs_btree.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_btree.h b/fs/jfs/jfs_btree.h
index ce055ef50cd35..26dd5acddcfeb 100644
--- a/fs/jfs/jfs_btree.h
+++ b/fs/jfs/jfs_btree.h
@@ -131,8 +131,10 @@ struct btstack {
static inline void BT_STACK_DUMP(struct btstack *btstack)
{
int i;
+ int depth = btstack->top - btstack->stack;
+
printk("btstack dump:\n");
- for (i = 0; i < MAXTREEHEIGHT; i++)
+ for (i = 0; i < depth; i++)
printk(KERN_ERR "bn = %Lx, index = %d\n",
(long long)btstack->stack[i].bn,
btstack->stack[i].index);
--
2.47.3