[syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find
3 views
Skip to first unread message
syzbot
Apr 14, 2026, 7:20:51 PM (17 hours ago) Apr 14
to fran...@vivo.com, glau...@physik.fu-berlin.de, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sl...@dubeyko.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d60bc1401583 Merge tag 'pwrseq-updates-for-v7.1-rc1' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16cbe8ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b03ae1ea24aea48
dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fe84ce580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d5feba580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0751271be83e/disk-d60bc140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f53e11b04b29/vmlinux-d60bc140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4c57f9a8e1f1/bzImage-d60bc140.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/438dc293e7d9/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
hfsplus: requested invalid offset: NODE: id 0, type 0x1, height 0, node_size 1, offset 4294967295
=====================================================
BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
path_mount+0x7a2/0x20b0 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable data.i created at:
hfsplus_bnode_read_u16 fs/hfsplus/bnode.c:58 [inline]
hfsplus_bnode_find+0xd6f/0x1600 fs/hfsplus/bnode.c:583
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
CPU: 0 UID: 0 PID: 6044 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: d60bc1401583 Merge tag 'pwrseq-updates-for-v7.1-rc1' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16cbe8ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b03ae1ea24aea48
dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fe84ce580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d5feba580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0751271be83e/disk-d60bc140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f53e11b04b29/vmlinux-d60bc140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4c57f9a8e1f1/bzImage-d60bc140.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/438dc293e7d9/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
hfsplus: requested invalid offset: NODE: id 0, type 0x1, height 0, node_size 1, offset 4294967295
=====================================================
BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
path_mount+0x7a2/0x20b0 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable data.i created at:
hfsplus_bnode_read_u16 fs/hfsplus/bnode.c:58 [inline]
hfsplus_bnode_find+0xd6f/0x1600 fs/hfsplus/bnode.c:583
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
CPU: 0 UID: 0 PID: 6044 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Edward Adam Davis
Apr 14, 2026, 8:52:35 PM (16 hours ago) Apr 14
to syzbot+217eb3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 250a226336ea..56a046ba4d54 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -576,7 +576,10 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
goto node_error;
}
- rec_off = tree->node_size - 2;
+ if (tree->node_size < 2)
+ goto node_error;
+ else
+ rec_off = tree->node_size - 2;
off = hfs_bnode_read_u16(node, rec_off);
if (off != sizeof(struct hfs_bnode_desc))
goto node_error;
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 250a226336ea..56a046ba4d54 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -576,7 +576,10 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
goto node_error;
}
- rec_off = tree->node_size - 2;
+ if (tree->node_size < 2)
+ goto node_error;
+ else
+ rec_off = tree->node_size - 2;
off = hfs_bnode_read_u16(node, rec_off);
if (off != sizeof(struct hfs_bnode_desc))
goto node_error;
syzbot
12:10 AM (13 hours ago) 12:10 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
irqentry_exit+0x77/0x710 kernel/entry/common.c:164
sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
smap_save mm/kmsan/instrumentation.c:93 [inline]
get_shadow_origin_ptr mm/kmsan/instrumentation.c:35 [inline]
__msan_metadata_ptr_for_load_4+0x11/0x40 mm/kmsan/instrumentation.c:93
do_csum lib/checksum.c:64 [inline]
ip_fast_csum+0x1e6/0x3f0 lib/checksum.c:99
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:842 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x8c0/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3288 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4545 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_node_track_caller_noprof+0x4f6/0x1750 mm/slub.c:5368
kmalloc_reserve net/core/skbuff.c:635 [inline]
__alloc_skb+0x90d/0x1190 net/core/skbuff.c:713
alloc_skb include/linux/skbuff.h:1383 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x3f2/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3288 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
CPU: 0 UID: 0 PID: 134 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
=====================================================
Tested on:
commit: 91a4855d Merge tag 'net-next-7.1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f418ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9f67daa5723e634c
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt
=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
irqentry_exit+0x77/0x710 kernel/entry/common.c:164
sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
smap_save mm/kmsan/instrumentation.c:93 [inline]
get_shadow_origin_ptr mm/kmsan/instrumentation.c:35 [inline]
__msan_metadata_ptr_for_load_4+0x11/0x40 mm/kmsan/instrumentation.c:93
do_csum lib/checksum.c:64 [inline]
ip_fast_csum+0x1e6/0x3f0 lib/checksum.c:99
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:842 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x8c0/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3288 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4545 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_node_track_caller_noprof+0x4f6/0x1750 mm/slub.c:5368
kmalloc_reserve net/core/skbuff.c:635 [inline]
__alloc_skb+0x90d/0x1190 net/core/skbuff.c:713
alloc_skb include/linux/skbuff.h:1383 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x3f2/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3288 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
CPU: 0 UID: 0 PID: 134 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events_unbound nsim_dev_trap_report_work
=====================================================
Tested on:
commit: 91a4855d Merge tag 'net-next-7.1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f418ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9f67daa5723e634c
dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=170efb02580000
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Edward Adam Davis
4:29 AM (8 hours ago) 4:29 AM
to syzbot+217eb3...@syzkaller.appspotmail.com, fran...@vivo.com, glau...@physik.fu-berlin.de, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sl...@dubeyko.com, syzkall...@googlegroups.com
Syzbot reported a uninit-value bug in [1], during the file system mounting
process, specifically while loading the catalog, a corrupted node_size
value of 1 caused the rec_off argument passed to hfs_bnode_read_u16()
(within hfs_bnode_find()) to be excessively large. Consequently, the
function failed to return a valid value to initialize the off variable,
triggering the bug [1].
To prevent similar issues, a check for the catalog btree node size has
been added within the hfsplus_btree_open() function.
[1]
Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/hfsplus/btree.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 761c74ccd653..61050ffe425e 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -337,6 +337,11 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
pr_err("invalid catalog btree flag\n");
goto fail_page;
+ tree->node_size);
+ goto fail_page;
+ }
if (test_bit(HFSPLUS_SB_HFSX, &HFSPLUS_SB(sb)->flags) &&
(head->key_type == HFSPLUS_KEY_BINARY))
--
2.43.0
process, specifically while loading the catalog, a corrupted node_size
value of 1 caused the rec_off argument passed to hfs_bnode_read_u16()
(within hfs_bnode_find()) to be excessively large. Consequently, the
function failed to return a valid value to initialize the off variable,
triggering the bug [1].
To prevent similar issues, a check for the catalog btree node size has
been added within the hfsplus_btree_open() function.
[1]
BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/hfsplus/btree.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 761c74ccd653..61050ffe425e 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -337,6 +337,11 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
pr_err("invalid catalog btree flag\n");
goto fail_page;
}
+ if (tree->node_size < 2) {
+ pr_err("invalid catalog btree node size %u\n",
+ if (tree->node_size < 2) {
+ tree->node_size);
+ goto fail_page;
+ }
if (test_bit(HFSPLUS_SB_HFSX, &HFSPLUS_SB(sb)->flags) &&
(head->key_type == HFSPLUS_KEY_BINARY))
--
2.43.0
Reply all
Reply to author
Forward
0 new messages