[syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: d60bc1401583 Merge tag 'pwrseq-updates-for-v7.1-rc1' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16cbe8ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b03ae1ea24aea48
dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fe84ce580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d5feba580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0751271be83e/disk-d60bc140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f53e11b04b29/vmlinux-d60bc140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4c57f9a8e1f1/bzImage-d60bc140.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/438dc293e7d9/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 1024
hfsplus: requested invalid offset: NODE: id 0, type 0x1, height 0, node_size 1, offset 4294967295
=====================================================
BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
path_mount+0x7a2/0x20b0 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable data.i created at:
hfsplus_bnode_read_u16 fs/hfsplus/bnode.c:58 [inline]
hfsplus_bnode_find+0xd6f/0x1600 fs/hfsplus/bnode.c:583
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382

CPU: 0 UID: 0 PID: 6044 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[Edward Adam Davis]

#syz test

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 250a226336ea..56a046ba4d54 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -576,7 +576,10 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
goto node_error;
}

- rec_off = tree->node_size - 2;
+ if (tree->node_size < 2)
+ goto node_error;
+ else
+ rec_off = tree->node_size - 2;
off = hfs_bnode_read_u16(node, rec_off);
if (off != sizeof(struct hfs_bnode_desc))
goto node_error;

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode_preempt+0xe3/0x120 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
irqentry_exit+0x77/0x710 kernel/entry/common.c:164
sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
smap_save mm/kmsan/instrumentation.c:93 [inline]
get_shadow_origin_ptr mm/kmsan/instrumentation.c:35 [inline]
__msan_metadata_ptr_for_load_4+0x11/0x40 mm/kmsan/instrumentation.c:93
do_csum lib/checksum.c:64 [inline]
ip_fast_csum+0x1e6/0x3f0 lib/checksum.c:99
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:842 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x8c0/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3288 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
slab_post_alloc_hook mm/slub.c:4545 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_node_track_caller_noprof+0x4f6/0x1750 mm/slub.c:5368
kmalloc_reserve net/core/skbuff.c:635 [inline]
__alloc_skb+0x90d/0x1190 net/core/skbuff.c:713
alloc_skb include/linux/skbuff.h:1383 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x3f2/0x1430 drivers/net/netdevsim/dev.c:922
process_one_work kernel/workqueue.c:3288 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3371
worker_thread+0xee4/0x1590 kernel/workqueue.c:3452
kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

CPU: 0 UID: 0 PID: 134 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026

Workqueue: events_unbound nsim_dev_trap_report_work
=====================================================


Tested on:

commit: 91a4855d Merge tag 'net-next-7.1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f418ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9f67daa5723e634c

dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=170efb02580000

[Edward Adam Davis]

Syzbot reported a uninit-value bug in [1], during the file system mounting
process, specifically while loading the catalog, a corrupted node_size
value of 1 caused the rec_off argument passed to hfs_bnode_read_u16()
(within hfs_bnode_find()) to be excessively large. Consequently, the
function failed to return a valid value to initialize the off variable,
triggering the bug [1].

To prevent similar issues, a check for the catalog btree node size has
been added within the hfsplus_btree_open() function.

[1]

BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]

Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/hfsplus/btree.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 761c74ccd653..61050ffe425e 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -337,6 +337,11 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
pr_err("invalid catalog btree flag\n");
goto fail_page;

}
+ if (tree->node_size < 2) {

+ pr_err("invalid catalog btree node size %u\n",
+ tree->node_size);
+ goto fail_page;
+ }

if (test_bit(HFSPLUS_SB_HFSX, &HFSPLUS_SB(sb)->flags) &&
(head->key_type == HFSPLUS_KEY_BINARY))
--
2.43.0

[Edward Adam Davis]

> Every node starts from BTree node descriptor: struct hfs_bnode_desc. So, the
> size of node cannot be lesser than that. However, technical specification
> declares that: "The node size (which is expressed in bytes) must be power of
> two, from 512 through 32,768, inclusive.". So, we can add more smart check here.
Perhaps it could be adjusted as follows:
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 61050ffe425e..287cef5b5c56 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -370,6 +370,8 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
}

size = tree->node_size;
+ if (size < sb->s_blocksize || size > HFSPLUS_NODE_MXSZ)
+ goto fail_page;
if (!is_power_of_2(size))
goto fail_page;
if (!tree->node_count)

>
> And, maybe, it makes sense to check the node size value at the places of using
> it. What do you think?
>
> But we have this check of node_size in hfs_btree_open() [1]:
>
> size = tree->node_size;
> if (!is_power_of_2(size))
> goto fail_page;
>
> If node size is 1, for example, then this check should fail to execute the
> hfs_btree_open(). How, finally, do we have node_size == 1 during the
> hfs_bnode_find()? I don't quite follow.
You overlooked that 2 to the power of 0 is 1.

Edward
BR

[Viacheslav Dubeyko]

Every node starts from BTree node descriptor: struct hfs_bnode_desc. So, the
size of node cannot be lesser than that. However, technical specification
declares that: "The node size (which is expressed in bytes) must be power of
two, from 512 through 32,768, inclusive.". So, we can add more smart check here.

And, maybe, it makes sense to check the node size value at the places of using
it. What do you think?

But we have this check of node_size in hfs_btree_open() [1]:

size = tree->node_size;
if (!is_power_of_2(size))
goto fail_page;

If node size is 1, for example, then this check should fail to execute the
hfs_btree_open(). How, finally, do we have node_size == 1 during the
hfs_bnode_find()? I don't quite follow.

Thanks,
Slava.

> + pr_err("invalid catalog btree node size %u\n",
> + tree->node_size);
> + goto fail_page;
> + }
>
> if (test_bit(HFSPLUS_SB_HFSX, &HFSPLUS_SB(sb)->flags) &&
> (head->key_type == HFSPLUS_KEY_BINARY))

[1] https://elixir.bootlin.com/linux/v7.0/source/fs/hfsplus/btree.c#L232

[Edward Adam Davis]

Syzbot reported an uninit-value bug in [1] with a corrupted HFS+ image,

during the file system mounting process, specifically while loading the
catalog, a corrupted node_size value of 1 caused the rec_off argument
passed to hfs_bnode_read_u16() (within hfs_bnode_find()) to be excessively
large. Consequently, the function failed to return a valid value to
initialize the off variable, triggering the bug [1].

Every node starts from BTree node descriptor: struct hfs_bnode_desc.
So, the size of node cannot be lesser than that. However, technical
specification declares that: "The node size (which is expressed in bytes)

must be power of two, from 512 through 32,768, inclusive." Add a check
for btree node size base on technical specification.

[1]
BUG: KMSAN: uninit-value in hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_bnode_find+0x141c/0x1600 fs/hfsplus/bnode.c:584
hfsplus_btree_open+0x169a/0x1e40 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x111f/0x2770 fs/hfsplus/super.c:553
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:709
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]

Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---

v1 -> v2: change check base on technical specification

fs/hfsplus/btree.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 761c74ccd653..857705c3fe0d 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -365,6 +365,8 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)

}

size = tree->node_size;
+ if (size < sb->s_blocksize || size > HFSPLUS_NODE_MXSZ)
+ goto fail_page;
if (!is_power_of_2(size))
goto fail_page;
if (!tree->node_count)

--
2.43.0

[Viacheslav Dubeyko]

Technically speaking, you are right that b-tree node size should be aligned on
logical block size. However, I am not sure that mkfs.hfsplus restricts the
creation of volume with b-tree's node size smaller than logical block size but
still in the required range of sizes.

Maybe, we need to declare the constant of HFSPLUS_NODE_MINSZ (512) and to check
this constant instead of logical block size. What do you think?

Thanks,
Slava.

[Edward Adam Davis]

Hmm, that's much safer.

Edward
BR

[Edward Adam Davis]

v2 -> v3: using const min size

fs/hfsplus/btree.c | 2 ++
include/linux/hfs_common.h | 1 +
2 files changed, 3 insertions(+)

diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 761c74ccd653..394542a47e60 100644

--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -365,6 +365,8 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
}

size = tree->node_size;

+ if (size < HFSPLUS_NODE_MINSZ || size > HFSPLUS_NODE_MXSZ)

+ goto fail_page;
if (!is_power_of_2(size))
goto fail_page;
if (!tree->node_count)

diff --git a/include/linux/hfs_common.h b/include/linux/hfs_common.h
index 07dfc39630ab..45fb4c9ff9f5 100644
--- a/include/linux/hfs_common.h
+++ b/include/linux/hfs_common.h
@@ -513,6 +513,7 @@ struct hfs_btree_header_rec {
/* HFS+ BTree misc info */
#define HFSPLUS_TREE_HEAD 0
#define HFSPLUS_NODE_MXSZ 32768
+#define HFSPLUS_NODE_MINSZ 512
#define HFSPLUS_ATTR_TREE_NODE_SIZE 8192
#define HFSPLUS_BTREE_HDR_NODE_RECS_COUNT 3
#define HFSPLUS_BTREE_HDR_MAP_REC_INDEX 2 /* Map (bitmap) record in Header node */
--
2.43.0

[Viacheslav Dubeyko]

Looks good. Thanks a lot for the fix.

Reviewed-by: Viacheslav Dubeyko <sl...@dubeyko.com>

Thanks,
Slava.

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] hfsplus: initialize data in hfs_bnode_read_u16 and
Author: tri...@gmail.com

From: Tristan Madani <tri...@talencesecurity.com>

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

hfs_bnode_read_u8

hfs_bnode_read_u16() and hfs_bnode_read_u8() declare a local variable
on the stack and pass it to hfs_bnode_read() to be filled. However,
when the requested offset is invalid (e.g. from a corrupted filesystem
image), hfs_bnode_read() returns early via the is_bnode_offset_valid()
check without writing to the buffer, leaving the local variable
uninitialized.

The callers then use the uninitialized value via be16_to_cpu() or
directly, which KMSAN flags as a use of uninitialized memory.

This is triggered during hfsplus_bnode_find() when mounting a crafted
HFS+ image with node_size=1 and invalid offsets.

Fix this by zero-initializing the local variables so that an invalid
read returns 0 rather than stack garbage.

Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---
fs/hfsplus/bnode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -98,14 +98,14 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
u16 hfs_bnode_read_u16(struct hfs_bnode *node, int off)
{
- __be16 data;
+ __be16 data = 0;
/* TODO: optimize later... */
hfs_bnode_read(node, &data, off, 2);
return be16_to_cpu(data);
}

u8 hfs_bnode_read_u8(struct hfs_bnode *node, int off)
{
- u8 data;
+ u8 data = 0;
/* TODO: optimize later... */
hfs_bnode_read(node, &data, off, 1);
return data;
--
2.43.0

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/hfsplus/bnode.c
Hunk #1 FAILED at 98.
1 out of 1 hunk FAILED



Tested on:

commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=6b03ae1ea24aea48

dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler:

patch: https://syzkaller.appspot.com/x/patch.diff?x=14d04702580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] KMSAN: uninit-value in hfs_bnode_read_u16
Author: tri...@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>From 22a2a76dffd13b9a5bf3e41e13382714f3ffb459 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:17 +0000

Subject: [PATCH] hfsplus: initialize data in hfs_bnode_read_u16 and

hfs_bnode_read_u8
hfs_bnode_read_u16() and hfs_bnode_read_u8() declare local data
variables without initialization. If hfs_bnode_read() fails to
fully populate them (e.g., due to a corrupted node), the stale
stack values are returned, triggering KMSAN uninit-value.
Zero-initialize both variables.

Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb

Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---
fs/hfsplus/bnode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c

index f8b5a8a..3579008 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -55,7 +55,7 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, u32 off, u32 len)

u16 hfs_bnode_read_u16(struct hfs_bnode *node, u32 off)

{
- __be16 data;
+ __be16 data = 0;
/* TODO: optimize later... */
hfs_bnode_read(node, &data, off, 2);
return be16_to_cpu(data);

@@ -63,7 +63,7 @@ u16 hfs_bnode_read_u16(struct hfs_bnode *node, u32 off)

u8 hfs_bnode_read_u8(struct hfs_bnode *node, u32 off)

{
- u8 data;
+ u8 data = 0;
/* TODO: optimize later... */
hfs_bnode_read(node, &data, off, 1);
return data;
--

2.47.3

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

=====================================================

BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
irqentry_exit+0x7b/0x760 kernel/entry/common.c:164

sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697

__sanitizer_cov_trace_pc+0x0/0x70

nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:842 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x8c0/0x1430 drivers/net/netdevsim/dev.c:922

process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
worker_thread+0xee4/0x1590 kernel/workqueue.c:3466

kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:

slab_post_alloc_hook mm/slub.c:4576 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_node_track_caller_noprof+0x4f6/0x1750 mm/slub.c:5403

kmalloc_reserve net/core/skbuff.c:635 [inline]
__alloc_skb+0x90d/0x1190 net/core/skbuff.c:713
alloc_skb include/linux/skbuff.h:1383 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:819 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:876 [inline]
nsim_dev_trap_report_work+0x3f2/0x1430 drivers/net/netdevsim/dev.c:922

process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb65/0x1e40 kernel/workqueue.c:3385
worker_thread+0xee4/0x1590 kernel/workqueue.c:3466

kthread+0x53f/0x600 kernel/kthread.c:436
ret_from_fork+0x20f/0x8d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

CPU: 0 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events_unbound nsim_dev_trap_report_work
=====================================================


Tested on:

commit: 59bd5ae0 Merge tag 'for-v7.1' of git://git.kernel.org/..

git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

console output: https://syzkaller.appspot.com/x/log.txt?x=15ba6f16580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd34a4e3f8a96df8
dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb

compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=10e24702580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [hfs?] KMSAN: uninit-value in hfs_bnode_read_u16
Author: tri...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>From fa9693d02a6d2e2fda72504085400c761d5eec1f Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Sat, 18 Apr 2026 13:39:03 +0000
Subject: [PATCH] hfsplus: zero-initialize buffer in hfs_bnode_read

hfs_bnode_read() can return early without initializing the output
buffer when the offset is invalid or the requested length is
corrected to zero by check_and_correct_requested_length(). Callers
such as hfs_bnode_read_u16() pass stack-allocated buffers and use the
result unconditionally, leading to KMSAN uninit-value reports.

Rather than initializing at each individual call site, zero the buffer
at the start of hfs_bnode_read() before any validation checks. This
ensures the buffer is always in a known state regardless of which
early-return path is taken.

Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Tested-by: syzbot+217eb3...@syzkaller.appspotmail.com

Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: sta...@vger.kernel.org

Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---

fs/hfsplus/bnode.c | 2 ++

1 file changed, 2 insertions(+)

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index f8b5a8ae58ff5..14d1af2c7ba93 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -25,6 +25,8 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, u32 off, u32 len)
struct page **pagep;
u32 l;

+ memset(buf, 0, len);
+
if (!is_bnode_offset_valid(node, off))
return;

--
2.47.3

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt

=====================================================
BUG: KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode_preempt+0xb0/0xc0 include/linux/irq-entry-common.h:472
irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:547 [inline]
irqentry_exit+0x7b/0x760 kernel/entry/common.c:164
sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1061
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697

smap_save mm/kmsan/instrumentation.c:93 [inline]
get_shadow_origin_ptr mm/kmsan/instrumentation.c:35 [inline]
__msan_metadata_ptr_for_load_4+0x11/0x40 mm/kmsan/instrumentation.c:93
do_csum lib/checksum.c:64 [inline]
ip_fast_csum+0x1e6/0x3f0 lib/checksum.c:99

CPU: 0 UID: 0 PID: 67 Comm: kworker/u8:4 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events_unbound nsim_dev_trap_report_work
=====================================================


Tested on:

commit: 8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=129a64ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=916f2f67e70d1263

dashboard link: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=11b264ce580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [hfs?] KMSAN: uninit-value in hfsplus_bnode_find

Author: tri...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>From 481707e6b354ae2f36603d68c63364b56d6ee6b6 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Thu, 30 Apr 2026 22:38:32 +0000
Subject: [PATCH 1/3] hfs/hfsplus: fix u32 overflow in
check_and_correct_requested_length

check_and_correct_requested_length() compares (off + len) against
node_size using u32 arithmetic. When the caller passes a large len
value (e.g. from an underflowed subtraction in hfs_brec_remove()),
off + len can wrap past 2^32 and produce a small result, causing the
bounds check to pass when it should fail.

For example, with off=14 and len=0xFFFFFFF2 (underflowed from
data_off - keyoffset - size in hfs_brec_remove), off + len wraps to 6,
which is less than a typical node_size of 512, so the check passes and
the subsequent memmove reads ~4GB past the node buffer.

Fix this by comparing len against (node_size - off) instead. Since
is_bnode_offset_valid() already guarantees off < node_size before this
point, the subtraction cannot underflow.

Reported-by: syzbot+6df204...@syzkaller.appspotmail.com
Reported-by: syzbot+e76bf3...@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")

Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---

fs/hfs/bnode.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 13d58c51fc46b..c00645a4a5733 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -41,7 +41,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)

node_size = node->tree->node_size;

- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;

pr_err("requested length has been corrected: "
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 3545b8dbf11c5..10b2dda3f8044 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -600,7 +600,7 @@ u32 check_and_correct_requested_length(struct hfs_bnode *node, u32 off, u32 len)

node_size = node->tree->node_size;

- if ((off + len) > node_size) {
+ if (len > node_size - off) {
u32 new_len = node_size - off;

pr_err("requested length has been corrected: "
--
2.47.3


>From 5eb857d2b6469a9857ce436345e8e18c5791c3ef Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Thu, 30 Apr 2026 22:39:00 +0000
Subject: [PATCH 2/3] hfs/hfsplus: initialize data buffer in hfs_bnode_read_u16
and hfs_bnode_read_u8

hfs_bnode_read_u16() and hfs_bnode_read_u8() declare local data buffers
without initialization, then pass them to hfs_bnode_read(). If
is_bnode_offset_valid() fails inside hfs_bnode_read(), the function
returns early without writing to the buffer, leaving it uninitialized.
The caller then returns the garbage value to its caller.

This triggers KMSAN uninit-value reports when a corrupted HFS+ image
has a node_size of 1, causing rec_off to underflow in hfs_bnode_find()
and the subsequent hfs_bnode_read_u16() to operate on an invalid offset.

Zero-initialize both buffers so that callers get a deterministic zero
value when the underlying read fails.

Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")

Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---

fs/hfs/bnode.c | 4 ++--
fs/hfsplus/bnode.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index c00645a4a5733..08307faea7a68 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -97,7 +97,7 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, u32 off, u32 len)

u16 hfs_bnode_read_u16(struct hfs_bnode *node, u32 off)
{
- __be16 data;
+ __be16 data = 0;

// optimize later...

hfs_bnode_read(node, &data, off, 2);
return be16_to_cpu(data);

@@ -105,7 +105,7 @@ u16 hfs_bnode_read_u16(struct hfs_bnode *node, u32 off)

u8 hfs_bnode_read_u8(struct hfs_bnode *node, u32 off)
{
- u8 data;
+ u8 data = 0;

// optimize later...

hfs_bnode_read(node, &data, off, 1);
return data;

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index f8b5a8ae58ff5..35790085b5b2e 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Author: tri...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>From fa9693d02a6d2e2fda72504085400c761d5eec1f Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>

Date: Sat, 18 Apr 2026 13:39:03 +0000
Subject: [PATCH] hfsplus: zero-initialize buffer in hfs_bnode_read

hfs_bnode_read() can return early without initializing the output
buffer when the offset is invalid or the requested length is
corrected to zero by check_and_correct_requested_length(). Callers
such as hfs_bnode_read_u16() pass stack-allocated buffers and use the
result unconditionally, leading to KMSAN uninit-value reports.

Rather than initializing at each individual call site, zero the buffer
at the start of hfs_bnode_read() before any validation checks. This
ensures the buffer is always in a known state regardless of which
early-return path is taken.

Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Tested-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---

fs/hfsplus/bnode.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index f8b5a8ae58ff5..14d1af2c7ba93 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] KMSAN: uninit-value in hfs_bnode_read

Author: tri...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>From 9844dc36acf6c4c44348a5ea5ece3367423b0519 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tri...@talencesecurity.com>
Date: Tue, 5 May 2026 11:08:43 +0000
Subject: [PATCH v2 2/2] hfs/hfsplus: zero-initialize buffer in hfs_bnode_read

hfs_bnode_read() can return early without writing to the output buffer
when is_bnode_offset_valid() fails or when check_and_correct_requested_
length() corrects the length to zero. Callers such as hfs_bnode_read_
u16() and hfs_bnode_read_u8() pass stack-allocated buffers and use the

result unconditionally, leading to KMSAN uninit-value reports.

Rather than initializing at each individual call site, zero the buffer
at the start of hfs_bnode_read() before any validation checks. This

ensures all callers in both hfs and hfsplus get a deterministic zero
value regardless of which early-return path is taken.

Reported-by: syzbot+217eb3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=217eb327242d08197efb
Tested-by: syzbot+217eb3...@syzkaller.appspotmail.com
Fixes: a431930c9bac ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")

Cc: sta...@vger.kernel.org
Signed-off-by: Tristan Madani <tri...@talencesecurity.com>
---

fs/hfs/bnode.c | 2 ++
fs/hfsplus/bnode.c | 2 ++
2 files changed, 4 insertions(+)

diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 9571f33b91085..25cef62fbba6d 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -64,6 +64,8 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, u32 off, u32 len)
u32 bytes_read;
u32 bytes_to_read;