[syzbot] [hfs?] KMSAN: uninit-value in hfsplus_strcasecmp (2)


syzbot

Jan 19, 2026, 4:34:34 PM (2 days ago)
to fran...@vivo.com, glau...@physik.fu-berlin.de, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sl...@dubeyko.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 603c05a1639f Merge tag 'nfs-for-6.19-2' of git://git.linux..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=178b339a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=157be39a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12625a3a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f5064e5f9c76/disk-603c05a1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c466bcf334e3/vmlinux-603c05a1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4e1318b36fb1/bzImage-603c05a1.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a0364f040b52/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d80abb...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 1024
=====================================================
BUG: KMSAN: uninit-value in case_fold fs/hfsplus/unicode.c:26 [inline]
BUG: KMSAN: uninit-value in hfsplus_strcasecmp+0x63a/0x980 fs/hfsplus/unicode.c:67
case_fold fs/hfsplus/unicode.c:26 [inline]
hfsplus_strcasecmp+0x63a/0x980 fs/hfsplus/unicode.c:67
hfsplus_cat_case_cmp_key+0xb9/0x190 fs/hfsplus/catalog.c:26
hfs_find_rec_by_key+0xae/0x240 fs/hfsplus/bfind.c:89
__hfsplus_brec_find+0x274/0x840 fs/hfsplus/bfind.c:124
hfsplus_brec_find+0x4ec/0xa10 fs/hfsplus/bfind.c:190
hfsplus_find_cat+0x3b0/0x4f0 fs/hfsplus/catalog.c:220
hfsplus_iget+0x815/0xc30 fs/hfsplus/super.c:96
hfsplus_fill_super+0x1550/0x2580 fs/hfsplus/super.c:548
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1691
get_tree_bdev+0x38/0x50 fs/super.c:1714
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:680
vfs_get_tree+0xb3/0x5c0 fs/super.c:1751
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount+0x879/0x1700 fs/namespace.c:3712
path_mount+0x749/0x1fb0 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount+0x6f7/0x7e0 fs/namespace.c:4201
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4201
x64_sys_call+0x38cb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
hfsplus_cat_build_key_uni fs/hfsplus/catalog.c:77 [inline]
hfsplus_find_cat+0x356/0x4f0 fs/hfsplus/catalog.c:217
hfsplus_iget+0x815/0xc30 fs/hfsplus/super.c:96
hfsplus_fill_super+0x1550/0x2580 fs/hfsplus/super.c:548
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1691
get_tree_bdev+0x38/0x50 fs/super.c:1714
hfsplus_get_tree+0x35/0x40 fs/hfsplus/super.c:680
vfs_get_tree+0xb3/0x5c0 fs/super.c:1751
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount+0x879/0x1700 fs/namespace.c:3712
path_mount+0x749/0x1fb0 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount+0x6f7/0x7e0 fs/namespace.c:4201
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4201
x64_sys_call+0x38cb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable tmp created at:
hfsplus_find_cat+0x43/0x4f0 fs/hfsplus/catalog.c:197
hfsplus_iget+0x815/0xc30 fs/hfsplus/super.c:96

CPU: 1 UID: 0 PID: 6037 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jan 19, 2026, 11:33:47 PM (2 days ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] hfsplus: fix uninit-value in hfsplus_strcasecmp
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp() during
filesystem mount operations. The root cause is that hfsplus_find_cat()
declares a local hfsplus_cat_entry variable without initialization before
passing it to hfs_brec_read().

If hfs_brec_read() doesn't completely fill the entire structure (e.g., when
the on-disk data is shorter than sizeof(hfsplus_cat_entry)), the padding
bytes in tmp.thread.nodeName remain uninitialized. These uninitialized
bytes are then copied by hfsplus_cat_build_key_uni() into the search key,
and subsequently accessed by hfsplus_strcasecmp() during catalog lookups,
triggering the KMSAN warning.

Fix this by zeroing the tmp variable before use to ensure all padding
bytes are initialized.

Reported-by: syzbot+d80abb...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/hfsplus/catalog.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
index 02c1eee4a4b8..9c75d1736427 100644
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -199,6 +199,7 @@ int hfsplus_find_cat(struct super_block *sb, u32 cnid,
u16 type;

hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid);
+ memset(&tmp, 0, sizeof(tmp));
err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
if (err)
return err;
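Review bot: the memset() added before hfs_brec_read() makes the tail of tmp deterministic, but it leaves a thread record that is shorter than the nodeName it declares being accepted as a well-formed name made of zeros instead of being rejected as corrupt metadata. Consider also checking, after the read, that the record length covers the nodeName length field and the unicode units it claims, and returning an error otherwise, so hfsplus_cat_build_key_uni() never consumes a partially populated name. A one-line comment on the memset stating why it is there (on-disk records may be shorter than sizeof(hfsplus_cat_entry)) would help future readers; zero-initialising at the declaration is an equivalent alternative if that is the preferred style in fs/hfsplus.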
--
2.43.0
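The partial-read hazard the commit message describes, as an added example in plain C that is not part of the patch or of the kernel: a cut-down thread record, a read routine that (like hfs_brec_read()) copies only the on-disk record length, and the length check a reviewer would want after the read. All struct and function names are constructed for the example, byte order is ignored, and the record contents are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_STRLEN 255   /* HFS+ names hold at most 255 UTF-16 units */
/* Cut-down thread record layout, constructed for this example (not the kernel's struct). */
struct unistr {
    uint16_t length;                 /* UTF-16 units that follow */
    uint16_t unicode[MAX_STRLEN];
};
struct cat_thread {
    int16_t type;
    int16_t reserved;
    uint32_t parent_id;
    struct unistr node_name;
};
/* Mimics hfs_brec_read(): copies only the on-disk record length, so a record
 * shorter than the destination leaves the tail of *rec exactly as the caller left it. */
static int brec_read(const void *node, size_t entrylength,
                     struct cat_thread *rec, size_t rec_len)
{
    if (entrylength > rec_len)
        return -1;                   /* oversized record: rejected outright */
    memcpy(rec, node, entrylength);
    return 0;
}
/* The check to add after the read: the record must contain the name length field
 * and every UTF-16 unit that field claims; otherwise the name bytes are untrusted. */
static bool thread_record_complete(const struct cat_thread *rec, size_t entrylength)
{
    size_t hdr = offsetof(struct cat_thread, node_name.unicode);
    if (entrylength < hdr || rec->node_name.length > MAX_STRLEN)
        return false;
    return entrylength >= hdr + (size_t)rec->node_name.length * sizeof(uint16_t);
}
/* Read the first entrylength bytes of a constructed record naming "abcd" into a
 * zeroed tmp (the patch's memset) and validate it.
 * Returns 1 if accepted, 0 if rejected as truncated, -1 on read error. */
static int read_thread_record(size_t entrylength)
{
    struct cat_thread disk = { .type = 3, .parent_id = 2, .node_name.length = 4 };
    for (int i = 0; i < 4; i++)
        disk.node_name.unicode[i] = (uint16_t)('a' + i);
    struct cat_thread tmp;
    memset(&tmp, 0, sizeof tmp);     /* without this a short read leaves stale stack bytes */
    if (brec_read(&disk, entrylength, &tmp, sizeof tmp) != 0)
        return -1;
    return thread_record_complete(&tmp, entrylength) ? 1 : 0;
}
```

With only the memset, a record cut off after the length field would be accepted as a four-character name of zeros; the length check turns that into a rejected record.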

syzbot

Jan 20, 2026, 12:05:05 AM (yesterday)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d80abb...@syzkaller.appspotmail.com
Tested-by: syzbot+d80abb...@syzkaller.appspotmail.com

Tested on:

commit: 24d479d2 Linux 6.19-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b44d22580000
kernel config: https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=16444d22580000

Note: testing is done by a robot and is best-effort only.

syzbot

12:15 AM (6 hours ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] hfsplus: add debug printk to show uninitialized values in case_fold
This is a debug patch to demonstrate the uninit-value bug reported by
syzbot. Added printk in case_fold() to show what uninitialized values
are being read from the unicode array and used as array indices.

This patch intentionally does NOT include the fix (no initialization of
tmp variable) to demonstrate the bug behavior.

Link: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/hfsplus/unicode.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c
index d3a142f4518b..418806c27943 100644
--- a/fs/hfsplus/unicode.c
+++ b/fs/hfsplus/unicode.c
@@ -11,7 +11,6 @@

#include <linux/types.h>
#include <linux/nls.h>
-
#include <kunit/visibility.h>

#include "hfsplus_fs.h"
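Review bot: the removal of the blank line between `#include <linux/nls.h>` and `#include <kunit/visibility.h>` is unrelated to the debug output this patch is about and should be dropped so the diff stays confined to case_fold().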
@@ -22,12 +21,18 @@
static inline u16 case_fold(u16 c)
{
u16 tmp;
-
+ pr_alert("CASE_FOLD: Input c=0x%04x, c>>8=0x%02x (this is array index!)\n", c, c >> 8);
tmp = hfsplus_case_fold_table[c >> 8];
- if (tmp)
+ pr_alert("CASE_FOLD: table[0x%02x]=0x%04x\n", c >> 8, tmp);
+
+ if (tmp) {
+ pr_alert("CASE_FOLD: Second lookup: table[0x%04x + 0x%02x]\n",tmp, c & 0xff);
tmp = hfsplus_case_fold_table[tmp + (c & 0xff)];
- else
+ } else {
tmp = c;
+ }
+ pr_alert("CASE_FOLD: Final result=0x%04x\n", tmp);
+
return tmp;
}

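Review bot: the first pr_alert() at the top of case_fold() formats `c` and `c >> 8` before the table lookup, and KMSAN reports an uninitialized value passed to printk inside vsnprintf, so with this patch the first report will fire in the printk rather than at `hfsplus_case_fold_table[c >> 8]`; the prints therefore change where the bug is detected instead of merely observing it. Two smaller points: the "Second lookup" call is missing a space after the comma in `"\n",tmp`, and a pr_alert() per character of every catalog key comparison will flood the console, so pr_debug() or a rate-limited variant keeps the log usable even for a throwaway debug patch.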
--
2.43.0

syzbot

12:18 AM (6 hours ago)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master: failed to run ["git" "checkout" "FETCH_HEAD" "--force"]: exit status 128


Tested on:

commit: [unknown
git tree: upstream
patch: https://syzkaller.appspot.com/x/patch.diff?x=161eee3a580000

syzbot

12:24 AM (6 hours ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

12:35 AM (6 hours ago)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

12:50 AM (6 hours ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

1:03 AM (6 hours ago)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com