From: Chao Yu
To: jaegeuk@kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, Chao Yu, stable@kernel.org, syzbot+9aac813cdc456cdd49f8@syzkaller.appspotmail.com
Subject: [PATCH] f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
Date: Mon, 9 Mar 2026 02:22:37 +0000
Message-ID: <20260309022237.1680736-1-chao@kernel.org>

syzbot reported a f2fs bug as below:

BUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
 f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
 f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177
 f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1
 bio_endio+0x1006/0x1160 block/bio.c:1792
 submit_bio_noacct+0x533/0x2960 block/blk-core.c:891
 submit_bio+0x57a/0x620 block/blk-core.c:926
 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]
 f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557
 f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775
 read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481
 __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576
 f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623
 do_read_inode fs/f2fs/inode.c:425 [inline]
 f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596
 f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184
 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
 path_mount+0x7a2/0x20b0 fs/namespace.c:4159
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is: in f2fs_finish_read_bio(), we may access uninit data
in folio if we failed to read the data from device into folio, let's add
a check condition to avoid such issue.

Cc: stable@kernel.org
Fixes: 50ac3ecd8e05 ("f2fs: fix to do sanity check on node footer in {read,write}_end_io")
Reported-by: syzbot+9aac813cdc456cdd49f8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/69a9ca26.a70a0220.305d9a.0000.GAE@google.com
Signed-off-by: Chao Yu
--- fs/f2fs/data.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index 400f0400e13d..cb2332faf5f0 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -173,7 +173,8 @@ static void f2fs_finish_read_bio(struct bio *bio, bool = in_task) while (nr_pages--) dec_page_count(F2FS_F_SB(folio), __read_io_type(folio)); =20 - if (F2FS_F_SB(folio)->node_inode && is_node_folio(folio) && + if (bio->bi_status =3D=3D BLK_STS_OK && + F2FS_F_SB(folio)->node_inode && is_node_folio(folio) && f2fs_sanity_check_node_footer(F2FS_F_SB(folio), folio, folio->index, NODE_TYPE_REGULAR, true)) bio->bi_status =3D BLK_STS_IOERR; --=20 2.49.0
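
Review bot: the new bio->bi_status == BLK_STS_OK guard in f2fs_finish_read_bio() tests the same field that the branch body overwrites with BLK_STS_IOERR, so if this condition is evaluated once per folio of the bio, the first node folio that fails the footer check also switches the check off for every later node folio in that bio. That is probably harmless, since the bio is already marked failed, but it is a behaviour change beyond the uninit-value fix and the commit message does not mention it. A one-line comment above the condition saying that folio contents are undefined when the read failed, and that the footer must therefore not be inspected, would make the intent clear to whoever next touches this path.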