Forwarded: [PATCH v2] jfs: fix uninit-value and assert crash in txLock

syzbot posted 1 patch 1 month, 4 weeks ago
fs/jfs/jfs_txnmgr.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From: Tristan Madani <tristan@talencesecurity.com>
Date: Thu, 17 Apr 2026
Subject: [PATCH v2] jfs: fix uninit-value and assert crash in txLock

Two bugs in txLock():

1) txInit() allocates the TxLock array with vmalloc(), which does not
   zero memory. The initialization loop only sets .next, leaving .tid
   uninitialized. When txLock() reads tlck->tid it hits uninitialized
   vmalloc data. Fix: vmalloc -> vzalloc.

2) The anonymous tlock list walk uses assert(last) inside a for-loop.
   On a corrupted filesystem image the list can be inconsistent, causing
   last == 0 before finding the target lid. This triggers BUG() via
   the assert macro. Fix: replace assert with graceful error + goto
   grantLock.

Reported-by: syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_txnmgr.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb0c..ec6217a2c 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -295,7 +295,7 @@ int txInit(void)
 	 * tlock id = 0 is reserved.
 	 */
 	size = sizeof(struct tlock) * nTxLock;
-	TxLock = vmalloc(size);
+	TxLock = vzalloc(size);
 	if (TxLock == NULL) {
 		vfree(TxBlock);
 		return -ENOMEM;
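Review bot: the zero fill only defines the first read of .tid; the entries are chained through .next (the "tlock id = 0 is reserved" comment above and the commit message's "initialization loop only sets .next"), so they are handed out and recycled, and a recycled entry carries whatever tid its previous user left. The commit message should say which path reaches an entry whose tid was never assigned (a lid taken from the corrupted image?) and whether that path is now closed, rather than leaving the reader to assume vzalloc alone settles it. Minor: `vcalloc(nTxLock, sizeof(struct tlock))` would also guard the `sizeof(struct tlock) * nTxLock` product, but it is newer than some of the stable trees this is Cc'd to, so the plain vzalloc is the safer backport.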
@@ -660,7 +660,10 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
 			for (last = jfs_ip->atlhead;
 			     lid_to_tlock(last)->next != lid;
 			     last = lid_to_tlock(last)->next) {
-				assert(last);
+				if (!last) {
+					jfs_err("txLock: lid %d not found in atl list", lid);
+					goto grantLock;
+				}
 			}
 			lid_to_tlock(last)->next = tlck->next;
 			if (jfs_ip->atltail == lid)
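Review bot: `goto grantLock` in the new `if (!last)` branch bails out in the middle of moving the tlock off the anonymous list: the unlink in `lid_to_tlock(last)->next = tlck->next;` and the atltail update are skipped, so the lock is granted while still chained from jfs_ip->atlhead on a list the walk has just shown to be inconsistent. Since the trigger is a corrupted image, report it through jfs_error(ip->i_sb, ...) so the errors= mount policy applies, instead of jfs_err(), which only logs and carries on; and decide explicitly what state the tlock is left in on that path. The walk is also still unbounded: if the corruption forms a cycle, `last` never becomes 0 and the loop spins forever, so bound it by nTxLock iterations as well as by the zero check.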
-- 
2.43.0
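A user-space model of the two bugs the patch describes, added here as an example and not code from the patch or from fs/jfs: an index-linked lock pool like TxLock (lid 0 reserved, entries chained through .next), a read of a never-written entry's tid with and without zero fill, and a walk that unlinks a lid from an anonymous list and returns an error where the old code asserted. All names (NTLOCK, pool_init, fresh_tid, unlink_from_atl, walk_scenario) and the 0xA5 fill standing in for stale vmalloc memory are this example's own. It goes one step beyond the patch by also bounding the walk, so a corrupted chain that loops back on itself is reported instead of spinning.

```c
/* Added example, not JFS code: a user-space model of the TxLock pool and the
 * anonymous tlock list walk in fs/jfs/jfs_txnmgr.c.  Every name here is the
 * example's own; 0xA5 stands in for the stale memory vmalloc() hands back. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NTLOCK 16		/* pool size; lid 0 is reserved, as in JFS */

typedef uint16_t lid_t;

struct tlock {
	lid_t next;		/* next lid on whatever list this lock is on */
	uint32_t tid;		/* owning transaction, 0 = anonymous */
};

struct inode_locks {
	lid_t atlhead, atltail;	/* the inode's anonymous tlock list */
};

static struct tlock *pool;

/* Like txInit: allocate the pool and set only .next.  zero == 0 models
 * vmalloc() (memory left as found), zero != 0 models vzalloc(). */
static void pool_init(int zero)
{
	size_t size = sizeof(struct tlock) * NTLOCK;
	free(pool);
	pool = malloc(size);
	if (!pool)
		abort();
	memset(pool, zero ? 0x00 : 0xA5, size);
	for (unsigned k = 1; k < NTLOCK - 1; k++)
		pool[k].next = (lid_t)(k + 1);
	pool[NTLOCK - 1].next = 0;
}

/* Bug 1: what txLock() sees in .tid of an entry nobody has written yet. */
static uint32_t fresh_tid(int zero)
{
	pool_init(zero);
	return pool[4].tid;
}

/* Bug 2: unlink lid from the anonymous list.  Returns 0 on success, -1 when
 * the list is inconsistent: lid is not reachable from atlhead (the walk
 * reaches lid 0, where the old code asserted) or the chain loops (bounded by
 * the pool size; the patch itself does not cover this case). */
static int unlink_from_atl(struct inode_locks *ip, lid_t lid)
{
	unsigned steps = 0;
	lid_t last;
	if (ip->atlhead == lid) {
		ip->atlhead = pool[lid].next;
		if (ip->atltail == lid)
			ip->atltail = 0;
		return 0;
	}
	for (last = ip->atlhead; last && pool[last].next != lid;
	     last = pool[last].next) {
		if (++steps > NTLOCK)
			return -1;	/* cycle: would never reach lid or 0 */
	}
	if (!last)
		return -1;		/* ran off the end: lid is not on this list */
	pool[last].next = pool[lid].next;
	if (ip->atltail == lid)
		ip->atltail = last;
	return 0;
}

/* Constructed scenario: chain lids[0] -> ... -> lids[n-1] -> 0 (or back to
 * lids[0] when cycle != 0) on a zeroed pool, then try to unlink target.
 * The pool is left allocated so callers can inspect the result. */
static int walk_scenario(const lid_t *lids, int n, int cycle, lid_t target)
{
	struct inode_locks ip = { lids[0], lids[n - 1] };
	pool_init(1);
	for (int i = 0; i < n; i++)
		pool[lids[i]].next = i + 1 < n ? lids[i + 1] : (cycle ? lids[0] : 0);
	return unlink_from_atl(&ip, target);
}

int main(void)
{
	printf("fresh tid: vmalloc-like 0x%08x, vzalloc-like 0x%08x\n",
	       fresh_tid(0), fresh_tid(1));
	printf("consistent 3->5->7, unlink 5: %d\n",
	       walk_scenario((const lid_t[]){ 3, 5, 7 }, 3, 0, 5));
	printf("corrupt 3->7, page claims lid 5: %d\n",
	       walk_scenario((const lid_t[]){ 3, 7 }, 2, 0, 5));
	printf("cycle 3->5->3, look for 7: %d\n",
	       walk_scenario((const lid_t[]){ 3, 5 }, 2, 1, 7));
	free(pool);
	return 0;
}
```

The first two scenarios correspond to the cases in the commit message: a consistent list unlinks cleanly, and a list that does not contain the lid the page points at reaches lid 0 and reports an error instead of crashing. The third, the cycle, is the case a bounded walk catches that a zero check alone cannot.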