spotmail.com
Signed-off-by: Edward Adam Davis
Link: https://patch.msgid.link/tencent_B6C4583771D76766D71362A368696EC3B605@qq.com
Signed-off-by: Christian Brauner
Signed-off-by: Sasha Levin
---

LLM Generated explanations, may be completely bogus:

This confirms the bug: `fuse_fileattr_get()` reads `fa->flags_valid` (line 517), but in the `file_getattr` syscall, `fa` was declared uninitialized. The `flags_valid` field could contain any stack garbage, leading to the KMSAN report. The fix initializes it to `{ .flags_valid = true }`, matching the pattern used by `ioctl_getflags()` at line 313.

## Analysis

**What the commit fixes:** An uninitialized memory read (KMSAN uninit-value) in the `file_getattr` syscall path. The `struct file_kattr fa` variable is declared on the stack without initialization, then passed to `vfs_fileattr_get()` which calls filesystem-specific `fileattr_get()` implementations. The FUSE implementation (`fuse_fileattr_get`) reads `fa->flags_valid` before writing to it, triggering use of uninitialized memory.

**Bug severity:** This is a real bug reportable by KMSAN. The uninitialized `flags_valid` field determines which code path is taken in `fuse_fileattr_get()` (line 517). If `flags_valid` happens to be false (zero), the fuse driver takes the wrong code path (xattr-based instead of ioctl-based), potentially returning incorrect or garbage data to userspace.

**Fix quality:** The fix is a one-line change - initializing the struct with `{ .flags_valid = true }`. This exactly matches the existing pattern at line 313 (`ioctl_getflags`), making it obviously correct. The `/* hint only */` comment also matches.

**Scope:** Only the 6.19 stable tree is affected. The `file_getattr` syscall was introduced in commit `be7efb2d20d67` which first appeared in v6.17-rc1. The code was moved to `fs/file_attr.c` as part of that series. Older stable trees (6.12.y, 6.6.y, 5.15.y, etc.) don't have this syscall and are unaffected.

**Risk:** Extremely low. The change only adds initialization of a single struct field, matching an existing pattern in the same file.
**Stable criteria check:**
- Obviously correct: Yes, matches existing pattern
- Fixes a real bug: Yes, KMSAN-detected uninit read, syzbot-reported
- Small and contained: Yes, one-line change
- No new features: Correct
- Tested: Yes, syzbot Tested-by tag

## Verification

- Read `fs/file_attr.c:380` - confirmed `struct file_kattr fa;` is uninitialized in `file_getattr` syscall
- Read `fs/file_attr.c:313` - confirmed `ioctl_getflags` uses `{ .flags_valid = true }` (the pattern the fix replicates)
- Read `fs/file_attr.c:82-94` - confirmed `vfs_fileattr_get()` passes `fa` directly to filesystem's `fileattr_get` callback without initializing it
- Read `fs/fuse/ioctl.c:517` - confirmed `fuse_fileattr_get` reads `fa->flags_valid` before writing, triggering the KMSAN report
- `git tag --contains be7efb2d20d67` showed the syscall was introduced in v6.17-rc1 (not v6.19-rc1 as might be assumed)
- `git show v6.19.6:fs/file_attr.c` confirmed the fix is NOT yet in 6.19.6 stable
- `git log v6.12.75 -- fs/file_attr.c` returned empty, confirming older stable trees don't have this file/code

**YES**

 fs/file_attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/file_attr.c b/fs/file_attr.c
index 13cdb31a3e947..4889cf59b2562 100644
--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -377,7 +377,7 @@ SYSCALL_DEFINE5(file_getattr, int, dfd, const char __user *, filename,
 	struct filename *name __free(putname) = NULL;
 	unsigned int lookup_flags = 0;
 	struct file_attr fattr;
-	struct file_kattr fa;
+	struct file_kattr fa = { .flags_valid = true }; /* hint only */
 	int error;
 
 	BUILD_BUG_ON(sizeof(struct file_attr) < FILE_ATTR_SIZE_VER0);
-- 
2.51.0

Subject: [PATCH AUTOSEL 6.19-6.18] fs: init flags_valid before calling vfs_fileattr_get
From: Sasha Levin
To: patches@lists.linux.dev, stable@vger.kernel.org
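Review bot: the hunk fixes the one caller that syzbot hit, but the verification notes above say `vfs_fileattr_get()` hands `fa` to the filesystem callback without touching it, so every other present or future caller has to remember the same initializer; consider setting the default inside `vfs_fileattr_get()` (or asserting the hint there) so the contract is enforced in one place rather than copied from `ioctl_getflags`. Two smaller points on the `+` line: the `/* hint only */` comment copied from `ioctl_getflags` says nothing about what is hinted or who reads it, and since `fuse_fileattr_get` demonstrably branches on the incoming value a comment such as `/* hint: ask the fs to fill ->flags; fileattr_get may test this */` would help the next reader; and the designated initializer also zero-initializes `fsx_valid` and the flag words, which is the property that actually silences KMSAN for any callback that tests a different member first, so the changelog could say so instead of naming only `flags_valid`.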
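The following user-space model is an added illustration of the hint contract the analysis above describes, written for this page; it is not kernel code. The member names mirror `struct file_kattr`, but the layout, the mock flag bits and the mock `fileattr_get` callback are assumptions. It shows two things a reader of the hunk may want to see: that a callback which tests `flags_valid` before writing is steered entirely by whatever the caller left in that byte, and that the designated initializer `{ .flags_valid = true }` defines every other member as zero, not just the one named.

```c
/*
 * Added example, not kernel code: a user-space model of the file_kattr
 * "hint" contract. Member names mirror struct file_kattr; the layout, the
 * mock flag values and the mock filesystem callback are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>

struct file_kattr {
	uint32_t flags;        /* FS_IOC_GETFLAGS-style bits (assumed model) */
	uint32_t fsx_xflags;   /* FS_IOC_FSGETXATTR-style bits (assumed model) */
	bool     flags_valid;  /* hint on input: "please fill ->flags" */
	bool     fsx_valid;    /* set by the callee when it filled fsx_* */
};

/* Mock flag bits, assumed for this model only. */
#define MOCK_FS_IMMUTABLE_FL    0x10u
#define MOCK_FS_XFLAG_IMMUTABLE 0x08u

enum getattr_path { PATH_GETFLAGS = 1, PATH_FSGETXATTR = 2 };

/*
 * Mock fileattr_get() callback. Like the fuse implementation discussed in
 * the analysis, it tests fa->flags_valid *before* writing anything, so the
 * branch it takes is decided by what the caller left in that byte. The
 * return value is the path taken (a model-only convention; real callbacks
 * return 0 or -errno).
 */
static enum getattr_path mock_fileattr_get(struct file_kattr *fa)
{
	if (fa->flags_valid) {
		/* GETFLAGS-style path: fill ->flags, derive xflags from them */
		fa->flags = MOCK_FS_IMMUTABLE_FL;
		fa->fsx_xflags = (fa->flags & MOCK_FS_IMMUTABLE_FL) ?
				 MOCK_FS_XFLAG_IMMUTABLE : 0;
		fa->flags_valid = true;
		return PATH_GETFLAGS;
	}
	/* FSGETXATTR-style path: fill fsx_* only, ->flags is never written */
	fa->fsx_xflags = MOCK_FS_XFLAG_IMMUTABLE;
	fa->fsx_valid = true;
	return PATH_FSGETXATTR;
}

/*
 * Pre-fix shape of the syscall: `struct file_kattr fa;` with no initializer.
 * Reading the genuinely uninitialized object is undefined behaviour (that is
 * what KMSAN reports), so this model seeds each member from a caller-supplied
 * value standing in for whatever the previous stack frame left behind.
 */
static enum getattr_path file_getattr_unfixed(uint32_t stack_residue)
{
	struct file_kattr fa;

	fa.flags       = stack_residue;
	fa.fsx_xflags  = stack_residue >> 8;
	fa.flags_valid = (stack_residue >> 16) & 1;
	fa.fsx_valid   = (stack_residue >> 17) & 1;
	return mock_fileattr_get(&fa);
}

/*
 * Post-fix shape: the designated initializer sets flags_valid and, by C
 * semantics, zero-initializes every other member, so the callee's branch no
 * longer depends on stack contents.
 */
static enum getattr_path file_getattr_fixed(void)
{
	struct file_kattr fa = { .flags_valid = true }; /* hint only */

	return mock_fileattr_get(&fa);
}

/* Same call, returning the xflags the callback produced on the fixed path. */
static uint32_t file_getattr_fixed_xflags(void)
{
	struct file_kattr fa = { .flags_valid = true }; /* hint only */

	mock_fileattr_get(&fa);
	return fa.fsx_xflags;
}

/* What the initializer alone leaves in the struct before any callback runs. */
static bool fixed_initializer_zeroes_rest(void)
{
	struct file_kattr fa = { .flags_valid = true };

	return fa.flags_valid && !fa.fsx_valid &&
	       fa.flags == 0 && fa.fsx_xflags == 0;
}
```

With residue 0 the unfixed caller sends the callback down the FSGETXATTR-style branch, with 0xA5A5A5A5 down the GETFLAGS-style branch; the fixed caller always takes the GETFLAGS-style branch and starts from a fully zeroed struct.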