KMSAN reported an uninitialized value use in fsnotify_connector_destroy_workfn(), specifically when accessing `conn->destroy_next`: BUG: KMSAN: uninit-value in fsnotify_connector_destroy_workfn+0x108/0x160 Uninit was created at: slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_noprof+0x81b/0xec0 mm/slub.c:4204 fsnotify_attach_connector_to_object fs/notify/mark.c:663 The struct fsnotify_mark_connector was allocated using kmem_cache_alloc(), but the `destroy_next` field was never initialized, leading to a use of uninitialized memory when the work function later traversed the destroy list. Fix this by explicitly initializing `destroy_next` to NULL immediately after allocation. Reported-by: syzbot+aaeb1646d01d0358cb2a@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: abinashlalotra <abinashsinghlalotra@xxxxxxxxx> --- v2: Corrected the syzbot Reported-by email address. --- fs/notify/mark.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/notify/mark.c b/fs/notify/mark.c index 798340db69d7..28013046f732 100644 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c @@ -665,6 +665,7 @@ static int fsnotify_attach_connector_to_object(fsnotify_connp_t *connp, return -ENOMEM; spin_lock_init(&conn->lock); INIT_HLIST_HEAD(&conn->list); + conn->destroy_next = NULL; conn->flags = 0; conn->prio = 0; conn->type = obj_type; -- 2.43.0
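Review bot: the hunk initializes `conn->destroy_next = NULL` right after `INIT_HLIST_HEAD(&conn->list)`, but the commit message does not explain how a connector reaches fsnotify_connector_destroy_workfn() with `destroy_next` never written; if the path that puts a connector on the destroy list assigns `destroy_next` at enqueue time, this line silences the KMSAN report without addressing why the work function saw an unqueued (or not yet linked) connector, so please describe that path in the changelog or point at the enqueue-side bug. As a smaller point, the allocation site already zeroes `flags` and `prio` field by field right below the added line, so it is worth stating in the message whether a zeroing allocation (kmem_cache_zalloc) was considered and rejected, since it would cover `destroy_next` and any future field in one place.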