Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp() during
filesystem mount operations.

The root cause is that hfsplus_find_cat() declares a local hfsplus_cat_entry
variable without initialization before passing it to hfs_brec_read(). When
the filesystem image is corrupted or malformed (as syzbot fuzzes),
hfs_brec_read() may read less data than sizeof(hfsplus_cat_entry). In such
cases, the tmp.thread.nodeName.unicode array may only be partially filled,
leaving remaining bytes uninitialized.

hfsplus_cat_build_key_uni() then copies from this array based on
nodeName.length. If the on-disk length field is corrupted or the array
wasn't fully written by hfs_brec_read(), uninitialized stack data gets
copied into the search key. When hfsplus_strcasecmp() subsequently reads
these uninitialized bytes and uses them in case_fold() as an array index
into hfsplus_case_fold_table, KMSAN detects the use of uninitialized values.

Fix this by initializing tmp to zero, ensuring that even with corrupted
filesystem images, no uninitialized data is propagated.

Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey
---
Changes in v2:
- Use structure initialization (= {0}) instead of memset() as suggested by
  Viacheslav Dubeyko
- Improved commit message to clarify how uninitialized data is used
---
 fs/hfsplus/catalog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
index 02c1eee4a4b8..56a53d2d437e 100644
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -194,7 +194,7 @@ static int hfsplus_fill_cat_thread(struct super_block *sb, int hfsplus_find_cat(struct super_block *sb, u32 cnid, struct hfs_find_data *fd) { - hfsplus_cat_entry tmp; + hfsplus_cat_entry tmp = {0}; int err; u16 type; -- 2.43.0
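Review bot: zeroing tmp silences the KMSAN report, but the short read that the commit message itself describes is still accepted: when hfs_brec_read() returns fewer bytes than sizeof(hfsplus_cat_entry) and nodeName.length claims more code units than were read, the search key is now padded with zeros instead of stack garbage and the lookup proceeds on that key. Consider having hfsplus_find_cat() reject a record shorter than the thread entry it expects (or a nodeName.length larger than the bytes actually read) with -EIO, so corrupted catalog entries fail the lookup rather than silently matching a zero-padded name. Separately, hfsplus_cat_entry is a union (fs/hfsplus/hfsplus_raw.h) whose first member is a 2-byte type field, and the C standard only guarantees that `= {0}` initializes the first named member of a union; GCC and Clang zero the whole object here in practice, and syzbot's Tested-by covers the tested build, but the kernel's usual spelling for a fully zeroed object is `= {}` (or memset()), which does not rely on that compiler behaviour.

The failure mode the commit message describes, as an added user-space model that is not kernel code: a record read that copies fewer bytes than the caller's struct, a key built from the on-disk length field, and three ways of handling the tail. The struct layouts, names (`cat_thread`, `cat_entry`, `model_brec_read`, `find_cat_*`) and the sample record are simplified stand-ins invented for this example; the stricter `find_cat_checked` variant is an assumption of the example, not something the patch does.

```c
/* Added example (not kernel code): user-space model of the short-read path
 * described in the commit message. Layouts are simplified stand-ins chosen
 * for this demonstration, not the real HFS+ on-disk format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255

struct cat_thread {            /* stand-in for struct hfsplus_cat_thread */
    int16_t  type;
    int16_t  reserved;
    uint32_t parent_id;
    uint16_t name_len;         /* stand-in for nodeName.length */
    uint16_t name[MAX_NAME];   /* stand-in for nodeName.unicode */
};

union cat_entry {              /* stand-in for hfsplus_cat_entry */
    int16_t type;
    struct cat_thread thread;
};

#define FULL_READ  sizeof(struct cat_thread)
/* header plus two name code units: the length field is present, most of the name is not */
#define SHORT_READ (offsetof(struct cat_thread, name) + 2 * sizeof(uint16_t))

/* Model of hfs_brec_read(): copies min(entrylength, rec_len) bytes into rec.
 * A corrupted B-tree record can be shorter than the caller's struct, so the
 * tail of rec is left untouched. Returns the number of bytes copied. */
static size_t model_brec_read(const uint8_t *disk, size_t entrylength,
                              void *rec, size_t rec_len)
{
    size_t n = entrylength < rec_len ? entrylength : rec_len;
    memcpy(rec, disk, n);
    return n;
}

/* Constructed sample: thread record, parent 2, 8-code-unit name "abcdefgh".
 * buf must hold sizeof(struct cat_thread) bytes. */
static void make_record(uint8_t *buf)
{
    struct cat_thread rec;
    memset(&rec, 0, sizeof(rec));
    rec.type = 3;
    rec.parent_id = 2;
    rec.name_len = 8;
    for (int i = 0; i < 8; i++)
        rec.name[i] = (uint16_t)('a' + i);
    memcpy(buf, &rec, sizeof(rec));
}

static int count_stale(const uint16_t *key, size_t units)
{
    int n = 0;
    for (size_t i = 0; i < units; i++)
        if (key[i] == 0xAAAA)
            n++;
    return n;
}

/* Unchecked path. fill models the initial contents of tmp: 0xAA stands for
 * leftover stack data (pre-patch), 0 for the patch's tmp = {0} (spelled as a
 * memset here so the model does not depend on compiler union handling).
 * Returns how many stale (0xAAAA) code units end up in the search key. */
static int find_cat_unchecked(const uint8_t *disk, size_t entrylength,
                              uint16_t *key, size_t key_units, int fill)
{
    union cat_entry tmp;
    memset(&tmp, fill, sizeof(tmp));
    model_brec_read(disk, entrylength, &tmp, sizeof(tmp));
    size_t len = tmp.thread.name_len;
    if (len > key_units)
        len = key_units;                  /* keeps the model memory-safe */
    memcpy(key, tmp.thread.name, len * sizeof(uint16_t));
    return count_stale(key, len);
}

/* Stricter variant (assumption of this example, not in the patch): refuse a
 * record whose name_len claims more code units than the read supplied.
 * Returns the name length copied, or -1 for a truncated/corrupt record. */
static int find_cat_checked(const uint8_t *disk, size_t entrylength,
                            uint16_t *key, size_t key_units)
{
    union cat_entry tmp;
    memset(&tmp, 0, sizeof(tmp));
    size_t got = model_brec_read(disk, entrylength, &tmp, sizeof(tmp));
    size_t hdr = offsetof(struct cat_thread, name);
    if (got < hdr)
        return -1;                        /* not even a complete header */
    size_t have_units = (got - hdr) / sizeof(uint16_t);
    size_t len = tmp.thread.name_len;
    if (len > MAX_NAME || len > key_units || len > have_units)
        return -1;
    memcpy(key, tmp.thread.name, len * sizeof(uint16_t));
    return (int)len;
}

enum mode { MODE_STALE, MODE_ZEROED, MODE_CHECKED };

/* Builds the sample record and runs one variant against a read of entrylength bytes. */
static int run_case(enum mode m, size_t entrylength)
{
    uint8_t disk[sizeof(struct cat_thread)];
    uint16_t key[MAX_NAME];
    make_record(disk);
    switch (m) {
    case MODE_STALE:  return find_cat_unchecked(disk, entrylength, key, MAX_NAME, 0xAA);
    case MODE_ZEROED: return find_cat_unchecked(disk, entrylength, key, MAX_NAME, 0);
    default:          return find_cat_checked(disk, entrylength, key, MAX_NAME);
    }
}

int main(void)
{
    printf("full record:  stale=%d zeroed=%d checked=%d\n",
           run_case(MODE_STALE, FULL_READ), run_case(MODE_ZEROED, FULL_READ),
           run_case(MODE_CHECKED, FULL_READ));
    printf("short record: stale=%d zeroed=%d checked=%d\n",
           run_case(MODE_STALE, SHORT_READ), run_case(MODE_ZEROED, SHORT_READ),
           run_case(MODE_CHECKED, SHORT_READ));
    return 0;
}
```

On the short record the pre-patch model puts six stale code units into the key (the length field says eight, only two were read), the zeroed model puts none, and the checked model rejects the record outright; on the well-formed record all three agree. The difference between the last two is the point of the review comment above: zeroing makes the key deterministic, the bound check makes the corruption visible.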