[PATCH] media: dvb-core: fix uninit-value in dvb_dmxdev_read_sec

Deepanshu Kartikey posted 1 patch 1 month, 2 weeks ago
Posted by Deepanshu Kartikey 1 month, 2 weeks ago
dvb_dmxdev_init() allocates the filter array using vmalloc_array(),
which does not zero-initialize memory. The subsequent init loop only
sets a few fields (dev, buffer.data, state), leaving other fields like
todo, type, and secheader uninitialized. When dvb_demux_read() is
called before the filter is fully configured, it reads these
uninitialized fields, triggering a KMSAN uninit-value warning.

Use vcalloc() instead to zero-initialize the entire allocation.

Reported-by: syzbot+bd7c90de4c9f1f8ab660@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bd7c90de4c9f1f8ab660
Tested-by: syzbot+bd7c90de4c9f1f8ab660@syzkaller.appspotmail.com
Fixes: e4b21577b463 ("media: dvb-core: use vmalloc_array to simplify code")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/media/dvb-core/dmxdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 8c6f5aafda1d..94010c4e4f89 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -1414,7 +1414,7 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
 	if (dmxdev->demux->open(dmxdev->demux) < 0)
 		return -EUSERS;
 
-	dmxdev->filter = vmalloc_array(dmxdev->filternum,
+	dmxdev->filter = vcalloc(dmxdev->filternum,
 				       sizeof(struct dmxdev_filter));
 	if (!dmxdev->filter)
 		return -ENOMEM;
-- 
2.43.0
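As an added userspace illustration (not part of the patch and not the kernel's code) of the allocation path the commit message describes: a non-zeroing array allocation followed by an init loop that only assigns some fields, next to the zeroed allocation the patch switches to. All names here are constructed stand-ins: `struct model_filter` carries only the fields the message names, `model_alloc_array()` and `model_calloc()` imitate `vmalloc_array()`/`vcalloc()` (overflow-checked `n * size`, differing only in zero-fill), and `count_uninit_filters()` reports how many filters would hand allocator garbage to an early reader.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct dmxdev_filter carrying only the fields the
 * commit message names; it is not the kernel's definition. */
struct model_filter {
	void *dev;
	void *buffer_data;
	int state;
	int todo;             /* never touched by the init loop */
	int type;             /* never touched by the init loop */
	uint8_t secheader[3]; /* never touched by the init loop */
};

#define POISON_BYTE 0xAA

/* Userspace model of vmalloc_array(): overflow-checked n * size, memory not
 * zeroed. The buffer is filled with POISON_BYTE so that a field the init loop
 * forgets shows up deterministically instead of as undefined behaviour (a
 * cheap stand-in for what KMSAN tracks with shadow memory). */
static void *model_alloc_array(size_t n, size_t size)
{
	if (size && n > SIZE_MAX / size)
		return NULL;
	void *p = malloc(n * size);
	if (p)
		memset(p, POISON_BYTE, n * size);
	return p;
}

/* Userspace model of vcalloc(): same overflow check, memory zeroed. */
static void *model_calloc(size_t n, size_t size)
{
	if (size && n > SIZE_MAX / size)
		return NULL;
	return calloc(n, size);
}

/* Mirrors what the commit message says the dvb_dmxdev_init() loop does:
 * only dev, buffer.data and state are assigned. */
static void init_filters(struct model_filter *f, size_t n, void *dev)
{
	for (size_t i = 0; i < n; i++) {
		f[i].dev = dev;
		f[i].buffer_data = NULL;
		f[i].state = 0;
	}
}

/* True if any field the loop skipped still holds allocator garbage, which is
 * what a reader running before the filter is configured would consume. */
static bool filter_has_uninit_fields(const struct model_filter *f)
{
	return f->todo != 0 || f->type != 0 ||
	       f->secheader[0] != 0 || f->secheader[1] != 0 ||
	       f->secheader[2] != 0;
}

/* Allocate filternum filters the way the driver does, run the partial init
 * loop and count the filters left with garbage in the skipped fields.
 * zeroed == false models the pre-patch vmalloc_array() path,
 * zeroed == true the post-patch vcalloc() path. Returns SIZE_MAX on OOM. */
size_t count_uninit_filters(size_t filternum, bool zeroed)
{
	struct model_filter *f = zeroed
		? model_calloc(filternum, sizeof(*f))
		: model_alloc_array(filternum, sizeof(*f));
	if (!f)
		return SIZE_MAX;
	int dummy_dev; /* constructed placeholder for the dev pointer */
	init_filters(f, filternum, &dummy_dev);
	size_t bad = 0;
	for (size_t i = 0; i < filternum; i++)
		if (filter_has_uninit_fields(&f[i]))
			bad++;
	free(f);
	return bad;
}

/* Both helpers refuse a count * size product that would overflow; that check
 * is what vmalloc_array() and vcalloc() share, zero-fill is what differs. */
bool allocators_reject_overflow(void)
{
	size_t n = SIZE_MAX / sizeof(struct model_filter) + 1;
	return model_alloc_array(n, sizeof(struct model_filter)) == NULL &&
	       model_calloc(n, sizeof(struct model_filter)) == NULL;
}

int main(void)
{
	printf("vmalloc_array-style: %zu of 8 filters carry uninitialized fields\n",
	       count_uninit_filters(8, false));
	printf("vcalloc-style:       %zu of 8 filters carry uninitialized fields\n",
	       count_uninit_filters(8, true));
	return 0;
}
```

The poison fill is only a debugging aid to make the missed initialization visible; in the kernel the same class of bug is what KMSAN reports, and booting with `init_on_alloc=1` would zero such allocations globally, whereas the targeted `vcalloc()` change fixes the driver on kernels that do not enable that option.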
Re: [PATCH] media: dvb-core: fix uninit-value in dvb_dmxdev_read_sec
Posted by Deepanshu Kartikey 1 month, 1 week ago
On Wed, Feb 11, 2026 at 9:28 AM Deepanshu Kartikey
<kartikey406@gmail.com> wrote:
>
> dvb_dmxdev_init() allocates the filter array using vmalloc_array(),
> which does not zero-initialize memory. The subsequent init loop only
> sets a few fields (dev, buffer.data, state), leaving other fields like
> todo, type, and secheader uninitialized. When dvb_demux_read() is
> called before the filter is fully configured, it reads these
> uninitialized fields, triggering a KMSAN uninit-value warning.
>
> Use vcalloc() instead to zero-initialize the entire allocation.
>
> Reported-by: syzbot+bd7c90de4c9f1f8ab660@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=bd7c90de4c9f1f8ab660
> Tested-by: syzbot+bd7c90de4c9f1f8ab660@syzkaller.appspotmail.com
> Fixes: e4b21577b463 ("media: dvb-core: use vmalloc_array to simplify code")
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
>  drivers/media/dvb-core/dmxdev.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
> index 8c6f5aafda1d..94010c4e4f89 100644
> --- a/drivers/media/dvb-core/dmxdev.c
> +++ b/drivers/media/dvb-core/dmxdev.c
> @@ -1414,7 +1414,7 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
>         if (dmxdev->demux->open(dmxdev->demux) < 0)
>                 return -EUSERS;
>
> -       dmxdev->filter = vmalloc_array(dmxdev->filternum,
> +       dmxdev->filter = vcalloc(dmxdev->filternum,
>                                        sizeof(struct dmxdev_filter));
>         if (!dmxdev->filter)
>                 return -ENOMEM;
> --
> 2.43.0
>


Hi,
Gentle ping on this patch. It's been about 10 days since I sent it.
This fixes a syzbot-reported KMSAN uninit-value bug in
dvb_dmxdev_read_sec() by replacing vmalloc_array() with vcalloc() in
dvb_dmxdev_init().
Please let me know if any changes are needed.

Thanks, Deepanshu Kartikey