Forwarded: [PATCH] media: dvb-core: fix uninit-value in dvbdmx_release_ts_feed()

syzbot posted 1 patch 2 days, 15 hours ago
drivers/media/dvb-core/dvb_demux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] media: dvb-core: fix uninit-value in dvbdmx_release_ts_feed()
Author: suunj1331@gmail.com

dvb_dmx_init() allocates feed and filter arrays with vmalloc_array(),
which does not initialize the allocated memory. If an error occurs during
dvb_dmxdev_start_feed() and dvbdmx_release_ts_feed() is called on a feed
that was never properly set up, dvbdmx_release_ts_feed() reads
uninitialized fields from the feed structure, triggering a KMSAN
uninit-value warning.

Fix this by using vcalloc() instead of vmalloc_array() to ensure the
structures are zero-initialized at allocation time.

Reported-by: syzbot+01d4620886bee3db0e74@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74
Fixes: e4b21577b463 ("media: dvb-core: use vmalloc_array to simplify code")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
---
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

 drivers/media/dvb-core/dvb_demux.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 290fc7961647..5c046db122ea 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1244,13 +1244,13 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
 
 	dvbdemux->cnt_storage = NULL;
 	dvbdemux->users = 0;
-	dvbdemux->filter = vmalloc_array(dvbdemux->filternum,
+	dvbdemux->filter = vcalloc(dvbdemux->filternum,
 					 sizeof(struct dvb_demux_filter));
 
 	if (!dvbdemux->filter)
 		return -ENOMEM;
 
-	dvbdemux->feed = vmalloc_array(dvbdemux->feednum,
+	dvbdemux->feed = vcalloc(dvbdemux->feednum,
 				       sizeof(struct dvb_demux_feed));
 	if (!dvbdemux->feed) {
 		vfree(dvbdemux->filter);
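Review bot: Zero-filling at both vcalloc() call sites makes the later read defined, but nothing in this hunk or the commit message shows that an all-zero struct dvb_demux_feed is a state dvbdmx_release_ts_feed() handles correctly. The message should name the field KMSAN flagged and state why zero is a safe value for it on the release path; if the release can reach a feed that was never set up, an explicit state check there would document the invariant instead of relying on the allocator. Style point: the continuation lines carrying sizeof(struct dvb_demux_filter) and sizeof(struct dvb_demux_feed) keep the indentation that matched the longer vmalloc_array( name, so they no longer align with the opening parenthesis of vcalloc( and should be re-indented.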
-- 
2.52.0