[PATCH] HID: hid-steam: fix uninit-value access in steam_get_serial

From: Pei Xiao

Date: Wed Jun 10 2026 - 08:04:22 EST


The reply buffer in steam_get_serial() is allocated on the stack without
initialization. In cases where steam_recv_report() returns a short read or
an error, not all bytes of the buffer are written, leading to subsequent
access of uninitialized memory when checking reply[0], reply[1], reply[2].

Zero-initialize the reply array to prevent KMSAN uninit-value warnings.

Logs:
hid-steam 0003:28DE:1102.0007: unknown main item tag 0x0
hid-steam 0003:28DE:1102.0007: unknown main item tag 0x0
hid-steam 0003:28DE:1102.0007: :
USB HID v7f.fd Device [HID 28de:1102] on usb-dummy_hcd.1-1/input0
=====================================================
BUG: KMSAN: uninit-value in steam_get_serial drivers/hid/hid-steam.c:457 [inline]
BUG: KMSAN: uninit-value in steam_register+0xd83/0x10e0 drivers/hid/hid-steam.c:965
steam_get_serial drivers/hid/hid-steam.c:457 [inline]
steam_register+0xd83/0x10e0 drivers/hid/hid-steam.c:965
steam_probe+0x6f1/0x19b0 drivers/hid/hid-steam.c:1273
__hid_device_probe drivers/hid/hid-core.c:2822 [inline]
hid_device_probe+0x60d/0xb90 drivers/hid/hid-core.c:2859
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x4d5/0xe40 drivers/base/dd.c:709
...

Local variable reply.i created at:
steam_get_serial drivers/hid/hid-steam.c:448 [inline]
steam_register+0x180/0x10e0 drivers/hid/hid-steam.c:965
steam_probe+0x6f1/0x19b0 drivers/hid/hid-steam.c:1273

Reported-by: syzbot+75f3f9bff8c510602d36@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/lkml/6a27d055.39669fcc.33b062.008d.GAE@xxxxxxxxxx/
Fixes: c164d6abf384 ("HID: add driver for Valve Steam Controller")
Signed-off-by: Pei Xiao <xiaopei01@xxxxxxxxxx>
---
drivers/hid/hid-steam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c
index 197126d6e081..f65ad1a21c01 100644
--- a/drivers/hid/hid-steam.c
+++ b/drivers/hid/hid-steam.c
@@ -445,7 +445,7 @@ static int steam_get_serial(struct steam_device *steam)
*/
int ret = 0;
u8 cmd[] = {ID_GET_STRING_ATTRIBUTE, sizeof(steam->serial_no), ATTRIB_STR_UNIT_SERIAL};
- u8 reply[3 + STEAM_SERIAL_LEN + 1];
+ u8 reply[3 + STEAM_SERIAL_LEN + 1] = { 0 };

mutex_lock(&steam->report_mutex);
ret = steam_send_report(steam, cmd, sizeof(cmd));
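
Review bot: zero-filling reply at its declaration silences the KMSAN report, but the short read or error from steam_recv_report() that the commit message names as the trigger is still not rejected, so the checks on reply[0], reply[1], reply[2] now run against zero padding instead of against data the device actually sent. Consider also checking the value returned by steam_recv_report() and bailing out with an error when it is negative or shorter than the 3 header bytes, before any of those bytes are read. That way a truncated reply is handled explicitly rather than relying on the zeros happening to fail the comparison. If the initializer is kept as defence in depth, a short comment on the declaration saying why it is there would stop it being removed as redundant later.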
--
2.25.1