Forwarded: [PATCH] media: dvb-core: fix uninit-value in dvb_dmxdev_read_sec
From: syzbot
Date: Tue Feb 10 2026 - 21:24:06 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] media: dvb-core: fix uninit-value in dvb_dmxdev_read_sec
Author: kartikey406@xxxxxxxxx
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
dvb_dmxdev_init() allocates the filter array using vmalloc_array(),
which does not zero-initialize memory. The subsequent init loop only
sets a few fields (dev, buffer.data, state), leaving other fields like
todo, type, and secheader uninitialized. When dvb_demux_read() is
called before the filter is fully configured, it reads these
uninitialized fields, triggering a KMSAN uninit-value warning.
Use vcalloc() instead to zero-initialize the entire allocation.
Reported-by: syzbot+bd7c90de4c9f1f8ab660@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=bd7c90de4c9f1f8ab660
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
drivers/media/dvb-core/dmxdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 8c6f5aafda1d..94010c4e4f89 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -1414,7 +1414,7 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
if (dmxdev->demux->open(dmxdev->demux) < 0)
return -EUSERS;
- dmxdev->filter = vmalloc_array(dmxdev->filternum,
+ dmxdev->filter = vcalloc(dmxdev->filternum,
sizeof(struct dmxdev_filter));
if (!dmxdev->filter)
return -ENOMEM;
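Review bot: The one-line switch from vmalloc_array() to vcalloc() is the right minimal fix for the KMSAN report, since both take (n, size) in the same order and vcalloc() zeroes the whole filter array, so todo, type and secheader are no longer left holding stale vmalloc contents; two things worth tightening before this lands. First, the commit message names dvb_demux_read() as the reader of the uninitialized fields while the subject line names dvb_dmxdev_read_sec, so please make the description and subject agree on which function trips the warning. Second, zeroing the array makes the read path see defined values but does not by itself reject a read on a filter that was never configured; if that ordering is something the driver is meant to refuse, a separate check in the read path (or a note in the commit message explaining why the zeroed state is a valid "not yet configured" state) would document the intent, and a Fixes: tag pointing at the commit that introduced the vmalloc_array() call would help stable backports.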
--
2.43.0