Re: [syzbot] [media?] KMSAN: uninit-value in dvbdmx_release_ts_feed
In reply to: [syzbot] [media?] KMSAN: uninit-value in dvbdmx_release_ts_feed (syzbot, 2026-02-08 1:15)
From: Edward Adam Davis @ 2026-02-08 9:05 UTC
To: syzbot+01d4620886bee3db0e74
Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 290fc7961647..669ce8b95ad5 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -670,18 +670,22 @@ static void dvb_demux_feed_add(struct dvb_demux_feed *feed)
spin_unlock_irq(&feed->demux->lock);
}
-static void dvb_demux_feed_del(struct dvb_demux_feed *feed)
+static int dvb_demux_feed_del(struct dvb_demux_feed *feed)
{
+ int ret;
spin_lock_irq(&feed->demux->lock);
if (!(dvb_demux_feed_find(feed))) {
pr_err("%s: feed not in list (type=%x state=%x pid=%x)\n",
__func__, feed->type, feed->state, feed->pid);
+ ret = -EINVAL;
goto out;
}
list_del(&feed->list_head);
+ ret = 0;
out:
spin_unlock_irq(&feed->demux->lock);
+ return ret;
}
static int dmx_ts_feed_set(struct dmx_ts_feed *ts_feed, u16 pid, int ts_type,
@@ -840,6 +844,7 @@ static int dvbdmx_release_ts_feed(struct dmx_demux *dmx,
{
struct dvb_demux *demux = (struct dvb_demux *)dmx;
struct dvb_demux_feed *feed = (struct dvb_demux_feed *)ts_feed;
+ int ret;
mutex_lock(&demux->mutex);
@@ -851,11 +856,12 @@ static int dvbdmx_release_ts_feed(struct dmx_demux *dmx,
feed->state = DMX_STATE_FREE;
feed->filter->state = DMX_STATE_FREE;
- dvb_demux_feed_del(feed);
+ ret = dvb_demux_feed_del(feed);
feed->pid = 0xffff;
- if (feed->ts_type & TS_DECODER && feed->pes_type < DMX_PES_OTHER)
+ if (!ret && feed->ts_type & TS_DECODER &&
+ feed->pes_type < DMX_PES_OTHER)
demux->pesfilter[feed->pes_type] = NULL;
mutex_unlock(&demux->mutex);
[PATCH] media: dvb-core: pesfilter shouldn't be set when feed is uninitialized
From: Edward Adam Davis @ 2026-02-08 9:35 UTC
To: syzbot+01d4620886bee3db0e74
Cc: linux-kernel, linux-media, mchehab, syzkaller-bugs
syzbot reported an uninit-value bug in [1].
When dmx_ts_feed_set() fails, the feed is not properly initialized. This
includes the feed not being added to the demux's feed_list and ts_type,
pes_type, etc., not being set. Under these circumstances, it is illogical
to determine whether to set the pesfilter in dvbdmx_release_ts_feed()
based on the uninitialized members ts_type and pes_type of the feed.
Since dvb_demux_feed_del() checks whether the feed has been successfully
added to the demux's feed_list, it can be confirmed that the feed has
been correctly initialized when it is added to the demux's feed_list.
A return value is added to dvb_demux_feed_del().
When the feed is not added to the feed_list, it is considered that the
feed has not yet been initialized, and when releasing the feed, it will
no longer determine whether to update the pesfilter based on its members.
[1]
BUG: KMSAN: uninit-value in dvbdmx_release_ts_feed+0x198/0x290 drivers/media/dvb-core/dvb_demux.c:858
dvbdmx_release_ts_feed+0x198/0x290 drivers/media/dvb-core/dvb_demux.c:858
dvb_dmxdev_start_feed drivers/media/dvb-core/dmxdev.c:-1 [inline]
dvb_dmxdev_filter_start+0x1187/0x1af0 drivers/media/dvb-core/dmxdev.c:766
Uninit was created at:
dvb_dmx_init+0x121/0x930 drivers/media/dvb-core/dvb_demux.c:1253
vidtv_bridge_dmx_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:334 [inline]
Reported-by: syzbot+01d4620886bee3db0e74@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74
Tested-by: syzbot+01d4620886bee3db0e74@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/media/dvb-core/dvb_demux.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 290fc7961647..669ce8b95ad5 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -670,18 +670,22 @@ static void dvb_demux_feed_add(struct dvb_demux_feed *feed)
spin_unlock_irq(&feed->demux->lock);
}
-static void dvb_demux_feed_del(struct dvb_demux_feed *feed)
+static int dvb_demux_feed_del(struct dvb_demux_feed *feed)
{
+ int ret;
spin_lock_irq(&feed->demux->lock);
if (!(dvb_demux_feed_find(feed))) {
pr_err("%s: feed not in list (type=%x state=%x pid=%x)\n",
__func__, feed->type, feed->state, feed->pid);
+ ret = -EINVAL;
goto out;
}
list_del(&feed->list_head);
+ ret = 0;
out:
spin_unlock_irq(&feed->demux->lock);
+ return ret;
}
static int dmx_ts_feed_set(struct dmx_ts_feed *ts_feed, u16 pid, int ts_type,
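Review bot: the new int return of dvb_demux_feed_del() carries no statement of its contract; a one-line comment above the function, e.g. `/* Returns 0 once the feed is unlinked, -EINVAL if it was never on feed_list */`, would tell callers that -EINVAL means "never initialised" rather than a transient failure. The signature changes without any other call site appearing in this diff; if dvb_demux_feed_del() has other callers in dvb_demux.c they now silently discard the status, which is acceptable for this fix but should be stated in the commit message. Finally, the existing pr_err() in the not-in-list branch now fires on what the commit message itself describes as an expected path (dmx_ts_feed_set() failing and the feed being released afterwards), so consider pr_debug() here, or leave logging to the caller that knows whether the condition is an error.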
@@ -840,6 +844,7 @@ static int dvbdmx_release_ts_feed(struct dmx_demux *dmx,
{
struct dvb_demux *demux = (struct dvb_demux *)dmx;
struct dvb_demux_feed *feed = (struct dvb_demux_feed *)ts_feed;
+ int ret;
mutex_lock(&demux->mutex);
@@ -851,11 +856,12 @@ static int dvbdmx_release_ts_feed(struct dmx_demux *dmx,
feed->state = DMX_STATE_FREE;
feed->filter->state = DMX_STATE_FREE;
- dvb_demux_feed_del(feed);
+ ret = dvb_demux_feed_del(feed);
feed->pid = 0xffff;
- if (feed->ts_type & TS_DECODER && feed->pes_type < DMX_PES_OTHER)
+ if (!ret && feed->ts_type & TS_DECODER &&
+ feed->pes_type < DMX_PES_OTHER)
demux->pesfilter[feed->pes_type] = NULL;
mutex_unlock(&demux->mutex);
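Review bot: the `!ret &&` guard only avoids the uninitialised read because `&&` short-circuits before `feed->ts_type` is evaluated; that is the whole point of the fix and deserves a comment above the `if`, e.g. `/* never added to feed_list: ts_type/pes_type were never assigned */`. While touching the line, parenthesise `(feed->ts_type & TS_DECODER)`; precedence is correct, but `&` mixed with `&&` unparenthesised is easy to misread. Note also that list membership is used here as a proxy for "ts_type/pes_type were assigned"; that is sound only because dmx_ts_feed_set() assigns those members and links the feed under the same demux->mutex that this function holds, and the commit message should say so. The vcalloc() change posted later in this thread removes the uninitialised read at its source; the two are complementary rather than alternatives, since zeroing at init does not stop a re-used feed slot from carrying stale ts_type/pes_type into this path (nothing here resets them on release).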
--
2.43.0
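To make the reasoning in the commit message concrete, here is a small constructed user-space model of the feed lifecycle. It is my own illustration, not kernel code and not from either patch author: `on_list` stands in for membership in `demux->feed_list`, `feed_set()` fails before touching the feed the way the reported path does, and the `TS_DECODER`/`DMX_PES_OTHER` values are placeholders rather than values from dmx.h. The scenario goes one step beyond the report: the demux is zero-initialised (as the vcalloc() patch later in the thread does), yet a feed slot that was used once, released, and then re-used with a failing set-up still carries stale `ts_type`/`pes_type`, so only the release path that honours the `feed_del()` status leaves another feed's pesfilter registration intact.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the dvb_demux feed lifecycle; not the
 * kernel's code.  The constants are placeholders, not taken from dmx.h. */
#define TS_DECODER    0x04
#define DMX_PES_OTHER 20
#define FEEDNUM       2

struct feed {
    bool on_list;           /* models membership in demux->feed_list */
    unsigned int ts_type;
    unsigned int pes_type;
};

struct demux {
    struct feed feed[FEEDNUM];
    struct feed *pesfilter[DMX_PES_OTHER];
};

/* Models dvb_dmx_init() with a zeroing allocator, as the vcalloc() patch does. */
static void demux_init(struct demux *d)
{
    memset(d, 0, sizeof(*d));
}

/* Models dmx_ts_feed_set(): on failure it returns before assigning
 * ts_type/pes_type or linking the feed, which is the reported path. */
static int feed_set(struct demux *d, struct feed *f, unsigned int ts_type,
                    unsigned int pes_type, bool fail)
{
    if (fail)
        return -EINVAL;
    if ((ts_type & TS_DECODER) && pes_type < DMX_PES_OTHER)
        d->pesfilter[pes_type] = f;
    f->ts_type = ts_type;
    f->pes_type = pes_type;
    f->on_list = true;      /* models dvb_demux_feed_add() */
    return 0;
}

/* Models dvb_demux_feed_del() after the patch: report whether the feed
 * was actually linked. */
static int feed_del(struct feed *f)
{
    if (!f->on_list)
        return -EINVAL;
    f->on_list = false;
    return 0;
}

/* Release as before the patch: feed_del() status ignored, members read
 * no matter how the feed got here. */
static void release_old(struct demux *d, struct feed *f)
{
    feed_del(f);
    if ((f->ts_type & TS_DECODER) && f->pes_type < DMX_PES_OTHER)
        d->pesfilter[f->pes_type] = NULL;
}

/* Release as after the patch: members trusted only when the feed had
 * been linked; && short-circuits before they are read. */
static void release_new(struct demux *d, struct feed *f)
{
    int ret = feed_del(f);

    if (!ret && (f->ts_type & TS_DECODER) && f->pes_type < DMX_PES_OTHER)
        d->pesfilter[f->pes_type] = NULL;
}

/* Scenario: slot 0 serves PES type 3 and is released cleanly; slot 1 then
 * registers for PES type 3; slot 0 is re-used, its feed_set() fails, and
 * it is released.  Returns true if slot 1's registration survived. */
static bool pesfilter_survives(bool patched)
{
    struct demux d;

    demux_init(&d);
    feed_set(&d, &d.feed[0], TS_DECODER, 3, false);
    release_new(&d, &d.feed[0]);      /* clean release; either variant: pesfilter[3] = NULL */
    feed_set(&d, &d.feed[1], TS_DECODER, 3, false);   /* pesfilter[3] = &feed[1] */

    /* slot 0 re-used: set-up fails, stale ts_type/pes_type remain */
    feed_set(&d, &d.feed[0], 0, 0, true);
    if (patched)
        release_new(&d, &d.feed[0]);
    else
        release_old(&d, &d.feed[0]);

    return d.pesfilter[3] == &d.feed[1];
}

int main(void)
{
    printf("re-used slot, unpatched release: %s\n",
           pesfilter_survives(false) ? "intact" : "clobbered");
    printf("re-used slot, patched release:   %s\n",
           pesfilter_survives(true) ? "intact" : "clobbered");
    return 0;
}
```

The unpatched release clobbers `pesfilter[3]`, which slot 1 legitimately owns; the patched release leaves it alone. A freshly zeroed slot whose set-up fails is harmless under both variants, because `ts_type == 0` never has `TS_DECODER` set; that is why zeroing the allocation alone silences KMSAN for the reported path, while the stale-value case on slot re-use is a logic issue KMSAN cannot see and only the status check catches.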
Forwarded: [PATCH] media: dvb-core: fix uninit-value in dvbdmx_release_ts_feed()
From: syzbot @ 2026-02-08 11:09 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] media: dvb-core: fix uninit-value in dvbdmx_release_ts_feed()
Author: suunj1331@gmail.com
dvb_dmx_init() allocates feed and filter arrays with vmalloc_array(),
which does not initialize the allocated memory. If an error occurs during
dvb_dmxdev_start_feed() and dvbdmx_release_ts_feed() is called on a feed
that was never properly set up, dvbdmx_release_ts_feed() reads
uninitialized fields from the feed structure, triggering a KMSAN
uninit-value warning.
Fix this by using vcalloc() instead of vmalloc_array() to ensure the
structures are zero-initialized at allocation time.
Reported-by: syzbot+01d4620886bee3db0e74@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74
Fixes: e4b21577b463 ("media: dvb-core: use vmalloc_array to simplify code")
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
---
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
drivers/media/dvb-core/dvb_demux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c
index 290fc7961647..5c046db122ea 100644
--- a/drivers/media/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb-core/dvb_demux.c
@@ -1244,13 +1244,13 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
dvbdemux->cnt_storage = NULL;
dvbdemux->users = 0;
- dvbdemux->filter = vmalloc_array(dvbdemux->filternum,
+ dvbdemux->filter = vcalloc(dvbdemux->filternum,
sizeof(struct dvb_demux_filter));
if (!dvbdemux->filter)
return -ENOMEM;
- dvbdemux->feed = vmalloc_array(dvbdemux->feednum,
+ dvbdemux->feed = vcalloc(dvbdemux->feednum,
sizeof(struct dvb_demux_feed));
if (!dvbdemux->feed) {
vfree(dvbdemux->filter);
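Review bot: vcalloc() zeroes both arrays and leaves the failure handling of the two allocations untouched, so the hunk itself is fine. Two points to settle in review. First, the Fixes: tag names e4b21577b463 ("media: dvb-core: use vmalloc_array to simplify code"); if the allocation that commit replaced was a plain vmalloc() rather than vzalloc(), the memory was not zeroed before it either, and the tag should point at the commit that introduced the non-zeroed allocation or be dropped. Second, zeroing at init only covers a feed slot's first use: the release path in the other patch on this thread resets state and pid but not ts_type or pes_type, so a slot that was used, released, and then re-used by a dmx_ts_feed_set() that fails will again have dvbdmx_release_ts_feed() consult stale members. The dvb_demux_feed_del() status check from the earlier patch addresses that case; the two fixes are complementary rather than alternatives, and the commit message should say which problem this one is meant to close.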
--
2.52.0