sdmmc_mem_send_scr() tries to malloc() with M_NOWAIT and returns 0 when the
allocation fails, which leads to sdmmc_mem_sd_init() passing uninitialized stack
memory to sdmmc_mem_decode_scr().
The diff below makes sdmmc_mem_send_scr() return ENOMEM if malloc fails.

ok?

diff --git a/sys/dev/sdmmc/sdmmc_mem.c b/sys/dev/sdmmc/sdmmc_mem.c
index fae8d63912d..715c412e6ea 100644
--- a/sys/dev/sdmmc/sdmmc_mem.c
+++ b/sys/dev/sdmmc/sdmmc_mem.c
@@ -465,8 +465,10 @@ sdmmc_mem_send_scr(struct sdmmc_softc *sc, uint32_t *scr)
        int error = 0;
 
        ptr = malloc(datalen, M_DEVBUF, M_NOWAIT | M_ZERO);
-       if (ptr == NULL)
+       if (ptr == NULL) {
+               error = ENOMEM;
                goto out;
+       }
 
        memset(&cmd, 0, sizeof(cmd));
        cmd.c_data = ptr;
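Review bot: The `int error = 0;` initialiser at the top of the hunk is what let the failed `malloc()` reach `out` looking like success, and the added `error = ENOMEM;` repairs only this one exit. The rest of sdmmc_mem_send_scr() lies outside the hunk, so it is worth checking that no other path reaches `out` with `error` still 0 before `*scr` has been written. As defence in depth, the caller named in the description could zero its SCR buffer before the call, so that a missed path decodes zeros rather than stale stack contents. A short comment on the new branch, such as `/* M_NOWAIT may fail; report it so the caller never decodes an unfilled SCR */`, would record why the error has to be set here.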
