On Mon, Jan 10, 2022 at 01:12:10PM +0100, Tobias Heider wrote:
> sdmmc_mem_send_scr() tries to malloc() with M_NOWAIT and returns 0 on
> error, which leads to sdmmc_mem_sd_init() passing uninitialized stack
> memory to sdmmc_mem_decode_scr().
> The diff below makes sdmmc_mem_send_scr() return ENOMEM if malloc fails.
>
> ok?

OK visa@ Isn't there a similar problem with M_NOWAIT in sdmmc_mem_sd_switch()? > diff --git a/sys/dev/sdmmc/sdmmc_mem.c b/sys/dev/sdmmc/sdmmc_mem.c > index fae8d63912d..715c412e6ea 100644 > --- a/sys/dev/sdmmc/sdmmc_mem.c > +++ b/sys/dev/sdmmc/sdmmc_mem.c > @@ -465,8 +465,10 @@ sdmmc_mem_send_scr(struct sdmmc_softc *sc, uint32_t *scr) > int error = 0; > > ptr = malloc(datalen, M_DEVBUF, M_NOWAIT | M_ZERO); > - if (ptr == NULL) > + if (ptr == NULL) { > + error = ENOMEM; > goto out; > + } > > memset(&cmd, 0, sizeof(cmd)); > cmd.c_data = ptr; >
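
Review bot: At the `ptr == NULL` branch, the new `error = ENOMEM` only closes the hole if every caller checks the return value before reading `scr`. The description says sdmmc_mem_sd_init() passed uninitialized stack memory to sdmmc_mem_decode_scr() when 0 came back, so consider also zero-initialising that caller's buffer, so that any later silent-success path cannot hand stack contents to the decoder. The `out:` label lies outside the visible context, so it is worth confirming that the cleanup there tolerates a NULL `ptr` now that this path is expected to be reached with a real error code.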