On Mon, Jan 10, 2022 at 03:21:49PM +0100, Tobias Heider wrote:
> On Mon, Jan 10, 2022 at 01:41:53PM +0000, Visa Hankala wrote:
> > On Mon, Jan 10, 2022 at 01:12:10PM +0100, Tobias Heider wrote:
> > > sdmmc_mem_send_scr() tries to malloc() with M_NOWAIT and returns 0 on
> > > error, which leads to sdmmc_mem_sd_init() passing uninitialized stack
> > > memory to sdmmc_mem_decode_scr().
> > > The diff below makes sdmmc_mem_send_scr() return ENOMEM if malloc fails.
> > > 
> > > ok?
> > 
> > OK visa@
> > 
> > Isn't there a similar problem with M_NOWAIT in sdmmc_mem_sd_switch()?
> > 
> 
> Right, here's an updated diff that fixes both.

Looks better. However, could the error branches return ENOMEM directly
instead of using goto out?

> diff --git a/sys/dev/sdmmc/sdmmc_mem.c b/sys/dev/sdmmc/sdmmc_mem.c
> index fae8d63912d..dfb72ec4bf8 100644
> --- a/sys/dev/sdmmc/sdmmc_mem.c
> +++ b/sys/dev/sdmmc/sdmmc_mem.c
> @@ -465,8 +465,10 @@ sdmmc_mem_send_scr(struct sdmmc_softc *sc, uint32_t *scr)
>       int error = 0;
>  
>       ptr = malloc(datalen, M_DEVBUF, M_NOWAIT | M_ZERO);
> -     if (ptr == NULL)
> +     if (ptr == NULL) {
> +             error = ENOMEM;
>               goto out;
> +     }
>  
>       memset(&cmd, 0, sizeof(cmd));
>       cmd.c_data = ptr;
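Review bot: in the `ptr == NULL` branch of sdmmc_mem_send_scr(), the allocation is the first resource acquired in the lines shown, so the jump to `out` has nothing visible to release. A plain `return ENOMEM;` there would drop the added braces and make the failure path obvious, provided the `out` label (outside this hunk) only frees `ptr`. The fix also depends on sdmmc_mem_sd_init() acting on the nonzero return before it calls sdmmc_mem_decode_scr(); that caller is not part of this diff, so it is worth confirming the check exists there.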
> @@ -607,8 +609,10 @@ sdmmc_mem_sd_switch(struct sdmmc_function *sf, int mode, 
> int group,
>       gsft = (group - 1) << 2;
>  
>       ptr = malloc(statlen, M_DEVBUF, M_NOWAIT | M_ZERO);
> -     if (ptr == NULL)
> +     if (ptr == NULL) {
> +             error = ENOMEM;
>               goto out;
> +     }
>  
>       memset(&cmd, 0, sizeof(cmd));
>       cmd.c_data = ptr;
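Review bot: in sdmmc_mem_sd_switch(), `error = ENOMEM;` is set just before `goto out`, but neither the declaration of `error` nor the code at `out` appears in this hunk, so check that nothing between the label and the return overwrites the value. As in the first hunk, `return ENOMEM;` at the `ptr == NULL` check would avoid that dependency. Callers that read the status buffer after this function returns should also be checked to bail out on a nonzero result, since before this change the failed allocation was reported as success.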
> 
