Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

iosys-map: Fix undefined behavior in iosys_map_clear()

The current iosys_map_clear() implementation reads the potentially
uninitialized 'is_iomem' boolean field to decide which union member
to clear. This causes undefined behavior when called on uninitialized
structures, as 'is_iomem' may contain garbage values like 0xFF.

UBSAN detects this as:
UBSAN: invalid-load in include/linux/iosys-map.h:267
load of value 255 is not a valid value for type '_Bool'

Fix by unconditionally clearing the entire structure with memset(),
eliminating the need to read uninitialized data and ensuring all
fields are set to known good values.

Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14639
Fixes: 01fd30da0474 ("dma-buf: Add struct dma-buf-map for storing struct dma_buf.vaddr_ptr")
Signed-off-by: Nitin Gote <nitin.r.gote@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250718105051.2709487-1-nitin.r.gote@intel.com

Authored by Nitin Gote, committed by Thomas Zimmermann (5634c8cb 05663d88)

+1 -6
include/linux/iosys-map.h
··· 264 264 */ 265 265 static inline void iosys_map_clear(struct iosys_map *map) 266 266 { 267 - if (map->is_iomem) { 268 - map->vaddr_iomem = NULL; 269 - map->is_iomem = false; 270 - } else { 271 - map->vaddr = NULL; 272 - } 267 + memset(map, 0, sizeof(*map)); 273 268 } 274 269 275 270 /**
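Review bot: the hunk introduces a memset() call into include/linux/iosys-map.h but adds no `#include <linux/string.h>`; please confirm the header already pulls it in, since nothing in this diff does and a header that relies on an incidental include chain breaks under minimal include orders. A secondary point on the same hunk: the new body zeroes both union members and is_iomem regardless of which mapping was active, so a cleared map is now exactly a zero-initialized one (is_iomem false, vaddr NULL), which is a strict superset of the old behaviour; the kernel-doc block that ends at the `*/` on line 264 could state this post-condition explicitly so callers know they may rely on it.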