tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

mtd: always initialize 'stats' in struct mtd_oob_ops

As the 'stats' field in struct mtd_oob_ops is used in conditional
expressions, ensure it is always zero-initialized in all such structures
to prevent random stack garbage from being interpreted as a pointer.

Strictly speaking, this problem currently only needs to be fixed for
struct mtd_oob_ops structures subsequently passed to mtd_read_oob().
However, this commit goes a step further and makes all instances of
struct mtd_oob_ops in the tree zero-initialized, in hope of preventing
future problems, e.g. if struct mtd_req_stats gets extended with write
statistics at some point.

Signed-off-by: Michał Kępień <kernel@kempniu.pl>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220629125737.14418-3-kernel@kempniu.pl

authored by

Michał Kępień and committed by
Miquel Raynal 745df179 65394169

+29 -29
+3 -3
drivers/mtd/inftlcore.c
··· 136 136 int inftl_read_oob(struct mtd_info *mtd, loff_t offs, size_t len, 137 137 size_t *retlen, uint8_t *buf) 138 138 { 139 - struct mtd_oob_ops ops; 139 + struct mtd_oob_ops ops = { }; 140 140 int res; 141 141 142 142 ops.mode = MTD_OPS_PLACE_OOB; ··· 156 156 int inftl_write_oob(struct mtd_info *mtd, loff_t offs, size_t len, 157 157 size_t *retlen, uint8_t *buf) 158 158 { 159 - struct mtd_oob_ops ops; 159 + struct mtd_oob_ops ops = { }; 160 160 int res; 161 161 162 162 ops.mode = MTD_OPS_PLACE_OOB; ··· 176 176 static int inftl_write(struct mtd_info *mtd, loff_t offs, size_t len, 177 177 size_t *retlen, uint8_t *buf, uint8_t *oob) 178 178 { 179 - struct mtd_oob_ops ops; 179 + struct mtd_oob_ops ops = { }; 180 180 int res; 181 181 182 182 ops.mode = MTD_OPS_PLACE_OOB;
+3 -3
drivers/mtd/mtdswap.c
··· 323 323 struct mtdswap_oobdata *data, *data2; 324 324 int ret; 325 325 loff_t offset; 326 - struct mtd_oob_ops ops; 326 + struct mtd_oob_ops ops = { }; 327 327 328 328 offset = mtdswap_eb_offset(d, eb); 329 329 ··· 370 370 struct mtdswap_oobdata n; 371 371 int ret; 372 372 loff_t offset; 373 - struct mtd_oob_ops ops; 373 + struct mtd_oob_ops ops = { }; 374 374 375 375 ops.ooboffs = 0; 376 376 ops.oobbuf = (uint8_t *)&n; ··· 878 878 loff_t base, pos; 879 879 unsigned int *p1 = (unsigned int *)d->page_buf; 880 880 unsigned char *p2 = (unsigned char *)d->oob_buf; 881 - struct mtd_oob_ops ops; 881 + struct mtd_oob_ops ops = { }; 882 882 int ret; 883 883 884 884 ops.mode = MTD_OPS_AUTO_OOB;
+2 -2
drivers/mtd/nand/onenand/onenand_base.c
··· 2935 2935 struct onenand_chip *this = mtd->priv; 2936 2936 unsigned char *pbuf = buf; 2937 2937 int ret; 2938 - struct mtd_oob_ops ops; 2938 + struct mtd_oob_ops ops = { }; 2939 2939 2940 2940 /* Force buffer page aligned */ 2941 2941 if (len < mtd->writesize) { ··· 2977 2977 size_t *retlen, u_char *buf) 2978 2978 { 2979 2979 struct onenand_chip *this = mtd->priv; 2980 - struct mtd_oob_ops ops; 2980 + struct mtd_oob_ops ops = { }; 2981 2981 int ret; 2982 2982 2983 2983 if (FLEXONENAND(this)) {
+1 -1
drivers/mtd/nand/onenand/onenand_bbt.c
··· 61 61 int startblock; 62 62 loff_t from; 63 63 size_t readlen; 64 - struct mtd_oob_ops ops; 64 + struct mtd_oob_ops ops = { }; 65 65 int rgn; 66 66 67 67 printk(KERN_INFO "Scanning device for bad blocks\n");
+4 -4
drivers/mtd/nand/raw/nand_bbt.c
··· 313 313 size_t len) 314 314 { 315 315 struct mtd_info *mtd = nand_to_mtd(this); 316 - struct mtd_oob_ops ops; 316 + struct mtd_oob_ops ops = { }; 317 317 int res, ret = 0; 318 318 319 319 ops.mode = MTD_OPS_PLACE_OOB; ··· 354 354 uint8_t *buf, uint8_t *oob) 355 355 { 356 356 struct mtd_info *mtd = nand_to_mtd(this); 357 - struct mtd_oob_ops ops; 357 + struct mtd_oob_ops ops = { }; 358 358 359 359 ops.mode = MTD_OPS_PLACE_OOB; 360 360 ops.ooboffs = 0; ··· 416 416 { 417 417 struct mtd_info *mtd = nand_to_mtd(this); 418 418 419 - struct mtd_oob_ops ops; 419 + struct mtd_oob_ops ops = { }; 420 420 int ret, page_offset; 421 421 422 422 ops.ooblen = mtd->oobsize; ··· 756 756 uint8_t rcode = td->reserved_block_code; 757 757 size_t retlen, len = 0; 758 758 loff_t to; 759 - struct mtd_oob_ops ops; 759 + struct mtd_oob_ops ops = { }; 760 760 761 761 ops.ooblen = mtd->oobsize; 762 762 ops.ooboffs = 0;
+1 -1
drivers/mtd/nand/raw/sm_common.c
··· 99 99 static int sm_block_markbad(struct nand_chip *chip, loff_t ofs) 100 100 { 101 101 struct mtd_info *mtd = nand_to_mtd(chip); 102 - struct mtd_oob_ops ops; 102 + struct mtd_oob_ops ops = { }; 103 103 struct sm_oob oob; 104 104 int ret; 105 105
+3 -3
drivers/mtd/nftlcore.c
··· 124 124 size_t *retlen, uint8_t *buf) 125 125 { 126 126 loff_t mask = mtd->writesize - 1; 127 - struct mtd_oob_ops ops; 127 + struct mtd_oob_ops ops = { }; 128 128 int res; 129 129 130 130 ops.mode = MTD_OPS_PLACE_OOB; ··· 145 145 size_t *retlen, uint8_t *buf) 146 146 { 147 147 loff_t mask = mtd->writesize - 1; 148 - struct mtd_oob_ops ops; 148 + struct mtd_oob_ops ops = { }; 149 149 int res; 150 150 151 151 ops.mode = MTD_OPS_PLACE_OOB; ··· 168 168 size_t *retlen, uint8_t *buf, uint8_t *oob) 169 169 { 170 170 loff_t mask = mtd->writesize - 1; 171 - struct mtd_oob_ops ops; 171 + struct mtd_oob_ops ops = { }; 172 172 int res; 173 173 174 174 ops.mode = MTD_OPS_PLACE_OOB;
+2 -2
drivers/mtd/sm_ftl.c
··· 239 239 uint8_t *buffer, struct sm_oob *oob) 240 240 { 241 241 struct mtd_info *mtd = ftl->trans->mtd; 242 - struct mtd_oob_ops ops; 242 + struct mtd_oob_ops ops = { }; 243 243 struct sm_oob tmp_oob; 244 244 int ret = -EIO; 245 245 int try = 0; ··· 323 323 int zone, int block, int boffset, 324 324 uint8_t *buffer, struct sm_oob *oob) 325 325 { 326 - struct mtd_oob_ops ops; 326 + struct mtd_oob_ops ops = { }; 327 327 struct mtd_info *mtd = ftl->trans->mtd; 328 328 int ret; 329 329
+1 -1
drivers/mtd/ssfdc.c
··· 163 163 /* Read redundancy area (wrapper to MTD_READ_OOB */ 164 164 static int read_raw_oob(struct mtd_info *mtd, loff_t offs, uint8_t *buf) 165 165 { 166 - struct mtd_oob_ops ops; 166 + struct mtd_oob_ops ops = { }; 167 167 int ret; 168 168 169 169 ops.mode = MTD_OPS_RAW;
+1 -1
drivers/mtd/tests/nandbiterrs.c
··· 99 99 static int rewrite_page(int log) 100 100 { 101 101 int err = 0; 102 - struct mtd_oob_ops ops; 102 + struct mtd_oob_ops ops = { }; 103 103 104 104 if (log) 105 105 pr_info("rewrite page\n");
+4 -4
drivers/mtd/tests/oobtest.c
··· 56 56 static int write_eraseblock(int ebnum) 57 57 { 58 58 int i; 59 - struct mtd_oob_ops ops; 59 + struct mtd_oob_ops ops = { }; 60 60 int err = 0; 61 61 loff_t addr = (loff_t)ebnum * mtd->erasesize; 62 62 ··· 165 165 static int verify_eraseblock(int ebnum) 166 166 { 167 167 int i; 168 - struct mtd_oob_ops ops; 168 + struct mtd_oob_ops ops = { }; 169 169 int err = 0; 170 170 loff_t addr = (loff_t)ebnum * mtd->erasesize; 171 171 size_t bitflips; ··· 260 260 261 261 static int verify_eraseblock_in_one_go(int ebnum) 262 262 { 263 - struct mtd_oob_ops ops; 263 + struct mtd_oob_ops ops = { }; 264 264 int err = 0; 265 265 loff_t addr = (loff_t)ebnum * mtd->erasesize; 266 266 size_t len = mtd->oobavail * pgcnt; ··· 338 338 int err = 0; 339 339 unsigned int i; 340 340 uint64_t tmp; 341 - struct mtd_oob_ops ops; 341 + struct mtd_oob_ops ops = { }; 342 342 loff_t addr = 0, addr0; 343 343 344 344 printk(KERN_INFO "\n");
+1 -1
drivers/mtd/tests/readtest.c
··· 47 47 err = ret; 48 48 } 49 49 if (mtd->oobsize) { 50 - struct mtd_oob_ops ops; 50 + struct mtd_oob_ops ops = { }; 51 51 52 52 ops.mode = MTD_OPS_PLACE_OOB; 53 53 ops.len = 0;
+3 -3
fs/jffs2/wbuf.c
··· 1035 1035 { 1036 1036 int i, ret; 1037 1037 int cmlen = min_t(int, c->oobavail, OOB_CM_SIZE); 1038 - struct mtd_oob_ops ops; 1038 + struct mtd_oob_ops ops = { }; 1039 1039 1040 1040 ops.mode = MTD_OPS_AUTO_OOB; 1041 1041 ops.ooblen = NR_OOB_SCAN_PAGES * c->oobavail; ··· 1076 1076 int jffs2_check_nand_cleanmarker(struct jffs2_sb_info *c, 1077 1077 struct jffs2_eraseblock *jeb) 1078 1078 { 1079 - struct mtd_oob_ops ops; 1079 + struct mtd_oob_ops ops = { }; 1080 1080 int ret, cmlen = min_t(int, c->oobavail, OOB_CM_SIZE); 1081 1081 1082 1082 ops.mode = MTD_OPS_AUTO_OOB; ··· 1101 1101 struct jffs2_eraseblock *jeb) 1102 1102 { 1103 1103 int ret; 1104 - struct mtd_oob_ops ops; 1104 + struct mtd_oob_ops ops = { }; 1105 1105 int cmlen = min_t(int, c->oobavail, OOB_CM_SIZE); 1106 1106 1107 1107 ops.mode = MTD_OPS_AUTO_OOB;