- memset(&cmd, 0, sizeof(cmd)); - cmd.cmd.scan_type = WMI_ACTIVE_SCAN; - cmd.cmd.num_channels = 0; + memset(cmd, 0, sizeof(*cmd));

Isn't this unnecessary, since the DEFINE_FLEX() logic "{ .obj.COUNTER = COUNT, }" should result in everything else being zeroed? And if that isn't sufficient, DEFINE_FLEX() itself says we should "Use __struct_size(@NAME) to get compile-time size of it afterwards". Note the current memset won't zero the flex array, and hence if the actual number of channels is less than 4 then kernel stack contents could be exposed to firmware.
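Review bot: the added `memset(cmd, 0, sizeof(*cmd));` clears only the fixed-size struct, not the flexible array that DEFINE_FLEX() reserves after it, so with fewer than the maximum number of channels the tail of the channel list keeps whatever was on the stack. Since DEFINE_FLEX() already initialises the whole object through its designated initializer, the memset can simply be dropped; if an explicit clear is wanted, the length should be `__struct_size(cmd)` rather than `sizeof(*cmd)` so the array is covered. Separately, the hunk removes `cmd.cmd.scan_type = WMI_ACTIVE_SCAN;` and `cmd.cmd.num_channels = 0;` with no visible replacement in this region; the counter is presumably set by the DEFINE_FLEX() initializer, but scan_type should be confirmed to be assigned elsewhere in the patch.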
Yes, that's correct. The current memset() will only zero out a total of sizeof(struct wmi_start_scan_cmd) bytes, which of course doesn't include the flex-array member. Thanks for the review, I'll remove that line!

-- Gustavo
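The size mismatch both replies describe, shown as an added C example that is not part of this thread or of the driver: a struct with a flexible array member has a sizeof that stops at the fixed header, so a memset of sizeof(*cmd) leaves the trailing channel list untouched. The struct layout, the MAX_CHANNELS value and the union standing in for DEFINE_FLEX() storage are constructed for this example; the full-size helper plays the role of __struct_size(), which is a kernel macro and is not used here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a scan command: fixed header followed by a
 * flexible array of channels. Not the driver's real layout. */
struct scan_cmd {
    uint32_t scan_type;
    uint32_t num_channels;
    uint16_t channel_list[];   /* flexible array member: contributes 0 to sizeof */
};

#define MAX_CHANNELS 4  /* constructed upper bound, like the "4" in the thread */

/* Userspace stand-in for DEFINE_FLEX() storage: room for the header plus
 * MAX_CHANNELS trailing elements. Unlike DEFINE_FLEX(), it is not
 * initialised here, so stale bytes can be observed on purpose. */
union scan_cmd_storage {
    struct scan_cmd cmd;
    unsigned char raw[sizeof(struct scan_cmd) + MAX_CHANNELS * sizeof(uint16_t)];
};

/* Equivalent of __struct_size(cmd): the full size of the object. */
static size_t scan_cmd_full_size(void)
{
    return sizeof(union scan_cmd_storage);
}

/* Bytes that memset(cmd, 0, sizeof(*cmd)) never reaches. */
static size_t bytes_missed_by_short_memset(void)
{
    return scan_cmd_full_size() - sizeof(struct scan_cmd);
}

/* Fill the storage with a marker, clear it either the way the hunk does
 * (header only) or with the full object size, and count surviving marker
 * bytes. Returns 0 only when the whole object, channel list included,
 * was zeroed. */
static size_t stale_bytes_after_clear(int use_full_size)
{
    union scan_cmd_storage st;
    memset(st.raw, 0xAA, sizeof(st.raw));   /* simulate leftover stack data */

    struct scan_cmd *cmd = &st.cmd;
    if (use_full_size)
        memset(cmd, 0, scan_cmd_full_size()); /* covers channel_list as well */
    else
        memset(cmd, 0, sizeof(*cmd));         /* header only, as in the + line */

    size_t stale = 0;
    for (size_t i = 0; i < sizeof(st.raw); i++)
        if (st.raw[i] == 0xAA)
            stale++;
    return stale;
}

int main(void)
{
    printf("sizeof(struct scan_cmd) = %zu, full object = %zu\n",
           sizeof(struct scan_cmd), scan_cmd_full_size());
    printf("stale bytes after sizeof(*cmd) memset: %zu\n",
           stale_bytes_after_clear(0));
    printf("stale bytes after full-size memset:    %zu\n",
           stale_bytes_after_clear(1));
    return 0;
}
```

With the constructed layout the header is 8 bytes and the full object 16, so the header-only memset leaves the entire 8-byte channel list stale; zeroing with the full object size (or relying on the initializer that DEFINE_FLEX() already applies) leaves nothing behind.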
