mtd: onenand: Fix uninitialized retlen in do_otp_read()

The function do_otp_read() does not set the output parameter *retlen,
which is expected to contain the number of bytes actually read.
As a result, in onenand_otp_walk(), the tmp_retlen variable remains
uninitialized after calling do_otp_walk() and used to change
the values of the buf, len and retlen variables.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 49dc08e ("[MTD] [OneNAND] fix numerous races")
Cc: [email protected]
Signed-off-by: Ivan Stepchenko <[email protected]>
Signed-off-by: Miquel Raynal <[email protected]>

Author: Ivan Stepchenko

drivers/mtd/nand/onenand/onenand_base.c

@@ -2923,6 +2923,7 @@ static int do_otp_read(struct mtd_info *mtd, loff_t from, size_t len,
 	ret = ONENAND_IS_4KB_PAGE(this) ?
 		onenand_mlc_read_ops_nolock(mtd, from, &ops) :
 		onenand_read_ops_nolock(mtd, from, &ops);
+	*retlen = ops.retlen;
 
 	/* Exit OTP access mode */
 	this->command(mtd, ONENAND_CMD_RESET, 0, 0);