block: floppy: fix uninitialized use of outparam in fd_locked_ioctl

Purva Yeshi · kawasaki · commit ac03334d64db · 2025-08-03T04:31:55.000+09:00
Fix Smatch-detected error:
drivers/block/floppy.c:3569 fd_locked_ioctl() error:
uninitialized symbol 'outparam'.

Use the outparam pointer only after it is explicitly initialized.
Previously, fd_copyout() was called unconditionally after the switch-case
statement, assuming outparam would always be set when _IOC_READ was active.
However, not all paths ensured this, which led to potential use of an
uninitialized pointer.

Move fd_copyout() calls directly into the relevant case blocks immediately
after outparam is set. This ensures it is only called when safe and
applicable.

Signed-off-by: Purva Yeshi &lt;purvayeshi550@gmail.com&gt;
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
@@ -3482,6 +3482,7 @@ static int fd_locked_ioctl(struct block_device *bdev, blk_mode_t mode,
 		memcpy(&inparam.g, outparam,
 				offsetof(struct floppy_struct, name));
 		outparam = &inparam.g;
+		return fd_copyout((void __user *)param, outparam, size);
 		break;
 	case FDMSGON:
 		drive_params[drive].flags |= FTD_MSG;
@@ -3515,13 +3516,15 @@ static int fd_locked_ioctl(struct block_device *bdev, blk_mode_t mode,
 		return 0;
 	case FDGETMAXERRS:
 		outparam = &drive_params[drive].max_errors;
+		return fd_copyout((void __user *)param, outparam, size);
 		break;
 	case FDSETMAXERRS:
 		drive_params[drive].max_errors = inparam.max_errors;
 		break;
 	case FDGETDRVTYP:
 		outparam = drive_name(type, drive);
 		SUPBOUND(size, strlen((const char *)outparam) + 1);
+		return fd_copyout((void __user *)param, outparam, size);
 		break;
 	case FDSETDRVPRM:
 		if (!valid_floppy_drive_params(inparam.dp.autodetect,
@@ -3531,6 +3534,7 @@ static int fd_locked_ioctl(struct block_device *bdev, blk_mode_t mode,
 		break;
 	case FDGETDRVPRM:
 		outparam = &drive_params[drive];
+		return fd_copyout((void __user *)param, outparam, size);
 		break;
 	case FDPOLLDRVSTAT:
 		if (lock_fdc(drive))
@@ -3541,17 +3545,20 @@ static int fd_locked_ioctl(struct block_device *bdev, blk_mode_t mode,
 		fallthrough;
 	case FDGETDRVSTAT:
 		outparam = &drive_state[drive];
+		return fd_copyout((void __user *)param, outparam, size);
 		break;
 	case FDRESET:
 		return user_reset_fdc(drive, (int)param, true);
 	case FDGETFDCSTAT:
 		outparam = &fdc_state[FDC(drive)];
+		return fd_copyout((void __user *)param, outparam, size);
 		break;
 	case FDWERRORCLR:
 		memset(&write_errors[drive], 0, sizeof(write_errors[drive]));
 		return 0;
 	case FDWERRORGET:
 		outparam = &write_errors[drive];
+		return fd_copyout((void __user *)param, outparam, size);
 		break;
 	case FDRAWCMD:
 		return floppy_raw_cmd_ioctl(type, drive, cmd, (void __user *)param);
@@ -3565,9 +3572,6 @@ static int fd_locked_ioctl(struct block_device *bdev, blk_mode_t mode,
 		return -EINVAL;
 	}
 
-	if (_IOC_DIR(cmd) & _IOC_READ)
-		return fd_copyout((void __user *)param, outparam, size);
-
 	return 0;
 }
 
