ChuanN-sudo/u-boot
1
0
Fork 0
forked from OERV-BSP/u-boot
Code Pull Requests Activity

virtio: fix freeing of virtio ring buffer

Browse Source 
If the allocation if the bounce buffer fails, virtio_free_pages is called
with a random value from the stack.

Ensure that vring.size is initialized.

Fixes: 37e53db38b ("virtio: Allocate bounce buffers for devices with VIRTIO_F_IOMMU_PLATFORM")
Addresses-Coverity-ID: 453314 Uninitialized scalar variable
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit is contained in:
Heinrich Schuchardt
2025-07-26 08:17:58 +02:00
committed by Tom Rini
parent c60898c9c6
commit 4b97de0e28
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/virtio/virtio_ring.c
View File

@@ -349,9 +349,10 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
/* TODO: allocate each queue chunk individually */
for (; num && vring_size(num, vring_align) > PAGE_SIZE; num /= 2) {
size_t sz = vring_size(num, vring_align);
vring.size = vring_size(num, vring_align);
queue = virtio_alloc_pages(vdev, DIV_ROUND_UP(sz, PAGE_SIZE));
queue = virtio_alloc_pages(vdev,
DIV_ROUND_UP(vring.size, PAGE_SIZE));
if (queue)
break;
}
@@ -362,6 +363,7 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
if (!queue) {
/* Try to get a single page. You are my only hope! */
queue = virtio_alloc_pages(vdev, 1);
vring.size = PAGE_SIZE;
}
if (!queue)
return NULL;