[PATCH 1/1] virtio: fix freeing of virtio ring buffer

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Sat Jul 26 08:17:58 CEST 2025


If the allocation of the bounce buffer fails, virtio_free_pages is called
with a random value from the stack.

Ensure that vring.size is initialized.

Fixes: 37e53db38bdb ("virtio: Allocate bounce buffers for devices with VIRTIO_F_IOMMU_PLATFORM")
Addresses-Coverity-ID: 453314 Uninitialized scalar variable
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
---
 drivers/virtio/virtio_ring.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 306fa5b3f68..3a40b12f6e5 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -349,9 +349,10 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
 
 	/* TODO: allocate each queue chunk individually */
 	for (; num && vring_size(num, vring_align) > PAGE_SIZE; num /= 2) {
-		size_t sz = vring_size(num, vring_align);
+		vring.size = vring_size(num, vring_align);
 
-		queue = virtio_alloc_pages(vdev, DIV_ROUND_UP(sz, PAGE_SIZE));
+		queue = virtio_alloc_pages(vdev,
+					   DIV_ROUND_UP(vring.size, PAGE_SIZE));
 		if (queue)
 			break;
 	}
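Review bot: this hunk only initialises vring.size when the loop body runs at least once; if vring_size(num, vring_align) is already <= PAGE_SIZE on entry, the loop is skipped and vring.size is left to the single-page fallback below, so please double-check that nothing between the end of this loop and that fallback reads vring.size. Replacing the local `sz` with `vring.size` also means the struct field is overwritten on every failed iteration of the halving loop; that is harmless here because the last successful (or the fallback) assignment wins, but a short comment such as `/* vring.size must match the pages actually allocated, it is used by the free path */` would make the reason for the change visible to the next reader.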
@@ -362,6 +363,7 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
 	if (!queue) {
 		/* Try to get a single page. You are my only hope! */
 		queue = virtio_alloc_pages(vdev, 1);
+		vring.size = PAGE_SIZE;
 	}
 	if (!queue)
 		return NULL;
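Review bot: `vring.size = PAGE_SIZE;` is assigned unconditionally after `virtio_alloc_pages(vdev, 1)`, which is fine only because `if (!queue) return NULL;` follows immediately and no free happens on that path; consider adding a comment saying that vring.size is the value the later bounce-buffer error path hands to virtio_free_pages, since that error path is not part of this diff and the commit message is the only place the dependency is stated. The hunk does not show how that error path converts vring.size into a page count, so a reviewer should confirm it uses DIV_ROUND_UP(vring.size, PAGE_SIZE) consistently with the allocation above rather than the (now possibly halved) `num`.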
-- 
2.50.0
