From: Heinrich Schuchardt
Date: Sat, 26 Jul 2025 06:17:58 +0000 (+0200)
Subject: virtio: fix freeing of virtio ring buffer
X-Git-Tag: v2025.10-rc2~8
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b97de0e28fc215d3f41bb01f3410baa5e9243d8;p=pandora-u-boot.git

virtio: fix freeing of virtio ring buffer

If the allocation if the bounce buffer fails, virtio_free_pages is called with a random value from the stack. Ensure that vring.size is initialized.

Fixes: 37e53db38bdb ("virtio: Allocate bounce buffers for devices with VIRTIO_F_IOMMU_PLATFORM")
Addresses-Coverity-ID: 453314 Uninitialized scalar variable
Signed-off-by: Heinrich Schuchardt
---
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 306fa5b3f68..3a40b12f6e5 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -349,9 +349,10 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
 /* TODO: allocate each queue chunk individually */
 for (; num && vring_size(num, vring_align) > PAGE_SIZE; num /= 2) {
- size_t sz = vring_size(num, vring_align);
+ vring.size = vring_size(num, vring_align);
- queue = virtio_alloc_pages(vdev, DIV_ROUND_UP(sz, PAGE_SIZE));
+ queue = virtio_alloc_pages(vdev,
+ DIV_ROUND_UP(vring.size, PAGE_SIZE));
 if (queue)
 break;
 }
@@ -362,6 +363,7 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
 if (!queue) {
 /* Try to get a single page. You are my only hope! */
 queue = virtio_alloc_pages(vdev, 1);
+ vring.size = PAGE_SIZE;
 }
 if (!queue)
 return NULL;
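Review bot: After this change `vring.size` is the only record of how many pages sit behind `queue`, yet neither assignment site (the loop in the first hunk, the single-page fallback in the second) says so. Any later write to that field before the error path runs would change what gets freed; whether ring initialisation outside these hunks does that cannot be seen here. A comment at the first assignment would pin the invariant, e.g. `/* vring.size must match the pages behind 'queue': the error path derives the page count for virtio_free_pages() from it */`. In the second hunk the assignment also runs when the single-page allocation fails, which is harmless only because the following `if (!queue) return NULL;` exits immediately. The function starts and ends outside both hunks, so the free call is known from the commit message rather than from visible lines.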