virtio: fix freeing of virtio ring buffer

If the allocation if the bounce buffer fails, virtio_free_pages is called
with a random value from the stack.

Ensure that vring.size is initialized.

Fixes: 37e53db38bdb ("virtio: Allocate bounce buffers for devices with VIRTIO_F_IOMMU_PLATFORM")
Addresses-Coverity-ID: 453314 Uninitialized scalar variable
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 306fa5b3f6816cac82b52946644f9120dae09f5e..3a40b12f6e574936c93c6579c87d797436adc241 100644 (file)
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -349,9 +349,10 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
 
        /* TODO: allocate each queue chunk individually */
        for (; num && vring_size(num, vring_align) > PAGE_SIZE; num /= 2) {
-               size_t sz = vring_size(num, vring_align);
+               vring.size = vring_size(num, vring_align);
 
-               queue = virtio_alloc_pages(vdev, DIV_ROUND_UP(sz, PAGE_SIZE));
+               queue = virtio_alloc_pages(vdev,
+                                          DIV_ROUND_UP(vring.size, PAGE_SIZE));
                if (queue)
                        break;
        }
@@ -362,6 +363,7 @@ struct virtqueue *vring_create_virtqueue(unsigned int index, unsigned int num,
        if (!queue) {
                /* Try to get a single page. You are my only hope! */
                queue = virtio_alloc_pages(vdev, 1);
+               vring.size = PAGE_SIZE;
        }
        if (!queue)
                return NULL;