virtio_ring: fix unmap of indirect descriptors · cf8f1696
Matthias Lange authored

The function virtqueue_add_split() DMA-maps the scatterlist buffers. In
case a mapping error occurs the already mapped buffers must be unmapped.
This happens by jumping to the 'unmap_release' label.

In case of indirect descriptors the release is wrong and may leak kernel
memory. Because the implementation assumes that the head descriptor is
already mapped it starts iterating over the descriptor list starting
from the head descriptor. However, for indirect descriptors the head
descriptor is never mapped in case of an error.

The fix is to initialize the start index with zero in case of indirect
descriptors and use the 'desc' pointer directly for iterating over the
descriptor chain.

Signed-off-by: Matthias Lange <matthias.lange@kernkonzept.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
virtio_ring.c 60.4 KB
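The following is an added user-space model of the error path the commit message describes; it is not the kernel's code and is not part of this commit page. The descriptor layout, the fake DMA layer, the ring size, the free-list `next` links and the choice of head index are assumptions made so the walk can run stand-alone. The `fixed` flag selects between the two cleanup strategies: starting at `head` and following the main ring's `next` links (the behaviour described as wrong for indirect chains), and starting at index 0 and following the `next` links of the indirect table through the `desc` pointer (the fix). The function returns how many fake DMA mappings are still held after the error path ran, so a non-zero result on a failed add is the leak.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code: a minimal model of the unmap_release
 * path in virtqueue_add_split() for an indirect descriptor chain.
 * Sizes, addresses and the head index are assumptions for the demo.
 */

#define RING_SIZE         8   /* main (split) ring, assumed size */
#define INDIRECT_MAX      8   /* separately allocated indirect table, assumed size */
#define VRING_DESC_F_NEXT 1

struct vring_desc {
    uint64_t addr;   /* bus address produced by the mapping step */
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

/* Fake DMA layer: counts mappings that have not been undone. */
static int outstanding;  /* mappings still held */
static int mapping_no;   /* running count of map attempts */
static int fail_on;      /* 1-based attempt that is forced to fail (0 = never) */

static bool fake_dma_map(uint64_t cpu_addr, uint64_t *bus_addr)
{
    if (++mapping_no == fail_on)
        return false;
    outstanding++;
    *bus_addr = cpu_addr | 0x8000000000ULL;  /* arbitrary bus-address tag */
    return true;
}

/* A descriptor that was never filled in (len == 0) has nothing to undo. */
static void fake_unmap_one(struct vring_desc *d)
{
    if (d->len == 0)
        return;
    outstanding--;
    d->len = 0;
}

/*
 * Map total_sg buffers into an indirect table, forcing map attempt number
 * fail_on_attempt to fail (0 means all succeed). Returns the number of
 * mappings still outstanding: after a failure, 0 means complete cleanup
 * and anything else is a leak; on success it equals total_sg (in use).
 */
int add_indirect(int total_sg, int fail_on_attempt, int head, bool fixed)
{
    struct vring_desc ring[RING_SIZE];
    struct vring_desc indir[INDIRECT_MAX];
    struct vring_desc *desc = indir;  /* indirect case: chain lives in the table */
    int i = 0, n, err_idx;

    memset(ring, 0, sizeof(ring));
    memset(indir, 0, sizeof(indir));
    for (n = 0; n < RING_SIZE; n++)   /* free-list style links in the main ring */
        ring[n].next = (uint16_t)(n + 1);

    outstanding = 0;
    mapping_no = 0;
    fail_on = fail_on_attempt;

    for (n = 0; n < total_sg; n++) {
        uint64_t bus;
        if (!fake_dma_map(0x1000ULL * (uint64_t)(n + 1), &bus))
            goto unmap_release;
        desc[i].addr = bus;
        desc[i].len = 4096;
        desc[i].flags = VRING_DESC_F_NEXT;
        desc[i].next = (uint16_t)(i + 1);
        i++;
    }
    /* Success: mapping the table itself and filling ring[head] is not modelled. */
    return outstanding;

unmap_release:
    err_idx = i;
    /* Old walk: start at head and follow the main ring. ring[head] was never
     * filled for an indirect chain, so table entries 0..err_idx-1 stay mapped.
     * Fixed walk: start at 0 and follow the indirect table via desc. */
    i = fixed ? 0 : head;
    for (n = 0; n < total_sg; n++) {
        if (i == err_idx)
            break;
        if (i >= INDIRECT_MAX)   /* model-only guard so the demo never reads past the table */
            break;
        fake_unmap_one(&desc[i]);
        i = fixed ? desc[i].next : ring[i].next;
    }
    return outstanding;
}

int main(void)
{
    /* Third of three mappings fails; head slot 2 is an assumed free slot. */
    printf("old walk leaves %d mapping(s) held\n", add_indirect(3, 3, 2, false));
    printf("fixed walk leaves %d mapping(s) held\n", add_indirect(3, 3, 2, true));
    return 0;
}
```

With three buffers and the third mapping failing, the old walk starts at the head index and either hits `err_idx` at once or visits empty table slots, so the two real mappings remain held; the fixed walk unmaps entries 0 and 1 and stops at `err_idx`.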