If iopt_unmap_iova() fails then "unmapped" is uninitialized. Copying it to the user can leak stack information. Fixes: 32c328dc9b73 ("iommufd: vfio container FD ioctl compatibility") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/iommu/iommufd/vfio_compat.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/iommu/iommufd/vfio_compat.c b/drivers/iommu/iommufd/vfio_compat.c index 976aa12b247d..30a13552d632 100644 --- a/drivers/iommu/iommufd/vfio_compat.c +++ b/drivers/iommu/iommufd/vfio_compat.c @@ -189,6 +189,9 @@ static int iommufd_vfio_unmap_dma(struct iommufd_ctx *ictx, unsigned int cmd, rc = iopt_unmap_iova(&ioas->iopt, unmap.iova, unmap.size, &unmapped); } + if (rc) + goto err_put; + unmap.size = unmapped; if (copy_to_user(arg, &unmap, minsz)) rc = -EFAULT; -- 2.35.1
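Review bot: The `if (rc) goto err_put;` is placed correctly, after the closing brace of the conditional and before `unmap.size = unmapped;`, so the uninitialized `unmapped` is never copied out when `iopt_unmap_iova()` fails, and the error is routed through `err_put` rather than being masked by the later `rc = -EFAULT` from `copy_to_user()`. As belt-and-braces against the same class of bug, consider also zero-initializing `unmapped` at its declaration (outside this hunk) so that any other arm of that conditional, or a future path that reaches `copy_to_user()` without writing it, cannot leak stack bytes either; with the declaration not visible here, the hunk as shown still needs the early exit regardless of that change.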