vhost: initialize vq->nheads properly

Commit 7918bb2d19c9 ("vhost: basic in order support") introduces
vq->nheads to store the number of batched used buffers per used elem
but it forgets to initialize the vq->nheads to NULL in
vhost_dev_init() this will cause kfree() that would try to free it
without be allocated if SET_OWNER is not called.

Reported-by: JAEHOON KIM <jhkim@linux.ibm.com>
Reported-by: Breno Leitao <leitao@debian.org>
Fixes: 45347e79b544 ("vhost: basic in order support")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20250729073916.80647-1-jasowang@redhat.com>
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Tested-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Tested-by: Jaehoon Kim <jhkim@linux.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 23286e4d7b492aefc4cb343573220a6215d68e4c..8570fdf2e14ab57806599847b0feff2a2c1c4201 100644 (file)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -615,6 +615,7 @@ void vhost_dev_init(struct vhost_dev *dev,
                vq->log = NULL;
                vq->indirect = NULL;
                vq->heads = NULL;
+               vq->nheads = NULL;
                vq->dev = dev;
                mutex_init(&vq->mutex);
                vhost_vq_reset(dev, vq);