From 6ccb5e308ceeb895fbccd87a528a8bd24325aa39 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roger=20Pau=20Monn=C3=A9?=
Date: Wed, 26 Oct 2022 14:55:30 +0200
Subject: [PATCH] vpci: don't assume that vpci per-device data exists unconditionally
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

It's possible for a device to be assigned to a domain but have no vpci structure if vpci_process_pending() failed and called vpci_remove_device() as a result. The unconditional accesses done by vpci_{read,write}() and vpci_remove_device() to pdev->vpci would then trigger a NULL pointer dereference. Add checks for pdev->vpci presence in the affected functions.
Fixes: 9c244fdef7 ('vpci: add header handlers')
Signed-off-by: Roger Pau Monné
Reviewed-by: Jan Beulich
Release-acked-by: Henry Wang
---
 xen/drivers/vpci/vpci.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c
index 3467c0de86..647f7af679 100644
--- a/xen/drivers/vpci/vpci.c
+++ b/xen/drivers/vpci/vpci.c
@@ -37,7 +37,7 @@ extern vpci_register_init_t *const __end_vpci_array[];
 
 void vpci_remove_device(struct pci_dev *pdev)
 {
- if ( !has_vpci(pdev->domain) )
+ if ( !has_vpci(pdev->domain) || !pdev->vpci )
 return;
 
 spin_lock(&pdev->vpci->lock);
@@ -326,7 +326,7 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size)
 
 /* Find the PCI dev matching the address. */
 pdev = pci_get_pdev(d, sbdf);
- if ( !pdev )
+ if ( !pdev || !pdev->vpci )
 return vpci_read_hw(sbdf, reg, size);
 
 spin_lock(&pdev->vpci->lock);
@@ -436,7 +436,7 @@ void vpci_write(pci_sbdf_t sbdf, unsigned int reg, unsigned int size,
 * Passthrough everything that's not trapped.
 */
 pdev = pci_get_pdev(d, sbdf);
- if ( !pdev )
+ if ( !pdev || !pdev->vpci )
 {
 vpci_write_hw(sbdf, reg, size, data);
 return;
-- 
2.30.2
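Review bot: The added `!pdev->vpci` test is only as good as the serialization of pdev->vpci itself: in this hunk and in the vpci_read()/vpci_write() hunks below, the check is followed by `spin_lock(&pdev->vpci->lock)` (in vpci_write() that call lies outside the hunk), so if a concurrent vpci_remove_device() — the path the commit message names as the one that tears the structure down — can clear pdev->vpci between the test and the dereference, the NULL or freed pointer is still reachable. Presumably pdev->vpci is assigned and cleared under the pcidevs lock and callers of vpci_remove_device() hold it, but the config-access paths do not visibly take any lock before the test, so the assumption should be stated next to it, e.g. `/* pdev->vpci is only stable under the lock guarding its assignment; callers must hold it. */`. If the read/write paths cannot rely on that lock, a bare NULL test is not sufficient and the check needs to happen under whatever serializes the teardown. vpci_remove_device()'s body continues outside the hunk.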
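Review bot: The fallback to vpci_read_hw() when pdev exists but pdev->vpci is NULL turns a device whose vpci handlers failed to initialise into a fully untrapped one, and the vpci_write() hunk does the same with vpci_write_hw(), so every config-space access to that device becomes unmediated passthrough rather than a NULL dereference. For the hardware domain that is consistent with the existing "Passthrough everything that's not trapped" comment visible in the vpci_write() hunk, but if has_vpci() ever holds for a domain that relies on the handlers for isolation (e.g. BAR or MSI/MSI-X trapping), this silently degrades to direct hardware access for that device. A comment at the check would make the intent explicit, e.g. `/* No vpci state (init failed): treat the whole config space as untrapped. */`, and a rate-limited or one-time warning on this path would make the failure visible in the logs instead of silent. vpci_read()'s body continues outside the hunk.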