From 47b4d562b6a3441020fb6a7762603d1d3a74db27 Mon Sep 17 00:00:00 2001
From: Paul Durrant
Date: Fri, 10 Jul 2015 17:45:46 +0200
Subject: [PATCH] x86/hvm: avoid potential NULL pointer dereferences
Coverity flagged that hvm_next_io_handler() will return NULL after calling domain_crash() and this will then lead to NULL pointer dereferences in calling functions. This patch checks for NULL in the callers and bails in that case.
Signed-off-by: Paul Durrant
Reviewed-by: Andrew Cooper
---
 xen/arch/x86/hvm/intercept.c | 6 ++++++
 xen/arch/x86/hvm/io.c | 3 +++
 xen/arch/x86/hvm/stdvga.c | 4 ++++
 3 files changed, 13 insertions(+)
diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c
index 19edd4181e..08a4e73ee4 100644
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -265,6 +265,9 @@ void register_mmio_handler(struct domain *d,
 {
 struct hvm_io_handler *handler = hvm_next_io_handler(d);
+ if ( handler == NULL )
+ return;
+
 handler->type = IOREQ_TYPE_COPY;
 handler->ops = &mmio_ops;
 handler->mmio.ops = ops;
@@ -275,6 +278,9 @@ void register_portio_handler(struct domain *d, unsigned int port,
 {
 struct hvm_io_handler *handler = hvm_next_io_handler(d);
+ if ( handler == NULL )
+ return;
+
 handler->type = IOREQ_TYPE_PIO;
 handler->ops = &portio_ops;
 handler->portio.port = port;
diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c
index 3b51d5939d..bbfc31d1a0 100644
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -256,6 +256,9 @@ void register_dpci_portio_handler(struct domain *d)
 {
 struct hvm_io_handler *handler = hvm_next_io_handler(d);
+ if ( handler == NULL )
+ return;
+
 handler->type = IOREQ_TYPE_PIO;
 handler->ops = &dpci_portio_ops;
 }
diff --git a/xen/arch/x86/hvm/stdvga.c b/xen/arch/x86/hvm/stdvga.c
index 4a7593d3f6..ebb3b42caa 100644
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
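Review bot: The bare `return` after `if ( handler == NULL )` in register_mmio_handler() leaves nothing in the code to say why a failed registration may be dropped silently. The same applies to the identical checks in register_portio_handler(), register_dpci_portio_handler() and stdvga_init(). Per the commit message the NULL only follows a domain_crash() inside hvm_next_io_handler(), so a comment such as `/* hvm_next_io_handler() has already crashed the domain */` above each check would keep that contract visible. All three register_* functions return void, so their callers cannot observe the failure and presumably carry on initialising a domain that is already marked crashed; that looks intentional but is worth stating. The bodies of register_mmio_handler() and register_portio_handler() continue past their hunks.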
@@ -574,6 +574,10 @@ void stdvga_init(struct domain *d)
 /* VGA memory */
 handler = hvm_next_io_handler(d);
+
+ if ( handler == NULL )
+ return;
+
 handler->type = IOREQ_TYPE_COPY;
 handler->ops = &stdvga_mem_ops;
 }
-- 
2.30.2
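Review bot: The `return` added after `handler = hvm_next_io_handler(d);` leaves stdvga_init() partway through, so whatever the function set up before `/* VGA memory */` stays in place without the MMIO handler that normally accompanies it. That earlier part of the function is outside the hunk, so it should be confirmed that the domain teardown path copes with this half-initialised state; presumably it does, since the domain has been crashed by then. If so, a comment at the check such as `/* Domain already crashed; stdvga state is released at domain teardown */` would record the reasoning.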