x86/hvm: avoid potential NULL pointer dereferences

Coverity flagged that hvm_next_io_handler() will return NULL after
calling domain_crash() and this will then lead to NULL pointer
dereferences in calling functions.

This patch checks for NULL in the callers and bails in that case.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/hvm/intercept.c b/xen/arch/x86/hvm/intercept.c
index 19edd4181e98034ac9bd0df8b9ca1a6bd1704310..08a4e73ee425375ff4c90a79111ceafa38420fe3 100644 (file)
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -265,6 +265,9 @@ void register_mmio_handler(struct domain *d,
 {
     struct hvm_io_handler *handler = hvm_next_io_handler(d);
 
+    if ( handler == NULL )
+        return;
+
     handler->type = IOREQ_TYPE_COPY;
     handler->ops = &mmio_ops;
     handler->mmio.ops = ops;
@@ -275,6 +278,9 @@ void register_portio_handler(struct domain *d, unsigned int port,
 {
     struct hvm_io_handler *handler = hvm_next_io_handler(d);
 
+    if ( handler == NULL )
+        return;
+
     handler->type = IOREQ_TYPE_PIO;
     handler->ops = &portio_ops;
     handler->portio.port = port;

diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c
index 3b51d5939d8ba0a8be777ef7b6cd6c3c95c317ab..bbfc31d1a00ab73f576f9b84ffac128db8916796 100644 (file)
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -256,6 +256,9 @@ void register_dpci_portio_handler(struct domain *d)
 {
     struct hvm_io_handler *handler = hvm_next_io_handler(d);
 
+    if ( handler == NULL )
+        return;
+
     handler->type = IOREQ_TYPE_PIO;
     handler->ops = &dpci_portio_ops;
 }

diff --git a/xen/arch/x86/hvm/stdvga.c b/xen/arch/x86/hvm/stdvga.c
index 4a7593d3f621c55404305010cc393ed567d8a5f1..ebb3b42caa49ccdafa9ec50a8ba8c56841f1858f 100644 (file)
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -574,6 +574,10 @@ void stdvga_init(struct domain *d)
 
         /* VGA memory */
         handler = hvm_next_io_handler(d);
+
+        if ( handler == NULL )
+            return;
+
         handler->type = IOREQ_TYPE_COPY;
         handler->ops = &stdvga_mem_ops;
     }