From: Roger Pau Monné
Date: Mon, 31 Oct 2022 12:25:13 +0000 (+0100)
Subject: vpci: don't assume that vpci per-device data exists unconditionally
X-Git-Tag: archive/raspbian/4.16.2+90-g0d39a6d1ae-1+rpi1^2~28^2~54
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=96d26f11f56e83b98ec184f4e0d17161efe3a927;p=xen.git

vpci: don't assume that vpci per-device data exists unconditionally

It's possible for a device to be assigned to a domain but have no vpci structure if vpci_process_pending() failed and called vpci_remove_device() as a result. The unconditional accesses done by vpci_{read,write}() and vpci_remove_device() to pdev->vpci would then trigger a NULL pointer dereference. Add checks for pdev->vpci presence in the affected functions.

Fixes: 9c244fdef7 ('vpci: add header handlers')
Signed-off-by: Roger Pau Monné
Reviewed-by: Jan Beulich
master commit: 6ccb5e308ceeb895fbccd87a528a8bd24325aa39
master date: 2022-10-26 14:55:30 +0200
---

diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c
index dfc8136ffb..53d78d5391 100644
--- a/xen/drivers/vpci/vpci.c
+++ b/xen/drivers/vpci/vpci.c
@@ -37,7 +37,7 @@ extern vpci_register_init_t *const __end_vpci_array[];
 
 void vpci_remove_device(struct pci_dev *pdev)
 {
- if ( !has_vpci(pdev->domain) )
+ if ( !has_vpci(pdev->domain) || !pdev->vpci )
 return;
 
 spin_lock(&pdev->vpci->lock);
@@ -326,7 +326,7 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size)
 
 /* Find the PCI dev matching the address. */
 pdev = pci_get_pdev_by_domain(d, sbdf.seg, sbdf.bus, sbdf.devfn);
- if ( !pdev )
+ if ( !pdev || !pdev->vpci )
 return vpci_read_hw(sbdf, reg, size);
 
 spin_lock(&pdev->vpci->lock);
@@ -436,7 +436,7 @@ void vpci_write(pci_sbdf_t sbdf, unsigned int reg, unsigned int size,
 * Passthrough everything that's not trapped.
 */
 pdev = pci_get_pdev_by_domain(d, sbdf.seg, sbdf.bus, sbdf.devfn);
- if ( !pdev )
+ if ( !pdev || !pdev->vpci )
 {
 vpci_write_hw(sbdf, reg, size, data);
 return;
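Review bot: The new `!pdev->vpci` test in vpci_remove_device() runs before `spin_lock(&pdev->vpci->lock)`, and that lock lives inside the structure being tested, so nothing visible in the hunk keeps pdev->vpci from being torn down between the check and the lock acquisition. The same check-then-lock sequence appears in the vpci_read() and vpci_write() hunks. If the callers are not already serialised by an outer lock (not visible here), the unconditional NULL dereference becomes a narrower race or a use-after-free rather than being closed. A comment at each check naming the protecting lock would make the assumption reviewable, e.g. `/* pdev->vpci cannot change here: <outer lock> is held by the caller. */`, with the placeholder replaced by the real lock. All three function bodies continue outside their hunks.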
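Review bot: The fallback to `vpci_read_hw(sbdf, reg, size)` when pdev->vpci is missing fails open: a device whose vPCI state was removed after an error is then served with unmediated config-space access instead of being refused, and the vpci_write() hunk does the same through `vpci_write_hw(sbdf, reg, size, data)`. That is presumably acceptable if only the hardware domain can reach these paths, but neither hunk shows that restriction. I would state it at the check, e.g. `/* No vpci state (torn down after a failure): pass through; only the hardware domain gets here. */` if that holds, and otherwise return all-ones on read and drop the write for other domains. Both function bodies continue outside the hunks.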