'[xen stable-4.16] vpci: don't assume that vpci per-device data exists unconditionally'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xen-cvs
Subject:    [xen stable-4.16] vpci: don't assume that vpci per-device data exists unconditionally
From:       patchbot () xen ! org
Date:       2022-10-31 22:12:12
Message-ID: E1opd0u-0000A7-R7 () xenbits ! xenproject ! org
[Download RAW message or body]

commit 96d26f11f56e83b98ec184f4e0d17161efe3a927
Author:     Roger Pau Monné <roger.pau@citrix.com>
AuthorDate: Mon Oct 31 13:25:13 2022 +0100
Commit:     Jan Beulich <jbeulich@suse.com>
CommitDate: Mon Oct 31 13:25:13 2022 +0100

    vpci: don't assume that vpci per-device data exists unconditionally
    
    It's possible for a device to be assigned to a domain but have no
    vpci structure if vpci_process_pending() failed and called
    vpci_remove_device() as a result.  The unconditional accesses done by
    vpci_{read,write}() and vpci_remove_device() to pdev->vpci would
    then trigger a NULL pointer dereference.
    
    Add checks for pdev->vpci presence in the affected functions.
    
    Fixes: 9c244fdef7 ('vpci: add header handlers')
    Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    master commit: 6ccb5e308ceeb895fbccd87a528a8bd24325aa39
    master date: 2022-10-26 14:55:30 +0200
---
 xen/drivers/vpci/vpci.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c
index dfc8136ffb..53d78d5391 100644
--- a/xen/drivers/vpci/vpci.c
+++ b/xen/drivers/vpci/vpci.c
@@ -37,7 +37,7 @@ extern vpci_register_init_t *const __end_vpci_array[];
 
 void vpci_remove_device(struct pci_dev *pdev)
 {
-    if ( !has_vpci(pdev->domain) )
+    if ( !has_vpci(pdev->domain) || !pdev->vpci )
         return;
 
     spin_lock(&pdev->vpci->lock);
@@ -326,7 +326,7 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size)
 
     /* Find the PCI dev matching the address. */
     pdev = pci_get_pdev_by_domain(d, sbdf.seg, sbdf.bus, sbdf.devfn);
-    if ( !pdev )
+    if ( !pdev || !pdev->vpci )
         return vpci_read_hw(sbdf, reg, size);
 
     spin_lock(&pdev->vpci->lock);
@@ -436,7 +436,7 @@ void vpci_write(pci_sbdf_t sbdf, unsigned int reg, unsigned int size,
      * Passthrough everything that's not trapped.
      */
     pdev = pci_get_pdev_by_domain(d, sbdf.seg, sbdf.bus, sbdf.devfn);
-    if ( !pdev )
+    if ( !pdev || !pdev->vpci )
     {
         vpci_write_hw(sbdf, reg, size, data);
         return;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic