Diffstat (limited to '0036-vpci-don-t-assume-that-vpci-per-device-data-exists-u.patch')
-rw-r--r-- | 0036-vpci-don-t-assume-that-vpci-per-device-data-exists-u.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/0036-vpci-don-t-assume-that-vpci-per-device-data-exists-u.patch b/0036-vpci-don-t-assume-that-vpci-per-device-data-exists-u.patch
new file mode 100644
index 0000000..ab8f792
--- /dev/null
+++ b/0036-vpci-don-t-assume-that-vpci-per-device-data-exists-u.patch
@@ -0,0 +1,60 @@
+From 96d26f11f56e83b98ec184f4e0d17161efe3a927 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Mon, 31 Oct 2022 13:25:13 +0100
+Subject: [PATCH 36/87] vpci: don't assume that vpci per-device data exists
+ unconditionally
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It's possible for a device to be assigned to a domain but have no
+vpci structure if vpci_process_pending() failed and called
+vpci_remove_device() as a result. The unconditional accesses done by
+vpci_{read,write}() and vpci_remove_device() to pdev->vpci would
+then trigger a NULL pointer dereference.
+
+Add checks for pdev->vpci presence in the affected functions.
+
+Fixes: 9c244fdef7 ('vpci: add header handlers')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 6ccb5e308ceeb895fbccd87a528a8bd24325aa39
+master date: 2022-10-26 14:55:30 +0200
+---
+ xen/drivers/vpci/vpci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c
+index dfc8136ffb95..53d78d53911d 100644
+--- a/xen/drivers/vpci/vpci.c
++++ b/xen/drivers/vpci/vpci.c
+@@ -37,7 +37,7 @@ extern vpci_register_init_t *const __end_vpci_array[];
+
+ void vpci_remove_device(struct pci_dev *pdev)
+ {
+- if ( !has_vpci(pdev->domain) )
++ if ( !has_vpci(pdev->domain) || !pdev->vpci )
+ return;
+
+ spin_lock(&pdev->vpci->lock);
+@@ -326,7 +326,7 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size)
+
+ /* Find the PCI dev matching the address. */
+ pdev = pci_get_pdev_by_domain(d, sbdf.seg, sbdf.bus, sbdf.devfn);
+- if ( !pdev )
++ if ( !pdev || !pdev->vpci )
+ return vpci_read_hw(sbdf, reg, size);
+
+ spin_lock(&pdev->vpci->lock);
+@@ -436,7 +436,7 @@ void vpci_write(pci_sbdf_t sbdf, unsigned int reg, unsigned int size, * Passthrough everything that's not trapped.
+ */
+ pdev = pci_get_pdev_by_domain(d, sbdf.seg, sbdf.bus, sbdf.devfn);
+- if ( !pdev )
++ if ( !pdev || !pdev->vpci )
+ {
+ vpci_write_hw(sbdf, reg, size, data);
+ return;
+--
+2.37.4
+ |
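Review bot: The new `!pdev->vpci` test in vpci_read() is made before `spin_lock(&pdev->vpci->lock)`, and the lock being taken lives inside the structure that was just tested, so the check and the dereference that follows are not atomic with respect to a removal. The commit message says a failed vpci_process_pending() calls vpci_remove_device(); if that can run concurrently with a config-space access (these hunks do not show what serialises the two), the pointer could be cleared or freed between the check and the lock, leaving the NULL dereference this patch is meant to close still reachable. Either record the serialising rule at each check, for example `/* pdev->vpci cannot change here: <lock held by callers> */`, or confirm that removal is excluded by a lock that lives outside pdev->vpci. The same applies to the early return in vpci_remove_device() and, presumably, to the vpci_write() check, whose use of pdev->vpci is outside the hunk; all three function bodies continue outside the hunks shown.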