[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_re
From: |
Longpeng(Mike) |
Subject: |
[PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read |
Date: |
Mon, 24 Feb 2020 14:42:17 +0800 |
From: Longpeng <address@hidden>
vfio_pci_load_rom() maybe failed and then the vdev->rom is NULL in
some situation (though I've not encountered yet), maybe we should
avoid the VM abort.
Signed-off-by: Longpeng <address@hidden>
---
hw/vfio/pci.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index 5e75a95..ed798ae 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -768,7 +768,7 @@ static void vfio_update_msi(VFIOPCIDevice *vdev)
}
}
-static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
+static bool vfio_pci_load_rom(VFIOPCIDevice *vdev)
{
struct vfio_region_info *reg_info;
uint64_t size;
@@ -778,7 +778,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
if (vfio_get_region_info(&vdev->vbasedev,
VFIO_PCI_ROM_REGION_INDEX, ®_info)) {
error_report("vfio: Error getting ROM info: %m");
- return;
+ return false;
}
trace_vfio_pci_load_rom(vdev->vbasedev.name, (unsigned long)reg_info->size,
@@ -797,7 +797,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
error_printf("Device option ROM contents are probably invalid "
"(check dmesg).\nSkip option ROM probe with rombar=0, "
"or load from file with romfile=\n");
- return;
+ return false;
}
vdev->rom = g_malloc(size);
@@ -849,6 +849,8 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev)
data[6] = -csum;
}
}
+
+ return true;
}
static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size)
@@ -863,8 +865,9 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr,
unsigned size)
uint64_t data = 0;
/* Load the ROM lazily when the guest tries to read it */
- if (unlikely(!vdev->rom && !vdev->rom_read_failed)) {
- vfio_pci_load_rom(vdev);
+ if (unlikely(!vdev->rom && !vdev->rom_read_failed) &&
+ !vfio_pci_load_rom(vdev)) {
+ return 0;
}
memcpy(&val, vdev->rom + addr,
--
1.8.3.1