It's possible for a device to be assigned to a domain but have no vpci structure if vpci_process_pending() failed and called vpci_remove_device() as a result. The unconditional accesses done by vpci_{read,write}() and vpci_remove_device() to pdev->vpci would then trigger a NULL pointer dereference.
Add checks for pdev->vpci presence in the affected functions. Fixes: 9c244fdef7 ('vpci: add header handlers') Signed-off-by: Roger Pau Monné <roger....@citrix.com> --- xen/drivers/vpci/vpci.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c index 3467c0de86..647f7af679 100644 --- a/xen/drivers/vpci/vpci.c +++ b/xen/drivers/vpci/vpci.c @@ -37,7 +37,7 @@ extern vpci_register_init_t *const __end_vpci_array[]; void vpci_remove_device(struct pci_dev *pdev) { - if ( !has_vpci(pdev->domain) ) + if ( !has_vpci(pdev->domain) || !pdev->vpci ) return; spin_lock(&pdev->vpci->lock); @@ -326,7 +326,7 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size) /* Find the PCI dev matching the address. */ pdev = pci_get_pdev(d, sbdf); - if ( !pdev ) + if ( !pdev || !pdev->vpci ) return vpci_read_hw(sbdf, reg, size); spin_lock(&pdev->vpci->lock); @@ -436,7 +436,7 @@ void vpci_write(pci_sbdf_t sbdf, unsigned int reg, unsigned int size, * Passthrough everything that's not trapped. */ pdev = pci_get_pdev(d, sbdf); - if ( !pdev ) + if ( !pdev || !pdev->vpci ) { vpci_write_hw(sbdf, reg, size, data); return; -- 2.37.3
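Review bot: the new `|| !pdev->vpci` early return in vpci_remove_device() makes the function safe to call on a device whose vpci state is already gone (the commit message says vpci_process_pending() calls it on failure), but nothing at the check records that intent, and a later cleanup could fold it back into the has_vpci() test. Add a one-line comment above the check, e.g. `/* Nothing to do if the vpci state was already removed (see vpci_process_pending()). */`, and mention in the commit message that the function is now expected to be idempotent.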
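Review bot: in the vpci_read() hunk the `!pdev->vpci` test is done before, and outside of, the `spin_lock(&pdev->vpci->lock)` that follows it, so the check alone cannot stop vpci_remove_device() from freeing pdev->vpci between the test and the lock acquisition. Please state in the commit message, or in a comment at the check, which lock serialises this path against vpci_remove_device() (the pcidevs lock, for instance); if nothing does, the change narrows the window but does not close it, and that should be said explicitly.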
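Review bot: with `|| !pdev->vpci` added in vpci_write(), a device that is assigned to the domain but lost its vpci state after a failed vpci_process_pending() is treated like an untracked device and the write goes straight to hardware via vpci_write_hw(). That matches the existing "Passthrough everything that's not trapped" behaviour for `!pdev`, but for a device the domain is known to own it means config-space writes reach the device with no header handlers in place. The commit message should say why passthrough (rather than dropping the write, with ~0 on the read side) is the intended result for the no-vpci case, and the comment above the check should mention that case alongside the untracked-device one.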