On Mon, 24 Feb 2020 14:42:17 +0800 "Longpeng(Mike)" <longpe...@huawei.com> wrote:
> From: Longpeng <longpe...@huawei.com> > > vfio_pci_load_rom() maybe failed and then the vdev->rom is NULL in > some situation (though I've not encountered yet), maybe we should > avoid the VM abort. > > Signed-off-by: Longpeng <longpe...@huawei.com> > --- > hw/vfio/pci.c | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c > index 5e75a95..ed798ae 100644 > --- a/hw/vfio/pci.c > +++ b/hw/vfio/pci.c > @@ -768,7 +768,7 @@ static void vfio_update_msi(VFIOPCIDevice *vdev) > } > } > > -static void vfio_pci_load_rom(VFIOPCIDevice *vdev) > +static bool vfio_pci_load_rom(VFIOPCIDevice *vdev) > { > struct vfio_region_info *reg_info; > uint64_t size; > @@ -778,7 +778,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) > if (vfio_get_region_info(&vdev->vbasedev, > VFIO_PCI_ROM_REGION_INDEX, ®_info)) { > error_report("vfio: Error getting ROM info: %m"); > - return; > + return false; > } > > trace_vfio_pci_load_rom(vdev->vbasedev.name, (unsigned > long)reg_info->size, > @@ -797,7 +797,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) > error_printf("Device option ROM contents are probably invalid " > "(check dmesg).\nSkip option ROM probe with rombar=0, " > "or load from file with romfile=\n"); > - return; > + return false; > } > > vdev->rom = g_malloc(size); > @@ -849,6 +849,8 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) > data[6] = -csum; > } > } > + > + return true; > } > > static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size) > @@ -863,8 +865,9 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr, > unsigned size) > uint64_t data = 0; > > /* Load the ROM lazily when the guest tries to read it */ > - if (unlikely(!vdev->rom && !vdev->rom_read_failed)) { > - vfio_pci_load_rom(vdev); > + if (unlikely(!vdev->rom && !vdev->rom_read_failed) && > + !vfio_pci_load_rom(vdev)) { > + return 0; > } > > memcpy(&val, vdev->rom + addr, Looks like an obvious bug, until you look at the rest of this memcpy(): memcpy(&val, vdev->rom + addr, (addr < vdev->rom_size) ? MIN(size, vdev->rom_size - addr) : 0); IOW, we'll do a zero sized memcpy() if rom_size is zero, so there's no risk of the concern identified in the commit log. This patch is unnecessary. Thanks, Alex