On 2020/2/25 0:04, Alex Williamson wrote: > On Mon, 24 Feb 2020 14:42:17 +0800 > "Longpeng(Mike)" <longpe...@huawei.com> wrote: > >> From: Longpeng <longpe...@huawei.com> >> >> vfio_pci_load_rom() maybe failed and then the vdev->rom is NULL in >> some situation (though I've not encountered yet), maybe we should >> avoid the VM abort. >> >> Signed-off-by: Longpeng <longpe...@huawei.com> >> --- >> hw/vfio/pci.c | 13 ++++++++----- >> 1 file changed, 8 insertions(+), 5 deletions(-) >> >> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c >> index 5e75a95..ed798ae 100644 >> --- a/hw/vfio/pci.c >> +++ b/hw/vfio/pci.c >> @@ -768,7 +768,7 @@ static void vfio_update_msi(VFIOPCIDevice *vdev) >> } >> } >> >> -static void vfio_pci_load_rom(VFIOPCIDevice *vdev) >> +static bool vfio_pci_load_rom(VFIOPCIDevice *vdev) >> { >> struct vfio_region_info *reg_info; >> uint64_t size; >> @@ -778,7 +778,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) >> if (vfio_get_region_info(&vdev->vbasedev, >> VFIO_PCI_ROM_REGION_INDEX, ®_info)) { >> error_report("vfio: Error getting ROM info: %m"); >> - return; >> + return false; >> } >> >> trace_vfio_pci_load_rom(vdev->vbasedev.name, (unsigned >> long)reg_info->size, >> @@ -797,7 +797,7 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) >> error_printf("Device option ROM contents are probably invalid " >> "(check dmesg).\nSkip option ROM probe with rombar=0, " >> "or load from file with romfile=\n"); >> - return; >> + return false; >> } >> >> vdev->rom = g_malloc(size); >> @@ -849,6 +849,8 @@ static void vfio_pci_load_rom(VFIOPCIDevice *vdev) >> data[6] = -csum; >> } >> } >> + >> + return true; >> } >> >> static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size) >> @@ -863,8 +865,9 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr, >> unsigned size) >> uint64_t data = 0; >> >> /* Load the ROM lazily when the guest tries to read it */ >> - if (unlikely(!vdev->rom && !vdev->rom_read_failed)) { >> - vfio_pci_load_rom(vdev); >> + if (unlikely(!vdev->rom && !vdev->rom_read_failed) && >> + !vfio_pci_load_rom(vdev)) { >> + return 0; >> } >> >> memcpy(&val, vdev->rom + addr, > > Looks like an obvious bug, until you look at the rest of this memcpy(): > > memcpy(&val, vdev->rom + addr, > (addr < vdev->rom_size) ? MIN(size, vdev->rom_size - addr) : 0); > > IOW, we'll do a zero sized memcpy() if rom_size is zero, so there's no > risk of the concern identified in the commit log. This patch is > unnecessary. Thanks, > Oh, I missed that, sorry for make the noise, thanks > Alex > > . >
Re: [PATCH RESEND 1/3] vfio/pci: fix a null pointer reference in vfio_rom_read
Longpeng (Mike, Cloud Infrastructure Service Product Dept.) Mon, 24 Feb 2020 15:49:58 -0800
- [PATCH RESEND ... Longpeng(Mike)
- [PATCH RE... Longpeng(Mike)
- [PATCH RE... Longpeng(Mike)
- Re: [... Alex Williamson
- R... Longpeng (Mike, Cloud Infrastructure Service Product Dept.)
- [PATCH RE... Longpeng(Mike)