On Mon, Jul 07, 2014 at 02:17:58PM -0400, John Snow wrote: > +static void ahci_write_fis_pio(AHCIDevice *ad, uint16_t len) > +{ > + AHCIPortRegs *pr = &ad->port_regs; > + uint8_t *pio_fis, *cmd_fis; > + uint64_t tbl_addr; > + dma_addr_t cmd_len = 0x80; > + > + if (!ad->res_fis || !(pr->cmd & PORT_CMD_FIS_RX)) { > + return; > + } > + > + /* map cmd_fis */ > + tbl_addr = le64_to_cpu(ad->cur_cmd->tbl_addr); > + cmd_fis = dma_memory_map(ad->hba->as, tbl_addr, &cmd_len, > + DMA_DIRECTION_TO_DEVICE);
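Review bot: in the lines shown, neither the pointer returned by dma_memory_map() nor the value of cmd_len after the call is checked before cmd_fis is used. dma_memory_map() can return NULL, and it can shrink cmd_len when the guest-supplied tbl_addr maps to fewer than the requested 0x80 bytes, so the function should bail out in both cases, for example by adding directly after the call: `if (!cmd_fis || cmd_len != 0x80) { return; }`. The early return on `!ad->res_fis || !(pr->cmd & PORT_CMD_FIS_RX)` is fine, but it only covers the receive-area preconditions, not the mapping itself.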
We should check cmd_len == 0x80 and cmd_fis != NULL to avoid undefined behavior when accessing cmd_fis.
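The check asked for in the reply, shown as an added stand-alone C example (this is not QEMU code and not part of the original mail). `mock_dma_map()` is a hypothetical stand-in that only models the relevant part of the dma_memory_map() contract: it returns NULL for an address outside guest RAM and shrinks the requested length when the range runs off the end of a region. The two RAM regions, their base addresses and the FIS bytes in them are constructed test data. `read_cmd_fis()` is the guarded pattern: it refuses to touch the buffer unless the pointer is non-NULL and the length it asked for is the length it got.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_FIS_LEN 0x80
#define REGION_SIZE 0x1000

/* Constructed guest RAM: two separate regions so that a command table
 * placed near the end of one is only partially mappable. Byte 0x27 is the
 * Register H2D FIS type, placed where the examples below will look for it. */
static uint8_t region_a[REGION_SIZE] = { 0x27 };
static uint8_t region_b[REGION_SIZE] = { [REGION_SIZE - CMD_FIS_LEN] = 0x27 };

/* Hypothetical mapper (assumption, not QEMU's API) modelled on the part of
 * the dma_memory_map() contract the review relies on: NULL when the address
 * is not backed by RAM, and *len reduced to the bytes actually mapped when
 * the requested range crosses the end of a region. Region A covers
 * [0x1000, 0x2000), region B covers [0x8000, 0x9000). */
static uint8_t *mock_dma_map(uint64_t addr, size_t *len)
{
    struct { uint64_t base; uint8_t *mem; } regions[] = {
        { 0x1000, region_a },
        { 0x8000, region_b },
    };
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        uint64_t base = regions[i].base;
        if (addr >= base && addr < base + REGION_SIZE) {
            size_t avail = (size_t)(base + REGION_SIZE - addr);
            if (*len > avail) {
                *len = avail;           /* truncated mapping */
            }
            return regions[i].mem + (addr - base);
        }
    }
    return NULL;                        /* nothing mapped at addr */
}

/* Length the mapper would give for a CMD_FIS_LEN request at addr (0 = NULL). */
static size_t mapped_len(uint64_t addr)
{
    size_t len = CMD_FIS_LEN;
    return mock_dma_map(addr, &len) ? len : 0;
}

/* Guarded read of the command FIS. Only copies when the full 0x80 bytes are
 * mapped; a NULL pointer or a shortened length means the guest-controlled
 * table address must not be dereferenced at all. */
static bool read_cmd_fis(uint64_t tbl_addr, uint8_t fis[CMD_FIS_LEN])
{
    size_t cmd_len = CMD_FIS_LEN;
    uint8_t *cmd_fis = mock_dma_map(tbl_addr, &cmd_len);

    if (!cmd_fis || cmd_len != CMD_FIS_LEN) {
        return false;
    }
    memcpy(fis, cmd_fis, CMD_FIS_LEN);
    return true;
}

/* FIS type byte at tbl_addr, or -1 when the table is not safely readable. */
static int cmd_fis_type(uint64_t tbl_addr)
{
    uint8_t fis[CMD_FIS_LEN];
    if (!read_cmd_fis(tbl_addr, fis)) {
        return -1;
    }
    return fis[0];
}

int main(void)
{
    const uint64_t addrs[] = { 0x1000, 0x1FC0, 0x3000, 0x8F80, 0x8F81 };
    for (size_t i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        printf("tbl_addr=0x%04llx mapped=0x%02zx type=%d\n",
               (unsigned long long)addrs[i], mapped_len(addrs[i]),
               cmd_fis_type(addrs[i]));
    }
    return 0;
}
```

The comparison has to be against `cmd_len` after the call, not before: the mapper reports truncation by rewriting the length it was handed, so a check on the constant alone would miss the 0x1FC0 and 0x8F81 cases, where only 0x40 and 0x7F bytes are actually mapped.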