On Tue, 4 Jul 2023 16:39:27 +0300
Avihai Horon <avih...@nvidia.com> wrote:
> vfio_realize() has the following flow:
> 1. vfio_bars_prepare() -- sets VFIOBAR->size.
> 2. msix_early_setup().
> 3. vfio_bars_register() -- allocates VFIOBAR->mr.
>
> After vfio_bars_prepare() is called msix_early_setup() can fail. If it
> does fail, vfio_bars_register() is never called and VFIOBAR->mr is not
> allocated.
>
> In this case, vfio_bars_finalize() is called as part of the error flow
> to free the bars' resources. However, vfio_bars_finalize() calls
> object_unparent() for VFIOBAR->mr after checking only VFIOBAR->size, and
> thus we get a null pointer dereference.
>
> Fix it by checking VFIOBAR->mr in vfio_bars_finalize().
>
> Fixes: 89d5202edc50 ("vfio/pci: Allow relocating MSI-X MMIO")
> Signed-off-by: Avihai Horon <avih...@nvidia.com>
> ---
>
> Changes from v1:
> * Assert VFIOBAR->size and set VFIOBAR->mr to NULL to make the code
> more accurate. (Philippe)
> * Small reword in the last paragraph of the commit message.
>
> hw/vfio/pci.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index ab6645ba60..bc98791cbb 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -1752,9 +1752,11 @@ static void vfio_bars_finalize(VFIOPCIDevice *vdev)
>
> vfio_bar_quirk_finalize(vdev, i);
> vfio_region_finalize(&bar->region);
> - if (bar->size) {
> + if (bar->mr) {
> + assert(bar->size);
> object_unparent(OBJECT(bar->mr));
> g_free(bar->mr);
> + bar->mr = NULL;
> }
> }
>
Reviewed-by: Alex Williamson <alex.william...@redhat.com>
