39 lines
1.1 KiB
Diff
39 lines
1.1 KiB
Diff
From: Prasad J Pandit <address@hidden>
|
|
|
|
virtio back end uses set of buffers to facilitate I/O operations.
|
|
If its size is too large, 'cpu_physical_memory_map' could return
|
|
a null address. This would result in a null dereference
|
|
while un-mapping descriptors. Add check to avoid it.
|
|
|
|
Reported-by: Qinghao Tang <address@hidden>
|
|
Signed-off-by: Prasad J Pandit <address@hidden>
|
|
---
|
|
hw/virtio/virtio.c | 10 ++++++----
|
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
|
index 15ee3a7..0a4c5b6 100644
|
|
--- a/hw/virtio/virtio.c
|
|
+++ b/hw/virtio/virtio.c
|
|
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
|
}
|
|
|
|
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
|
- iov[num_sg].iov_len = len;
|
|
- addr[num_sg] = pa;
|
|
+ if (iov[num_sg].iov_base) {
|
|
+ iov[num_sg].iov_len = len;
|
|
+ addr[num_sg] = pa;
|
|
|
|
+ pa += len;
|
|
+ num_sg++;
|
|
+ }
|
|
sz -= len;
|
|
- pa += len;
|
|
- num_sg++;
|
|
}
|
|
*p_num_sg = num_sg;
|
|
}
|
|
--
|
|
2.5.5
|