pci: add device realization check before the capability is unlinked

"pdev" and its member may be unrealized and be freed, so accessing a member of "pdev" is able to cause heap memory corruption.

Check the change of "device_unparent()" in the commit 5c21ce77d7e5643089ceec556c0408445d017f32.

Change-Id: Iacb195a092c86d4c677ad0404582af104b2251ae
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 2a9f08e..cdc8ee2 100644 (file)
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -2056,7 +2056,11 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
 /* Unlink capability from the pci config space. */
 void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
 {
-    uint8_t prev, offset = pci_find_capability_list(pdev, cap_id, &prev);
+    uint8_t prev, offset;
+    if (!(pdev->qdev.realized)) {
+        return;
+    }
+    offset = pci_find_capability_list(pdev, cap_id, &prev);
     if (!offset)
         return;
     pdev->config[prev] = pdev->config[offset + PCI_CAP_LIST_NEXT];