"pdev" (or its member buffers, e.g. "config") may already have been unrealized and freed, so accessing a member of "pdev" here can cause heap memory corruption (a use-after-free).
Check the change of "device_unparent()" in the commit
5c21ce77d7e5643089ceec556c0408445d017f32.
Change-Id: Iacb195a092c86d4c677ad0404582af104b2251ae
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
/* Unlink capability from the pci config space. */
void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
{
- uint8_t prev, offset = pci_find_capability_list(pdev, cap_id, &prev);
+ uint8_t prev, offset;
+ if (!(pdev->qdev.realized)) {
+ return;
+ }
+ offset = pci_find_capability_list(pdev, cap_id, &prev);
if (!offset)
return;
pdev->config[prev] = pdev->config[offset + PCI_CAP_LIST_NEXT];
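Review bot: The new guard `if (!(pdev->qdev.realized)) return;` itself dereferences `pdev`, so if `pdev` can really be freed by the time this is called (as the commit message states) the check is a read of freed memory rather than a fix; it only helps if `pdev` stays live and just its `config` buffer is released on unrealize, in which case the message should say so and the guard should be documented as such, e.g. `/* config is freed on unrealize; nothing left to unlink. */`. The guard is also only effective if the unrealize path clears `realized` before callers reach this function — if the flag is cleared after the device's unrealize callbacks run, a call from inside such a callback still sees `realized == true` and goes on to touch `config`; please confirm the ordering against the referenced `device_unparent()`/`device_set_realized` change. The body of `pci_del_capability` continues past the hunk, so the later writes to `pdev->config`/`wmask` are covered only by this one early return.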