On Thu, Oct 24, 2019 at 05:09:28AM -0400, Jagannathan Raman wrote:
> @@ -93,7 +94,8 @@ static void process_config_write(MPQemuMsg *msg)
> struct conf_data_msg *conf = (struct conf_data_msg *)msg->data2;
>
> qemu_mutex_lock_iothread();
> - pci_default_write_config(remote_pci_dev, conf->addr, conf->val, conf->l);
> + pci_default_write_config(remote_pci_devs[msg->id], conf->addr, conf->val,
> + conf->l);
> qemu_mutex_unlock_iothread();
> }
>
> @@ -106,7 +108,8 @@ static void process_config_read(MPQemuMsg *msg)
> wait = msg->fds[0];
>
> qemu_mutex_lock_iothread();
> - val = pci_default_read_config(remote_pci_dev, conf->addr, conf->l);
> + val = pci_default_read_config(remote_pci_devs[msg->id], conf->addr,
> + conf->l);
> qemu_mutex_unlock_iothread();
>
> notify_proxy(wait, val);

msg->id was read from a socket and hasn't been validated before indexing into remote_pci_devs[].
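Review bot: conf->addr and conf->l are taken from the same received message as msg->id and handed to pci_default_write_config() on the added line without any range check; unless that helper clamps offset and length itself (it is not visible here), an addr+l beyond the device's config space touches bytes that do not belong to it. The pci_default_read_config() call in the second hunk (process_config_read) has the same gap, and there the result is also returned to the proxy. Once the device has been looked up, a guard before the iothread lock such as `if (conf->l > 4 || conf->addr > pci_config_size(dev) - conf->l) { return; }` (with the waiting proxy notified of the failure on the read path) would bound both fields; whether msg->data2 is guaranteed to hold at least sizeof(struct conf_data_msg) bytes is not visible in either hunk either and should be confirmed at the receive side. Both process_config_write and process_config_read begin outside their hunks, so any validation done earlier in those functions is out of view.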