+cc Farhan, FYI
On Tue, 2026-02-10 at 01:52 -0500, Aby Sam Ross wrote:
> vfio-pci hostdev realize during zpci hot plug fails (in `vfio_pci_realize()`)
> if the vfio group file in `/dev/vfio/` lacks appropriate permissions and the
> hostdev[/properties] addition doesn't reach the point where it could be
> associated with previously added zpci device (in `s390_pcihost_plug()`).
> As a result, zpci iommu pointer remains null. The zpci hot unplug following the
> failed hostdev addition assumes zpci iommu pointer was assigned and tries to
> make use of it to end the dma count resulting in a null pointer dereference.
> In the non-hotplug scenario, `qdev_unplug()` for the zpci device is not called
> after hostdev addition failure and this issue is not encountered.
>
> Fixes: 37fa32de7073
This is usually written as:
Fixes: 37fa32de7073 ("s390x/pci: Honor DMA limits set by vfio")
> Signed-off-by: Aby Sam Ross <[email protected]>
> ---
> hw/s390x/s390-pci-bus.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Acked-by: Eric Farman <[email protected]>
>
>
> diff --git a/hw/s390x/s390-pci-bus.c b/hw/s390x/s390-pci-bus.c
> index b438d63c44..3166b91c46 100644
> --- a/hw/s390x/s390-pci-bus.c
> +++ b/hw/s390x/s390-pci-bus.c
> @@ -1248,7 +1248,7 @@ static void s390_pcihost_unplug(HotplugHandler
> *hotplug_dev, DeviceState *dev,
> pbdev->fid = 0;
> QTAILQ_REMOVE(&s->zpci_devs, pbdev, link);
> g_hash_table_remove(s->zpci_table, &pbdev->idx);
> - if (pbdev->iommu->dma_limit) {
> + if (pbdev->iommu && pbdev->iommu->dma_limit) {
> s390_pci_end_dma_count(s, pbdev->iommu->dma_limit);
> }
> qdev_unrealize(dev);
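Review bot: The new guard `if (pbdev->iommu && pbdev->iommu->dma_limit)` closes the dereference for the case the commit message describes, but nothing in the hunk tells a later reader why `pbdev->iommu` can be NULL on the unplug path; a one-line comment above the check (that the iommu is only associated in s390_pcihost_plug() once the vfio hostdev realized, so a hot plug that failed in vfio_pci_realize() leaves it unset) would keep a future refactor from dropping the NULL test as redundant. The surrounding unplug steps shown in the hunk (`QTAILQ_REMOVE`, `g_hash_table_remove`, `qdev_unrealize`) do not touch `pbdev->iommu`, so the single guard is sufficient within this hunk. Separately, the `Fixes:` tag should carry the commit subject, as noted above.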
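To make the failure sequence from the commit message concrete, the following is an added, self-contained C model of the plug/unplug ordering; it is not QEMU's code, and all names except `iommu` and `dma_limit` (`ZpciHost`, `hostdev_realize`, `zpci_plug`, `zpci_unplug`, `run_scenario`, the 4096 limit) are assumptions constructed for the example. A plug that fails before the iommu is associated leaves the pointer NULL, and the unplug path only ends the dma count when the guard from the patch finds an iommu attached.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the QEMU structures; only the
 * iommu and dma_limit fields mirror names from the patch. */
typedef struct { unsigned long dma_limit; } ZpciIommu;
typedef struct { ZpciIommu *iommu; int fid; } ZpciDevice;
typedef struct { long dma_count; } ZpciHost;

/* Constructed stand-in for vfio hostdev realize: fails when the vfio group
 * file is not accessible, the situation the commit message describes. */
static bool hostdev_realize(bool vfio_group_accessible)
{
    return vfio_group_accessible;
}

/* Plug: the iommu is associated with the zpci device only after the
 * hostdev realized, so a failed realize leaves pbdev->iommu NULL. */
static bool zpci_plug(ZpciHost *s, ZpciDevice *pbdev, ZpciIommu *iommu,
                      bool vfio_group_accessible)
{
    if (!hostdev_realize(vfio_group_accessible)) {
        return false;               /* iommu never assigned */
    }
    pbdev->iommu = iommu;
    if (iommu->dma_limit) {
        s->dma_count += (long)iommu->dma_limit;   /* start dma count */
    }
    return true;
}

/* Unplug with the patched guard: returns 1 when the dma count was ended,
 * 0 when there was no iommu to consult (the failed-hotplug case). */
static int zpci_unplug(ZpciHost *s, ZpciDevice *pbdev)
{
    pbdev->fid = 0;
    if (pbdev->iommu && pbdev->iommu->dma_limit) {
        s->dma_count -= (long)pbdev->iommu->dma_limit;  /* end dma count */
        return 1;
    }
    return 0;
}

/* Drives plug then unplug on a fresh host/device; returns the unplug result,
 * or -1 if the dma count did not return to zero afterwards. */
int run_scenario(bool vfio_group_accessible)
{
    ZpciHost s = { .dma_count = 0 };
    ZpciIommu iommu = { .dma_limit = 4096 };   /* constructed limit */
    ZpciDevice pbdev = { .iommu = NULL, .fid = 1 };

    zpci_plug(&s, &pbdev, &iommu, vfio_group_accessible);
    int r = zpci_unplug(&s, &pbdev);
    return s.dma_count == 0 ? r : -1;
}

int main(void)
{
    printf("failed plug then unplug: %d\n", run_scenario(false));
    printf("successful plug then unplug: %d\n", run_scenario(true));
    return 0;
}
```

Without the `pbdev->iommu &&` half of the guard, the first scenario would dereference NULL before reaching `dma_limit`; with it, the unplug completes and the dma count is untouched because it was never started.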