On 2/10/26 1:52 AM, Aby Sam Ross wrote:
> vfio-pci hostdev realize during zpci hot plug fails (in `vfio_pci_realize()`)
> if the vfio group file in `/dev/vfio/` lacks appropriate permissions and the
> hostdev[/properties] addition doesn't reach the point where it could be
> associated with previously added zpci device (in `s390_pcihost_plug()`).
> As a result, zpci iommu pointer remains null. The zpci hot unplug following
> the failed hostdev addition assumes zpci iommu pointer was assigned and tries to
> make use of it to end the dma count resulting in a null pointer dereference.
> In the non-hotplug scenario, `qdev_unplug()` for the zpci device is not called
> after hostdev addition failure and this issue is not encountered.
>
> Fixes: 37fa32de7073
Fixes: 37fa32de70 ("s390x/pci: Honor DMA limits set by vfio")
> Signed-off-by: Aby Sam Ross <[email protected]>
> ---
> hw/s390x/s390-pci-bus.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/s390x/s390-pci-bus.c b/hw/s390x/s390-pci-bus.c
> index b438d63c44..3166b91c46 100644
> --- a/hw/s390x/s390-pci-bus.c
> +++ b/hw/s390x/s390-pci-bus.c
> @@ -1248,7 +1248,7 @@ static void s390_pcihost_unplug(HotplugHandler
> *hotplug_dev, DeviceState *dev,
> pbdev->fid = 0;
> QTAILQ_REMOVE(&s->zpci_devs, pbdev, link);
> g_hash_table_remove(s->zpci_table, &pbdev->idx);
> - if (pbdev->iommu->dma_limit) {
> + if (pbdev->iommu && pbdev->iommu->dma_limit) {
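Review bot: the added `pbdev->iommu &&` guard on the `if` is correct for the failure path described in the commit message, but nothing in the hunk records why `pbdev->iommu` can be NULL at this point in `s390_pcihost_unplug()`; a short comment above the check, along the lines of `/* iommu stays NULL if the vfio-pci hostdev failed before s390_pcihost_plug() */`, would keep a later cleanup from dropping the guard as redundant. Since the only reason the pointer is unset is a realize failure after the zpci device was already added to `zpci_devs` and `zpci_table` (both removed just above the check), it is also worth confirming that no other code in the remainder of this unplug path dereferences `pbdev->iommu` outside this branch.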
Looks reasonable. I also reproduced with a quick chmod against /dev/vfio/vfio.
I also verified coldplug is unaffected as you described.
I took a look at other instances where we use pbdev->iommu without checking for
non-null and AFAICT these are all otherwise after the device would be plugged
and thus pbdev->iommu would be valid.
So, while updating that fixes tag feel free to add:
Reviewed-by: Matthew Rosato <[email protected]>
Thanks!