On 2/12/26 10:50 AM, Halil Pasic wrote:
> On Thu, 12 Feb 2026 06:47:36 -0500
> Aby Sam Ross <[email protected]> wrote:
> 
>> vfio-pci hostdev realize during zpci hot plug fails (in `vfio_pci_realize()`)
>> if the vfio group file in `/dev/vfio/` lacks appropriate permissions and the
>> hostdev[/properties] addition doesn't reach the point where it could be
>> associated with previously added zpci device (in `s390_pcihost_plug()`).
>> As a result, zpci iommu pointer remains null. The zpci hot unplug following the
>> failed hostdev addition assumes zpci iommu pointer was assigned and tries to
>> make use of it to end the dma count resulting in a null pointer dereference.
>> In the non-hotplug scenario, `qdev_unplug()` for the zpci device is not called
>> after hostdev addition failure and this issue is not encountered.
> 
> 
> Maybe add a word or two why the other dereferences of pbdev->iommu
> not guarded by a null check are safe.
> 
> I think we have:
> * s390_pci_sclp_deconfigure
> * s390_pci_msix_init
> * s390_pcihost_reset
> * s390_pci_device_reset
> * mpcifc_service_call
> * stpcifc_service_call
> * s390_pci_read_base
> 
> and more. My guess is that the device never gets into a state where
> these operations are permissible, and the code makes sure
> those functions won't be called on a device that has
> pbdev->iommu == NULL. But that is just my guess.
> 
> DISCLAIMER: I didn't look at this properly, just asking based
> on a quick look. Some of these may contain explicit or implicit
> checking...

I mentioned in response to v1 as part of my review that I did look through all 
references of pbdev->iommu, as I was also concerned about whether we needed 
additional NULL checks.  But so far I'm not seeing it - it is largely implicit, 
but we don't drive the routines until the device is plugged, not in 
reserved|standby and iommu is associated.

This particular case is because we reach unplug (which also has to happen after 
plug of course) but the swizzle is we are reaching unplug exactly because we 
are giving up without actually having -successfully- plugged both the zpci and 
pci device.

But anyway, yes, I do think it would be good to add a small blurb to the commit 
message.  
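The plug/unplug sequence the commit message describes, as an added example that is not part of this thread or of QEMU: a constructed C model in which a failed vfio realize leaves the zpci device's iommu pointer NULL, with the unguarded unplug beside a guarded one. Every type and function name here is a hypothetical stand-in, not QEMU's real code.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not QEMU code: these types and functions are hypothetical
 * stand-ins for the objects discussed in the thread. */
typedef struct { int dma_count; } zpci_iommu;
typedef struct { zpci_iommu *iommu; } zpci_dev;

/* Stand-in for vfio_pci_realize(): fails if the vfio group file is inaccessible. */
static bool hostdev_realize(bool group_accessible) { return group_accessible; }

/* Stand-in for s390_pcihost_plug(): only a successful hostdev realize reaches
 * the point where the zpci device is associated with its iommu. */
static bool zpci_hotplug(zpci_dev *dev, zpci_iommu *iommu, bool group_accessible)
{
    if (!hostdev_realize(group_accessible)) {
        return false;            /* dev->iommu stays NULL */
    }
    dev->iommu = iommu;
    dev->iommu->dma_count++;     /* DMA accounting starts only here */
    return true;
}

/* 'Before': correct for a fully plugged device, but dereferences NULL if
 * called for a device whose hostdev addition failed. */
static void zpci_unplug_unguarded(zpci_dev *dev) { dev->iommu->dma_count--; }

/* 'After': a device whose hostdev never reached association has no DMA
 * count to end. Returns whether an iommu was actually released. */
static bool zpci_unplug_guarded(zpci_dev *dev)
{
    bool had_iommu = dev->iommu != NULL;
    if (had_iommu) {
        dev->iommu->dma_count--;
        dev->iommu = NULL;
    }
    return had_iommu;
}

/* Replays the thread's sequence: a good plug, a plug that fails in realize,
 * then unplug of both. Returns the iommu's final dma_count (expected 0). */
static int replay_thread_sequence(void)
{
    zpci_iommu iommu = {0};
    zpci_dev good = {0}, failed = {0};
    if (!zpci_hotplug(&good, &iommu, true)) return -1;
    if (zpci_hotplug(&failed, &iommu, false)) return -2;
    if (zpci_unplug_guarded(&failed)) return -3;   /* nothing to end */
    zpci_unplug_unguarded(&good);                  /* safe: iommu assigned */
    return iommu.dma_count;
}
```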
