From: Halil Pasic <pasic@linux.ibm.com>
To: Aby Sam Ross <abysamross@ibm.com>
Cc: qemu-s390x@nongnu.org, qemu-devel@nongnu.org,
farman@linux.ibm.com, alifm@linux.ibm.com,
Matthew Rosato <mjrosato@linux.ibm.com>,
Halil Pasic <pasic@linux.ibm.com>
Subject: Re: [PATCH v2] s390x/pci: prevent null pointer dereference during zpci hot unplug
Date: Thu, 12 Feb 2026 16:50:29 +0100 [thread overview]
Message-ID: <20260212165029.206ae722.pasic@linux.ibm.com> (raw)
In-Reply-To: <8e983aa64ebeaad9897496199ca80cfb7e0bf003.1770877629.git.abysamross@ibm.com>
On Thu, 12 Feb 2026 06:47:36 -0500
Aby Sam Ross <abysamross@ibm.com> wrote:
> vfio-pci hostdev realize during zpci hot plug fails (in `vfio_pci_realize()`)
> if the vfio group file in `/dev/vfio/` lacks appropriate permissions and the
> hostdev[/properties] addition doesn't reach the point where it could be
> associated with previously added zpci device (in `s390_pcihost_plug()`).
> As a result, zpci iommu pointer remains null. The zpci hot unplug following the
> failed hostdev addition assumes zpci iommu pointer was assigned and tries to
> make use of it to end the dma count resulting in a null pointer dereference.
> In the non-hotplug scenario, `qdev_unplug()` for the zpci device is not called
> after hostdev addition failure and this issue is not encountered.
Maybe add a word or two why the other dereferences of pbdev->iommu
not guarded by a null check are safe.
I think we have:
* s390_pci_sclp_deconfigure
* s390_pci_msix_init
* s390_pcihost_reset
* s390_pci_device_reset
* mpcifc_service_call
* stpcifc_service_call
* s390_pci_read_base
and more. My guess is that the device never gets into a state where
these operations are permissible, and the code makes sure
those functions won't be called on a device that has
pbdev->iommu == NULL. But that is just my guess.
DISCLAIMER: I didn't look at this properly, just asking based
on a quick look. Some of these may contain explicit or implicit
checking...
Regards,
Halil
>
> Fixes: 37fa32de7073 ("s390x/pci: Honor DMA limits set by vfio")
>
> Signed-off-by: Aby Sam Ross <abysamross@ibm.com>
> Acked-by: Eric Farman <farman@linux.ibm.com>
> Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
> Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
next prev parent reply other threads:[~2026-02-12 15:51 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-10 6:52 [PATCH] prevent null pointer dereference during zpci hot unplug Aby Sam Ross
2026-02-10 14:21 ` Eric Farman
2026-02-10 14:54 ` Matthew Rosato
2026-02-10 17:26 ` Farhan Ali
2026-02-12 11:47 ` [PATCH v2] s390x/pci: " Aby Sam Ross
2026-02-12 15:50 ` Halil Pasic [this message]
2026-02-12 16:55 ` Matthew Rosato
2026-02-12 19:25 ` Halil Pasic
2026-02-13 6:34 ` [PATCH v3] " Aby Sam Ross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260212165029.206ae722.pasic@linux.ibm.com \
--to=pasic@linux.ibm.com \
--cc=abysamross@ibm.com \
--cc=alifm@linux.ibm.com \
--cc=farman@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.