From: Halil Pasic <pasic@linux.ibm.com>
To: Matthew Rosato <mjrosato@linux.ibm.com>
Cc: Aby Sam Ross <abysamross@ibm.com>,
qemu-s390x@nongnu.org, qemu-devel@nongnu.org,
farman@linux.ibm.com, alifm@linux.ibm.com,
Halil Pasic <pasic@linux.ibm.com>
Subject: Re: [PATCH v2] s390x/pci: prevent null pointer dereference during zpci hot unplug
Date: Thu, 12 Feb 2026 20:25:15 +0100 [thread overview]
Message-ID: <20260212202515.3ffa2a80.pasic@linux.ibm.com> (raw)
In-Reply-To: <5fa0684d-5127-4db5-937c-d9be9fc4508d@linux.ibm.com>
On Thu, 12 Feb 2026 11:55:15 -0500
Matthew Rosato <mjrosato@linux.ibm.com> wrote:
> >
> > Maybe add a word or two why the other dereferences of pbdev->iommu
> > not guarded by a null check are safe.
> >
> > I think we have:
> > * s390_pci_sclp_deconfigure
> > * s390_pci_msix_init
> > * s390_pcihost_reset
> > * s390_pci_device_reset
> > * mpcifc_service_call
> > * stpcifc_service_call
> > * s390_pci_read_base
> >
> > and more. My guess is that the device never gets into a state where
> > these operations are permissible, and the code makes sure
> > those functions won't be called on a device that has
> > pbdev->iommu == NULL. But that is just my guess.
> >
> > DISCLAIMER: I didn't look at this properly, just asking based
> > on a quick look. Some of these may contain explicit or implicit
> > checking...
>
> I mentioned in response to v1 as part of my review that I did look through all references of pbdev->iommu, as I was also concerned about whether we needed additional NULL checks. But so far I'm not seeing it - it is largely implicit, but we don't drive the routines until the device is plugged, not in reserved|standby and iommu is associated.
>
> This particular case is because we reach unplug (which also has to happen after plug of course) but the swizzle is we are reaching unplug exactly because we are giving up without actually having -successfully- plugged both the zpci and pci device.
>
> But anyway, yes, I do think it would be good to add a small blurb to the commit message.
Thanks! I have also assumed that I'm not the first one having this
thought.
Regards,
Halil
next prev parent reply other threads:[~2026-02-12 19:26 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-10 6:52 [PATCH] prevent null pointer dereference during zpci hot unplug Aby Sam Ross
2026-02-10 14:21 ` Eric Farman
2026-02-10 14:54 ` Matthew Rosato
2026-02-10 17:26 ` Farhan Ali
2026-02-12 11:47 ` [PATCH v2] s390x/pci: " Aby Sam Ross
2026-02-12 15:50 ` Halil Pasic
2026-02-12 16:55 ` Matthew Rosato
2026-02-12 19:25 ` Halil Pasic [this message]
2026-02-13 6:34 ` [PATCH v3] " Aby Sam Ross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260212202515.3ffa2a80.pasic@linux.ibm.com \
--to=pasic@linux.ibm.com \
--cc=abysamross@ibm.com \
--cc=alifm@linux.ibm.com \
--cc=farman@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.