On Thu, 20 Nov 2025 11:28:29 +0200
Leon Romanovsky <[email protected]> wrote:
> diff --git a/drivers/vfio/pci/vfio_pci_core.c 
> b/drivers/vfio/pci/vfio_pci_core.c
> index 142b84b3f225..51a3bcc26f8b 100644
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
...
> @@ -2487,8 +2500,11 @@ static int vfio_pci_dev_set_hot_reset(struct 
> vfio_device_set *dev_set,
>  
>  err_undo:
>       list_for_each_entry_from_reverse(vdev, &dev_set->device_list,
> -                                      vdev.dev_set_list)
> +                                      vdev.dev_set_list) {
> +             if (__vfio_pci_memory_enabled(vdev))
> +                     vfio_pci_dma_buf_move(vdev, false);
>               up_write(&vdev->memory_lock);
> +     }
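
Review bot: in the err_undo loop, the added `__vfio_pci_memory_enabled(vdev)` call is made for each device walked on `dev_set->device_list`, and nothing in the hunk establishes that the device's config state is valid at that point. If the set can contain devices that were never opened, guard the call (or have the helper return early) before it reads per-device state, and keep `up_write(&vdev->memory_lock)` unconditional as it is now.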

I ran into a bug here.  In the hot reset path we can have dev_sets
where one or more devices are not opened by the user.  The vconfig
buffer for the device is established on open.  However:

bool __vfio_pci_memory_enabled(struct vfio_pci_core_device *vdev)
{
        struct pci_dev *pdev = vdev->pdev;
        u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]);
        ...

Leads to a NULL pointer dereference.

I think the most straightforward fix is simply to test the open_count
on the vfio_device, which is also protected by the dev_set->lock that
we already hold here:

--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -2501,7 +2501,7 @@ static int vfio_pci_dev_set_hot_reset(struct 
vfio_device_set *dev_set,
 err_undo:
        list_for_each_entry_from_reverse(vdev, &dev_set->device_list,
                                         vdev.dev_set_list) {
-               if (__vfio_pci_memory_enabled(vdev))
+               if (vdev->vdev.open_count && __vfio_pci_memory_enabled(vdev))
                        vfio_pci_dma_buf_move(vdev, false);
                up_write(&vdev->memory_lock);
        }
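
Review bot: the `vdev->vdev.open_count &&` test on the `+` line has no comment, and without one it reads as a redundant check that a later cleanup could drop. Add a line above the `if` saying that vconfig only exists once the device has been opened, and that open_count is stable here because dev_set->lock is held. Since the hunk covers only err_undo, also confirm that no other call to `__vfio_pci_memory_enabled()` in vfio_pci_dev_set_hot_reset() walks the same list without the same guard.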

Any other suggestions?  This should be the only reset path with this
nuance of affecting non-opened devices.  Thanks,

Alex
