s->iommu_pcibus_by_bus_num is a IOMMUPciBus pointer cache indexed
by bus number, bus number may not always be a fixed value,
i.e., guest reboot to different kernel which set bus number with
different algorithm.

This could lead to endpoint binding to wrong iommu MR in
virtio_iommu_get_endpoint(), then vfio device setup wrong
mapping from other device.

Remove the memset in virtio_iommu_device_realize() to avoid
redundancy with memset in system reset.

Signed-off-by: Zhenzhong Duan <>
Message-Id: <>
Reviewed-by: Eric Auger <>
Tested-by: Eric Auger <>
Reviewed-by: Michael S. Tsirkin <>
Signed-off-by: Michael S. Tsirkin <>
(cherry picked from commit 9a457383ce9d309d4679b079fafb51f0a2d949aa)
Signed-off-by: Michael Tokarev <>

diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index eb82462c95..95db19f144 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -1140,6 +1140,8 @@ static void virtio_iommu_system_reset(void *opaque)
+    memset(s->iommu_pcibus_by_bus_num, 0, sizeof(s->iommu_pcibus_by_bus_num));
      * config.bypass is sticky across device reset, but should be restored on
      * system reset
@@ -1156,8 +1158,6 @@ static void virtio_iommu_device_realize(DeviceState *dev, 
Error **errp)
     virtio_init(vdev, VIRTIO_ID_IOMMU, sizeof(struct virtio_iommu_config));
-    memset(s->iommu_pcibus_by_bus_num, 0, sizeof(s->iommu_pcibus_by_bus_num));
     s->req_vq = virtio_add_queue(vdev, VIOMMU_DEFAULT_QUEUE_SIZE,
     s->event_vq = virtio_add_queue(vdev, VIOMMU_DEFAULT_QUEUE_SIZE, NULL);

