On Tue, Nov 18 2025, Thomas Huth <[email protected]> wrote: > On 18/11/2025 12.52, Cornelia Huck wrote: >> On Tue, Nov 18 2025, Thomas Huth <[email protected]> wrote: >> >>> From: Thomas Huth <[email protected]> >>> >>> Consider the following nested setup: An L1 host uses some virtio device >>> (e.g. virtio-keyboard) for the L2 guest, and this L2 guest passes this >>> device through to the L3 guest. Since the L3 guest sees a virtio device, >>> it might send virtio notifications to the QEMU in L2 for that device. >>> But since the QEMU in L2 defined this device as vfio-ccw, the function >>> handle_virtio_ccw_notify() cannot handle this and crashes: It calls >>> virtio_ccw_get_vdev() that casts sch->driver_data into a VirtioCcwDevice, >>> but since "sch" belongs to a vfio-ccw device, that driver_data rather >>> points to a CcwDevice instead. So as soon as QEMU tries to use some >>> VirtioCcwDevice specific data from that device, we've lost. >>> >>> We must not take virtio notifications for such devices. Thus fix the >>> issue by adding a check to the handle_virtio_ccw_notify() handler to >>> refuse all devices that are not our own virtio devices. >>> >>> Signed-off-by: Thomas Huth <[email protected]> >>> --- >>> v2: Now with the required #include statement >>> >>> hw/s390x/s390-hypercall.c | 13 +++++++++++++ >>> 1 file changed, 13 insertions(+) >>> >>> diff --git a/hw/s390x/s390-hypercall.c b/hw/s390x/s390-hypercall.c >>> index ac1b08b2cd5..38f1c6132e0 100644 >>> --- a/hw/s390x/s390-hypercall.c >>> +++ b/hw/s390x/s390-hypercall.c >>> @@ -10,6 +10,7 @@ >>> */ >>> >>> #include "qemu/osdep.h" >>> +#include "qemu/error-report.h" >>> #include "cpu.h" >>> #include "hw/s390x/s390-virtio-ccw.h" >>> #include "hw/s390x/s390-hypercall.h" 
>>> @@ -42,6 +43,18 @@ static int handle_virtio_ccw_notify(uint64_t subch_id, >>> uint64_t data) >>> if (!sch || !css_subch_visible(sch)) { >>> return -EINVAL; >>> } >>> + if (sch->id.cu_type != VIRTIO_CCW_CU_TYPE) { >>> + /* >>> + * This might happen in nested setups: If the L1 host defined the >>> + * L2 guest with a virtio device (e.g. virtio-keyboard), and the >>> + * L2 guest passes this device through to the L3 guest, the L3 >>> guest >>> + * might send virtio notifications to the QEMU in L2 for that >>> device. >>> + * But since the QEMU in L2 defined this device as vfio-ccw, it's >>> not >>> + * a VirtIODevice that we can handle here! >>> + */ >>> + warn_report_once("Got virtio notification for unsupported >>> device!"); >> >> Maybe also print which device ended up here? > > You mean the values for cssid, ssid and schid ? Or which information did you > have in mind?
Yes, so that you can correlate this message to the configuration.
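Review bot: the warn_report_once() call in the new cu_type check of handle_virtio_ccw_notify() prints a fixed string, so the warning cannot be matched to a device in the configuration; put the subchannel's cssid, ssid and schid into the format string. Since the guest can trigger this path at will, keeping the _once variant is the right choice against log flooding, but it also means only the first offending subchannel is ever reported, which deserves a mention in the code comment. The quoted hunk stops at the warning, so the rest of the branch is not visible here; please confirm it returns an error (for example -EINVAL, as the check directly above does) before virtio_ccw_get_vdev() is reached.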
