[libvirt PATCH] qemu_hotplug: Fix crash when attaching network interface with hostdev network

Pavel Hrdina via Devel posted 1 patch 1 week, 6 days ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/044de005f5ac5f28cd1d16ca0d84dc4d0321425c.1773131697.git.phrdina@redhat.com
src/qemu/qemu_hotplug.c | 37 +++++++++++++++++++++----------------
1 file changed, 21 insertions(+), 16 deletions(-)
Posted by Pavel Hrdina via Devel 1 week, 6 days ago
From: Pavel Hrdina <phrdina@redhat.com>

The following interface XML will crash libvirt when attached to
a running VM:

  <interface type='network'>
    <source network='hostdev_net'/>
  </interface>

Instead of trying to figure out every single place where hostdev is used
as a struct directly and allocating empty private data, check if iommufd
is configured, as that will happen only for a <hostdev> device where the
private data are correctly allocated.

This patch is best viewed with `git show -w`.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
---
 src/qemu/qemu_hotplug.c | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index b3f2a173a8..966e746f2b 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1630,20 +1630,23 @@ qemuDomainAttachHostPCIDevice(virQEMUDriver *driver,
 
     qemuDomainObjEnterMonitor(vm);
 
-    if (objprops) {
-        if ((ret = qemuFDPassDirectTransferMonitor(priv->iommufd, priv->mon)) < 0)
-            goto exit_monitor;
 
-        if ((ret = qemuMonitorAddObject(priv->mon, &objprops, NULL)) < 0)
-            goto exit_monitor;
+    if (virHostdevIsPCIDeviceWithIOMMUFD(hostdev)) {
+        if (objprops) {
+            if ((ret = qemuFDPassDirectTransferMonitor(priv->iommufd, priv->mon)) < 0)
+                goto exit_monitor;
+
+            if ((ret = qemuMonitorAddObject(priv->mon, &objprops, NULL)) < 0)
+                goto exit_monitor;
 
-        priv->iommufdState = true;
-        removeiommufd = true;
+            priv->iommufdState = true;
+            removeiommufd = true;
+        }
+
+        if ((ret = qemuFDPassDirectTransferMonitor(hostdevPriv->vfioDeviceFd, priv->mon)) < 0)
+            goto exit_monitor;
     }
 
-    if ((ret = qemuFDPassDirectTransferMonitor(hostdevPriv->vfioDeviceFd, priv->mon)) < 0)
-        goto exit_monitor;
-
     if ((ret = qemuDomainAttachExtensionDevice(priv->mon, hostdev->info)) < 0)
         goto exit_monitor;
 
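Review bot: the new `if (virHostdevIsPCIDeviceWithIOMMUFD(hostdev))` guard is the only thing standing between this path and the `hostdevPriv->vfioDeviceFd` dereference, yet nothing in the code says so. The commit message explains that private data is only allocated for a real <hostdev> device and that iommufd is only configured in that case; that invariant deserves a short comment above the guard, or an explicit check that hostdevPriv is non-NULL, so a later refactor that moves the vfioDeviceFd transfer back out of the block does not reintroduce the crash. Style: the unchanged blank line kept after the removed `if (objprops) {` lines now follows the blank line after `qemuDomainObjEnterMonitor(vm);`, leaving two consecutive blank lines before the new `if`.
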
@@ -1674,15 +1677,17 @@ qemuDomainAttachHostPCIDevice(virQEMUDriver *driver,
     if (teardownmemlock && qemuDomainAdjustMaxMemLock(vm) < 0)
         VIR_WARN("Unable to reset maximum locked memory on hotplug fail");
 
-    qemuDomainObjEnterMonitor(vm);
+    if (virHostdevIsPCIDeviceWithIOMMUFD(hostdev)) {
+        qemuDomainObjEnterMonitor(vm);
 
-    if (removeiommufd)
-        ignore_value(qemuMonitorDelObject(priv->mon, "iommufd0", false));
+        if (removeiommufd)
+            ignore_value(qemuMonitorDelObject(priv->mon, "iommufd0", false));
 
-    qemuFDPassDirectTransferMonitorRollback(hostdevPriv->vfioDeviceFd, priv->mon);
-    qemuFDPassDirectTransferMonitorRollback(priv->iommufd, priv->mon);
+        qemuFDPassDirectTransferMonitorRollback(hostdevPriv->vfioDeviceFd, priv->mon);
+        qemuFDPassDirectTransferMonitorRollback(priv->iommufd, priv->mon);
 
-    qemuDomainObjExitMonitor(vm);
+        qemuDomainObjExitMonitor(vm);
+    }
 
     if (releaseaddr)
         qemuDomainReleaseDeviceAddress(vm, info);
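
Review bot: the cleanup path repeats the `virHostdevIsPCIDeviceWithIOMMUFD(hostdev)` call from the attach path, so the two guards have to be kept in sync by hand. Consider evaluating it once into a local flag next to `removeiommufd` and testing that flag in both places, which also makes it obvious that the rollback of `hostdevPriv->vfioDeviceFd` and `priv->iommufd` only runs when the matching transfers could have happened. Separately, the diffstat shows only src/qemu/qemu_hotplug.c changing; a hotplug test that attaches an <interface type='network'> backed by a hostdev network would keep this NULL private data case from regressing.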
-- 
2.53.0
Re: [libvirt PATCH] qemu_hotplug: Fix crash when attaching network interface with hostdev network
Posted by Jiri Denemark via Devel 1 week, 6 days ago
On Tue, Mar 10, 2026 at 09:35:04 +0100, Pavel Hrdina wrote:
> From: Pavel Hrdina <phrdina@redhat.com>
> 
> The following interface XML will crash libvirt when attached to
> a running VM:
> 
>   <interface type='network'>
>     <source network='hostdev_net'/>
>   </interface>
> 
> Instead of trying to figure out every single place where hostdev is used
> as a struct directly and allocating empty private data, check if iommufd
> is configured, as that will happen only for a <hostdev> device where the
> private data are correctly allocated.
> 
> This patch is best viewed with `git show -w`.
> 
> Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
> ---
>  src/qemu/qemu_hotplug.c | 37 +++++++++++++++++++++----------------
>  1 file changed, 21 insertions(+), 16 deletions(-)

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>