[PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI

Raghavendra Rao Ananta posted 6 patches 1 month, 4 weeks ago
There is a newer version of this series
[PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by Raghavendra Rao Ananta 1 month, 4 weeks ago
Add a selftest, vfio_pci_sriov_uapi_test.c, to validate the
SR-IOV UAPI, including the following cases, iterating over
all the IOMMU modes currently supported:
 - Setting correct/incorrect/NULL tokens during device init.
 - Close the PF device immediately after setting the token.
 - Change/override the PF's token after device init.

Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
---
 tools/testing/selftests/vfio/Makefile         |   1 +
 .../selftests/vfio/vfio_pci_sriov_uapi_test.c | 215 ++++++++++++++++++
 2 files changed, 216 insertions(+)
 create mode 100644 tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c

diff --git a/tools/testing/selftests/vfio/Makefile b/tools/testing/selftests/vfio/Makefile
index 3c796ca99a509..f00a63902fbfb 100644
--- a/tools/testing/selftests/vfio/Makefile
+++ b/tools/testing/selftests/vfio/Makefile
@@ -4,6 +4,7 @@ TEST_GEN_PROGS += vfio_iommufd_setup_test
 TEST_GEN_PROGS += vfio_pci_device_test
 TEST_GEN_PROGS += vfio_pci_device_init_perf_test
 TEST_GEN_PROGS += vfio_pci_driver_test
+TEST_GEN_PROGS += vfio_pci_sriov_uapi_test
 
 TEST_FILES += scripts/cleanup.sh
 TEST_FILES += scripts/lib.sh
diff --git a/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c b/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
new file mode 100644
index 0000000000000..4c2951d6e049c
--- /dev/null
+++ b/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
@@ -0,0 +1,215 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <linux/limits.h>
+
+#include <libvfio.h>
+
+#include "../kselftest_harness.h"
+
+#define UUID_1 "52ac9bff-3a88-4fbd-901a-0d767c3b6c97"
+#define UUID_2 "88594674-90a0-47a9-aea8-9d9b352ac08a"
+
+static const char *pf_dev_bdf;
+
+static int test_vfio_pci_container_setup(struct vfio_pci_device *device,
+					 const char *bdf,
+					 const char *vf_token)
+{
+	vfio_pci_group_setup(device, bdf);
+	vfio_container_set_iommu(device);
+	__vfio_pci_group_get_device_fd(device, bdf, vf_token);
+
+	/* The device fd will be -1 in case of mismatched tokens */
+	return (device->fd < 0);
+}
+
+static int test_vfio_pci_iommufd_setup(struct vfio_pci_device *device,
+				       const char *bdf, const char *vf_token)
+{
+	vfio_pci_iommufd_cdev_open(device, bdf);
+	return __vfio_device_bind_iommufd(device->fd,
+					  device->iommu->iommufd, vf_token);
+}
+
+static struct vfio_pci_device *test_vfio_pci_device_init(const char *bdf,
+							 struct iommu *iommu,
+							 const char *vf_token,
+							 int *out_ret)
+{
+	struct vfio_pci_device *device;
+
+	device = calloc(1, sizeof(*device));
+	VFIO_ASSERT_NOT_NULL(device);
+
+	device->iommu = iommu;
+	device->bdf = bdf;
+
+	if (iommu->mode->container_path)
+		*out_ret = test_vfio_pci_container_setup(device, bdf, vf_token);
+	else
+		*out_ret = test_vfio_pci_iommufd_setup(device, bdf, vf_token);
+
+	return device;
+}
+
+static void test_vfio_pci_device_cleanup(struct vfio_pci_device *device)
+{
+	if (device->fd > 0)
+		VFIO_ASSERT_EQ(close(device->fd), 0);
+
+	if (device->group_fd)
+		VFIO_ASSERT_EQ(close(device->group_fd), 0);
+
+	free(device);
+}
+
+FIXTURE(vfio_pci_sriov_uapi_test) {
+	char vf_dev_bdf[16];
+	char vf_driver[32];
+	bool sriov_drivers_autoprobe;
+};
+
+FIXTURE_SETUP(vfio_pci_sriov_uapi_test)
+{
+	int nr_vfs;
+	int ret;
+
+	nr_vfs = sysfs_get_sriov_totalvfs(pf_dev_bdf);
+	if (nr_vfs < 0)
+		SKIP(return, "SR-IOV may not be supported by the device\n");
+
+	nr_vfs = sysfs_get_sriov_numvfs(pf_dev_bdf);
+	if (nr_vfs != 0)
+		SKIP(return, "SR-IOV already configured for the PF\n");
+
+	self->sriov_drivers_autoprobe =
+		sysfs_get_sriov_drivers_autoprobe(pf_dev_bdf);
+	if (self->sriov_drivers_autoprobe)
+		sysfs_set_sriov_drivers_autoprobe(pf_dev_bdf, 0);
+
+	/* Export only one VF for testing */
+	sysfs_set_sriov_numvfs(pf_dev_bdf, 1);
+
+	sysfs_get_sriov_vf_bdf(pf_dev_bdf, 0, self->vf_dev_bdf);
+	if (sysfs_get_driver(self->vf_dev_bdf, self->vf_driver) == 0)
+		sysfs_unbind_driver(self->vf_dev_bdf, self->vf_driver);
+	sysfs_bind_driver(self->vf_dev_bdf, "vfio-pci");
+}
+
+FIXTURE_TEARDOWN(vfio_pci_sriov_uapi_test)
+{
+	sysfs_unbind_driver(self->vf_dev_bdf, "vfio-pci");
+	sysfs_bind_driver(self->vf_dev_bdf, self->vf_driver);
+	sysfs_set_sriov_numvfs(pf_dev_bdf, 0);
+	sysfs_set_sriov_drivers_autoprobe(pf_dev_bdf,
+					  self->sriov_drivers_autoprobe);
+}
+
+FIXTURE_VARIANT(vfio_pci_sriov_uapi_test) {
+	const char *iommu_mode;
+	char *vf_token;
+};
+
+#define FIXTURE_VARIANT_ADD_IOMMU_MODE(_iommu_mode, _name, _vf_token)		\
+FIXTURE_VARIANT_ADD(vfio_pci_sriov_uapi_test, _iommu_mode ## _ ## _name) {	\
+	.iommu_mode = #_iommu_mode,						\
+	.vf_token = (_vf_token),						\
+}
+
+FIXTURE_VARIANT_ADD_ALL_IOMMU_MODES(same_uuid, UUID_1);
+FIXTURE_VARIANT_ADD_ALL_IOMMU_MODES(diff_uuid, UUID_2);
+FIXTURE_VARIANT_ADD_ALL_IOMMU_MODES(null_uuid, NULL);
+
+/*
+ * PF's token is always set with UUID_1 and VF's token is rotated with
+ * various tokens (including UUID_1 and NULL).
+ * This asserts if the VF device is successfully created for a match
+ * in the token or actually fails during a mismatch.
+ */
+#define ASSERT_VF_CREATION(_ret) do {					\
+	if (!variant->vf_token || strcmp(UUID_1, variant->vf_token)) {	\
+		ASSERT_NE((_ret), 0);					\
+	} else {							\
+		ASSERT_EQ((_ret), 0);					\
+	}								\
+} while (0)
+
+/*
+ * Validate if the UAPI handles correctly and incorrectly set token on the VF.
+ */
+TEST_F(vfio_pci_sriov_uapi_test, init_token_match)
+{
+	struct vfio_pci_device *pf_device;
+	struct vfio_pci_device *vf_device;
+	struct iommu *iommu;
+	int ret;
+
+	iommu = iommu_init(variant->iommu_mode);
+	pf_device = test_vfio_pci_device_init(pf_dev_bdf, iommu, UUID_1, &ret);
+	vf_device = test_vfio_pci_device_init(self->vf_dev_bdf, iommu,
+					      variant->vf_token, &ret);
+
+	ASSERT_VF_CREATION(ret);
+
+	test_vfio_pci_device_cleanup(vf_device);
+	test_vfio_pci_device_cleanup(pf_device);
+	iommu_cleanup(iommu);
+}
+
+/*
+ * After setting a token on the PF, validate if the VF can still set the
+ * expected token.
+ */
+TEST_F(vfio_pci_sriov_uapi_test, pf_early_close)
+{
+	struct vfio_pci_device *pf_device;
+	struct vfio_pci_device *vf_device;
+	struct iommu *iommu;
+	int ret;
+
+	iommu = iommu_init(variant->iommu_mode);
+	pf_device = test_vfio_pci_device_init(pf_dev_bdf, iommu, UUID_1, &ret);
+	test_vfio_pci_device_cleanup(pf_device);
+
+	vf_device = test_vfio_pci_device_init(self->vf_dev_bdf, iommu,
+					      variant->vf_token, &ret);
+
+	ASSERT_VF_CREATION(ret);
+
+	test_vfio_pci_device_cleanup(vf_device);
+	iommu_cleanup(iommu);
+}
+
+/*
+ * After PF device init, override the existing token and validate if the newly
+ * set token is the one that's active.
+ */
+TEST_F(vfio_pci_sriov_uapi_test, override_token)
+{
+	struct vfio_pci_device *pf_device;
+	struct vfio_pci_device *vf_device;
+	struct iommu *iommu;
+	int ret;
+
+	iommu = iommu_init(variant->iommu_mode);
+	pf_device = test_vfio_pci_device_init(pf_dev_bdf, iommu, UUID_2, &ret);
+	vfio_device_set_vf_token(pf_device->fd, UUID_1);
+
+	vf_device = test_vfio_pci_device_init(self->vf_dev_bdf, iommu,
+					      variant->vf_token, &ret);
+
+	ASSERT_VF_CREATION(ret);
+
+	test_vfio_pci_device_cleanup(vf_device);
+	test_vfio_pci_device_cleanup(pf_device);
+	iommu_cleanup(iommu);
+}
+
+int main(int argc, char *argv[])
+{
+	pf_dev_bdf = vfio_selftests_get_bdf(&argc, argv);
+	return test_harness_run(argc, argv);
+}
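Review bot: The result of opening the PF is never checked: in init_token_match, pf_early_close and override_token the `ret` written by the PF's `test_vfio_pci_device_init()` call is overwritten by the VF call before anything reads it. If the PF fails to open or bind, the VF open will most likely fail as well, so the diff_uuid and null_uuid variants would satisfy `ASSERT_NE((_ret), 0)` without the VF-token comparison ever running, and that comparison is the access check these tests exist to cover. Adding `ASSERT_EQ(ret, 0);` directly after each PF init makes the negative cases fail for the right reason, assuming a PF open with a token is expected to succeed in every IOMMU mode. In override_token the result of `vfio_device_set_vf_token(pf_device->fd, UUID_1)` is also unchecked in this file; if that helper does not assert internally, its return value should be asserted too.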
-- 
2.52.0.239.gd5f0c6e74e-goog
Re: [PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by David Matlack 1 month ago
On 2025-12-10 06:14 PM, Raghavendra Rao Ananta wrote:
> Add a selfttest, vfio_pci_sriov_uapi_test.c, to validate the
> SR-IOV UAPI, including the following cases, iterating over
> all the IOMMU modes currently supported:
>  - Setting correct/incorrect/NULL tokens during device init.
>  - Close the PF device immediately after setting the token.
>  - Change/override the PF's token after device init.
> 
> Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
> ---
>  tools/testing/selftests/vfio/Makefile         |   1 +
>  .../selftests/vfio/vfio_pci_sriov_uapi_test.c | 215 ++++++++++++++++++
>  2 files changed, 216 insertions(+)
>  create mode 100644 tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
> 
> diff --git a/tools/testing/selftests/vfio/Makefile b/tools/testing/selftests/vfio/Makefile
> index 3c796ca99a509..f00a63902fbfb 100644
> --- a/tools/testing/selftests/vfio/Makefile
> +++ b/tools/testing/selftests/vfio/Makefile
> @@ -4,6 +4,7 @@ TEST_GEN_PROGS += vfio_iommufd_setup_test
>  TEST_GEN_PROGS += vfio_pci_device_test
>  TEST_GEN_PROGS += vfio_pci_device_init_perf_test
>  TEST_GEN_PROGS += vfio_pci_driver_test
> +TEST_GEN_PROGS += vfio_pci_sriov_uapi_test
>  
>  TEST_FILES += scripts/cleanup.sh
>  TEST_FILES += scripts/lib.sh
> diff --git a/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c b/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
> new file mode 100644
> index 0000000000000..4c2951d6e049c
> --- /dev/null
> +++ b/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
> @@ -0,0 +1,215 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +#include <fcntl.h>
> +#include <unistd.h>
> +#include <stdlib.h>
> +#include <sys/ioctl.h>
> +#include <linux/limits.h>
> +
> +#include <libvfio.h>
> +
> +#include "../kselftest_harness.h"
> +
> +#define UUID_1 "52ac9bff-3a88-4fbd-901a-0d767c3b6c97"
> +#define UUID_2 "88594674-90a0-47a9-aea8-9d9b352ac08a"
> +
> +static const char *pf_dev_bdf;

nit: I think you could simplify some of the names in this file. This
code isn't in a library so the names don't have to be globally unique
and quite so long.

  s/pf_dev_bdf/pf_bdf/
  s/vf_dev_bdf/vf_bdf/
  s/pf_device/pf/
  s/vf_device/vf/
  s/test_vfio_pci_container_setup/container_setup/
  s/test_vfio_pci_iommufd_setup/iommufd_setup/
  s/test_vfio_pci_device_init/device_init/
  s/test_vfio_pci_device_cleanup/device_cleanup/

Feel free to ignore this though if you think it makes the names too
terse.

> +
> +static int test_vfio_pci_container_setup(struct vfio_pci_device *device,
> +					 const char *bdf,
> +					 const char *vf_token)
> +{
> +	vfio_pci_group_setup(device, bdf);
> +	vfio_container_set_iommu(device);
> +	__vfio_pci_group_get_device_fd(device, bdf, vf_token);
> +
> +	/* The device fd will be -1 in case of mismatched tokens */
> +	return (device->fd < 0);
> +}
> +
> +static int test_vfio_pci_iommufd_setup(struct vfio_pci_device *device,
> +				       const char *bdf, const char *vf_token)
> +{
> +	vfio_pci_iommufd_cdev_open(device, bdf);
> +	return __vfio_device_bind_iommufd(device->fd,
> +					  device->iommu->iommufd, vf_token);
> +}
> +
> +static struct vfio_pci_device *test_vfio_pci_device_init(const char *bdf,
> +							 struct iommu *iommu,
> +							 const char *vf_token,
> +							 int *out_ret)
> +{
> +	struct vfio_pci_device *device;
> +
> +	device = calloc(1, sizeof(*device));
> +	VFIO_ASSERT_NOT_NULL(device);
> +
> +	device->iommu = iommu;
> +	device->bdf = bdf;

Can you put this in a helper exposed by vfio_pci_device.h? e.g.
vfio_pci_device_alloc()

> +
> +	if (iommu->mode->container_path)
> +		*out_ret = test_vfio_pci_container_setup(device, bdf, vf_token);
> +	else
> +		*out_ret = test_vfio_pci_iommufd_setup(device, bdf, vf_token);
> +
> +	return device;
> +}
> +
> +static void test_vfio_pci_device_cleanup(struct vfio_pci_device *device)
> +{
> +	if (device->fd > 0)
> +		VFIO_ASSERT_EQ(close(device->fd), 0);
> +
> +	if (device->group_fd)
> +		VFIO_ASSERT_EQ(close(device->group_fd), 0);
> +
> +	free(device);
> +}
> +
> +FIXTURE(vfio_pci_sriov_uapi_test) {
> +	char vf_dev_bdf[16];
> +	char vf_driver[32];
> +	bool sriov_drivers_autoprobe;
> +};
> +
> +FIXTURE_SETUP(vfio_pci_sriov_uapi_test)
> +{
> +	int nr_vfs;
> +	int ret;
> +
> +	nr_vfs = sysfs_get_sriov_totalvfs(pf_dev_bdf);
> +	if (nr_vfs < 0)
> +		SKIP(return, "SR-IOV may not be supported by the device\n");

Should this be <= 0?

And replace "the device" with the BDF.

> +
> +	nr_vfs = sysfs_get_sriov_numvfs(pf_dev_bdf);
> +	if (nr_vfs != 0)
> +		SKIP(return, "SR-IOV already configured for the PF\n");

Let's print the BDF and nr_vfs for the user.

> +
> +	self->sriov_drivers_autoprobe =
> +		sysfs_get_sriov_drivers_autoprobe(pf_dev_bdf);
> +	if (self->sriov_drivers_autoprobe)
> +		sysfs_set_sriov_drivers_autoprobe(pf_dev_bdf, 0);
> +
> +	/* Export only one VF for testing */

s/Export/Create/

> +	sysfs_set_sriov_numvfs(pf_dev_bdf, 1);
> +
> +	sysfs_get_sriov_vf_bdf(pf_dev_bdf, 0, self->vf_dev_bdf);
> +	if (sysfs_get_driver(self->vf_dev_bdf, self->vf_driver) == 0)
> +		sysfs_unbind_driver(self->vf_dev_bdf, self->vf_driver);

This should be impossible since we disabled autoprobing.

> +	sysfs_bind_driver(self->vf_dev_bdf, "vfio-pci");

Some devices also require setting driver_override to "vfio-pci" as well
so the device can be bound to vfio-pci. Let's just do that
unconditionally.

> +}
> +
> +FIXTURE_TEARDOWN(vfio_pci_sriov_uapi_test)
> +{
> +	sysfs_unbind_driver(self->vf_dev_bdf, "vfio-pci");
> +	sysfs_bind_driver(self->vf_dev_bdf, self->vf_driver);
> +	sysfs_set_sriov_numvfs(pf_dev_bdf, 0);
> +	sysfs_set_sriov_drivers_autoprobe(pf_dev_bdf,
> +					  self->sriov_drivers_autoprobe);
> +}
> +
> +FIXTURE_VARIANT(vfio_pci_sriov_uapi_test) {
> +	const char *iommu_mode;
> +	char *vf_token;
> +};
> +
> +#define FIXTURE_VARIANT_ADD_IOMMU_MODE(_iommu_mode, _name, _vf_token)		\
> +FIXTURE_VARIANT_ADD(vfio_pci_sriov_uapi_test, _iommu_mode ## _ ## _name) {	\
> +	.iommu_mode = #_iommu_mode,						\
> +	.vf_token = (_vf_token),						\
> +}
> +
> +FIXTURE_VARIANT_ADD_ALL_IOMMU_MODES(same_uuid, UUID_1);
> +FIXTURE_VARIANT_ADD_ALL_IOMMU_MODES(diff_uuid, UUID_2);
> +FIXTURE_VARIANT_ADD_ALL_IOMMU_MODES(null_uuid, NULL);
> +
> +/*
> + * PF's token is always set with UUID_1 and VF's token is rotated with
> + * various tokens (including UUID_1 and NULL).
> + * This asserts if the VF device is successfully created for a match
> + * in the token or actually fails during a mismatch.
> + */
> +#define ASSERT_VF_CREATION(_ret) do {					\
> +	if (!variant->vf_token || strcmp(UUID_1, variant->vf_token)) {	\
> +		ASSERT_NE((_ret), 0);					\
> +	} else {							\
> +		ASSERT_EQ((_ret), 0);					\
> +	}								\
> +} while (0)
> +
> +/*
> + * Validate if the UAPI handles correctly and incorrectly set token on the VF.
> + */
> +TEST_F(vfio_pci_sriov_uapi_test, init_token_match)
> +{
> +	struct vfio_pci_device *pf_device;
> +	struct vfio_pci_device *vf_device;
> +	struct iommu *iommu;
> +	int ret;
> +
> +	iommu = iommu_init(variant->iommu_mode);
> +	pf_device = test_vfio_pci_device_init(pf_dev_bdf, iommu, UUID_1, &ret);
> +	vf_device = test_vfio_pci_device_init(self->vf_dev_bdf, iommu,
> +					      variant->vf_token, &ret);
> +
> +	ASSERT_VF_CREATION(ret);
> +
> +	test_vfio_pci_device_cleanup(vf_device);
> +	test_vfio_pci_device_cleanup(pf_device);
> +	iommu_cleanup(iommu);
> +}
> +
> +/*
> + * After setting a token on the PF, validate if the VF can still set the
> + * expected token.
> + */
> +TEST_F(vfio_pci_sriov_uapi_test, pf_early_close)
> +{
> +	struct vfio_pci_device *pf_device;
> +	struct vfio_pci_device *vf_device;
> +	struct iommu *iommu;
> +	int ret;
> +
> +	iommu = iommu_init(variant->iommu_mode);
> +	pf_device = test_vfio_pci_device_init(pf_dev_bdf, iommu, UUID_1, &ret);
> +	test_vfio_pci_device_cleanup(pf_device);
> +
> +	vf_device = test_vfio_pci_device_init(self->vf_dev_bdf, iommu,
> +					      variant->vf_token, &ret);
> +
> +	ASSERT_VF_CREATION(ret);
> +
> +	test_vfio_pci_device_cleanup(vf_device);
> +	iommu_cleanup(iommu);
> +}
> +
> +/*
> + * After PF device init, override the existing token and validate if the newly
> + * set token is the one that's active.
> + */
> +TEST_F(vfio_pci_sriov_uapi_test, override_token)
> +{
> +	struct vfio_pci_device *pf_device;
> +	struct vfio_pci_device *vf_device;
> +	struct iommu *iommu;
> +	int ret;
> +
> +	iommu = iommu_init(variant->iommu_mode);
> +	pf_device = test_vfio_pci_device_init(pf_dev_bdf, iommu, UUID_2, &ret);
> +	vfio_device_set_vf_token(pf_device->fd, UUID_1);
> +
> +	vf_device = test_vfio_pci_device_init(self->vf_dev_bdf, iommu,
> +					      variant->vf_token, &ret);
> +
> +	ASSERT_VF_CREATION(ret);
> +
> +	test_vfio_pci_device_cleanup(vf_device);
> +	test_vfio_pci_device_cleanup(pf_device);
> +	iommu_cleanup(iommu);
> +}
> +
> +int main(int argc, char *argv[])
> +{
> +	pf_dev_bdf = vfio_selftests_get_bdf(&argc, argv);
> +	return test_harness_run(argc, argv);
> +}
> -- 
> 2.52.0.239.gd5f0c6e74e-goog
>
Re: [PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by Raghavendra Rao Ananta 4 weeks, 1 day ago
On Wed, Jan 7, 2026 at 3:22 PM David Matlack <dmatlack@google.com> wrote:
>
> On 2025-12-10 06:14 PM, Raghavendra Rao Ananta wrote:
> > Add a selfttest, vfio_pci_sriov_uapi_test.c, to validate the
> > SR-IOV UAPI, including the following cases, iterating over
> > all the IOMMU modes currently supported:
> >  - Setting correct/incorrect/NULL tokens during device init.
> >  - Close the PF device immediately after setting the token.
> >  - Change/override the PF's token after device init.
> >
> > Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
> > ---
> >  tools/testing/selftests/vfio/Makefile         |   1 +
> >  .../selftests/vfio/vfio_pci_sriov_uapi_test.c | 215 ++++++++++++++++++
> >  2 files changed, 216 insertions(+)
> >  create mode 100644 tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
> >
> > diff --git a/tools/testing/selftests/vfio/Makefile b/tools/testing/selftests/vfio/Makefile
> > index 3c796ca99a509..f00a63902fbfb 100644
> > --- a/tools/testing/selftests/vfio/Makefile
> > +++ b/tools/testing/selftests/vfio/Makefile
> > @@ -4,6 +4,7 @@ TEST_GEN_PROGS += vfio_iommufd_setup_test
> >  TEST_GEN_PROGS += vfio_pci_device_test
> >  TEST_GEN_PROGS += vfio_pci_device_init_perf_test
> >  TEST_GEN_PROGS += vfio_pci_driver_test
> > +TEST_GEN_PROGS += vfio_pci_sriov_uapi_test
> >
> >  TEST_FILES += scripts/cleanup.sh
> >  TEST_FILES += scripts/lib.sh
> > diff --git a/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c b/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
> > new file mode 100644
> > index 0000000000000..4c2951d6e049c
> > --- /dev/null
> > +++ b/tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test.c
> > @@ -0,0 +1,215 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +#include <fcntl.h>
> > +#include <unistd.h>
> > +#include <stdlib.h>
> > +#include <sys/ioctl.h>
> > +#include <linux/limits.h>
> > +
> > +#include <libvfio.h>
> > +
> > +#include "../kselftest_harness.h"
> > +
> > +#define UUID_1 "52ac9bff-3a88-4fbd-901a-0d767c3b6c97"
> > +#define UUID_2 "88594674-90a0-47a9-aea8-9d9b352ac08a"
> > +
> > +static const char *pf_dev_bdf;
>
> nit: I think you could simplify some of the names in this file. This
> code isn't in a library so the names dont' have to be globally unique
> and quite so long.
>
>   s/pf_dev_bdf/pf_bdf/
>   s/vf_dev_bdf/vf_bdf/
>   s/pf_device/pf/
>   s/vf_device/vf/
>   s/test_vfio_pci_container_setup/container_setup/
>   s/test_vfio_pci_iommufd_setup/iommufd_setup/
>   s/test_vfio_pci_device_init/device_init/
>   s/test_vfio_pci_device_cleanup/device_cleanup/
>
> Feel free to ignore this though if you think it makes the names too
> terse.
>
No, I think the short versions are fine. I can change in the next version.

> > +
> > +static int test_vfio_pci_container_setup(struct vfio_pci_device *device,
> > +                                      const char *bdf,
> > +                                      const char *vf_token)
> > +{
> > +     vfio_pci_group_setup(device, bdf);
> > +     vfio_container_set_iommu(device);
> > +     __vfio_pci_group_get_device_fd(device, bdf, vf_token);
> > +
> > +     /* The device fd will be -1 in case of mismatched tokens */
> > +     return (device->fd < 0);
> > +}
> > +
> > +static int test_vfio_pci_iommufd_setup(struct vfio_pci_device *device,
> > +                                    const char *bdf, const char *vf_token)
> > +{
> > +     vfio_pci_iommufd_cdev_open(device, bdf);
> > +     return __vfio_device_bind_iommufd(device->fd,
> > +                                       device->iommu->iommufd, vf_token);
> > +}
> > +
> > +static struct vfio_pci_device *test_vfio_pci_device_init(const char *bdf,
> > +                                                      struct iommu *iommu,
> > +                                                      const char *vf_token,
> > +                                                      int *out_ret)
> > +{
> > +     struct vfio_pci_device *device;
> > +
> > +     device = calloc(1, sizeof(*device));
> > +     VFIO_ASSERT_NOT_NULL(device);
> > +
> > +     device->iommu = iommu;
> > +     device->bdf = bdf;
>
> Can you put this in a helper exposed by vfio_pci_device.h? e.g.
> vfio_pci_device_alloc()
>
Is that just to wrap the ASSERT() within? Or were you thinking of
initializing the members as well in there?


> > +
> > +     if (iommu->mode->container_path)
> > +             *out_ret = test_vfio_pci_container_setup(device, bdf, vf_token);
> > +     else
> > +             *out_ret = test_vfio_pci_iommufd_setup(device, bdf, vf_token);
> > +
> > +     return device;
> > +}
> > +
> > +static void test_vfio_pci_device_cleanup(struct vfio_pci_device *device)
> > +{
> > +     if (device->fd > 0)
> > +             VFIO_ASSERT_EQ(close(device->fd), 0);
> > +
> > +     if (device->group_fd)
> > +             VFIO_ASSERT_EQ(close(device->group_fd), 0);
> > +
> > +     free(device);
> > +}
> > +
> > +FIXTURE(vfio_pci_sriov_uapi_test) {
> > +     char vf_dev_bdf[16];
> > +     char vf_driver[32];
> > +     bool sriov_drivers_autoprobe;
> > +};
> > +
> > +FIXTURE_SETUP(vfio_pci_sriov_uapi_test)
> > +{
> > +     int nr_vfs;
> > +     int ret;
> > +
> > +     nr_vfs = sysfs_get_sriov_totalvfs(pf_dev_bdf);
> > +     if (nr_vfs < 0)
> > +             SKIP(return, "SR-IOV may not be supported by the device\n");
>
> Should this be <= 0?
>
Yes, <= 0 should be better. I was only aiming for the case where
"Device doesn't support SR-IOV if the file is absent." Looking at the
pci code, I think there's a potential for returning 0, say for a VF or
an error in the PCI config.
I'll update this in v3.

> And replace "the device" with the BDF.
>
Sure

> > +
> > +     nr_vfs = sysfs_get_sriov_numvfs(pf_dev_bdf);
> > +     if (nr_vfs != 0)
> > +             SKIP(return, "SR-IOV already configured for the PF\n");
>
> Let's print the BDF and nr_vfs for the user.
>
Sure

> > +
> > +     self->sriov_drivers_autoprobe =
> > +             sysfs_get_sriov_drivers_autoprobe(pf_dev_bdf);
> > +     if (self->sriov_drivers_autoprobe)
> > +             sysfs_set_sriov_drivers_autoprobe(pf_dev_bdf, 0);
> > +
> > +     /* Export only one VF for testing */
>
> s/Export/Create/
>
Sure

> > +     sysfs_set_sriov_numvfs(pf_dev_bdf, 1);
> > +
> > +     sysfs_get_sriov_vf_bdf(pf_dev_bdf, 0, self->vf_dev_bdf);
> > +     if (sysfs_get_driver(self->vf_dev_bdf, self->vf_driver) == 0)
> > +             sysfs_unbind_driver(self->vf_dev_bdf, self->vf_driver);
>
> This should be impossible since we disabled autoprobing.
>
> > +     sysfs_bind_driver(self->vf_dev_bdf, "vfio-pci");
>
> Some devices also require setting driver_override to "vfio-pci" as well
> so the device can be bound to vfio-pci. Let's just do that
> unconditionally.
>
Sure, I'll include that in v3.

Thank you.
Raghavendra
Re: [PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by David Matlack 3 weeks, 4 days ago
On 2026-01-09 11:05 AM, Raghavendra Rao Ananta wrote:
> On Wed, Jan 7, 2026 at 3:22 PM David Matlack <dmatlack@google.com> wrote:
> > On 2025-12-10 06:14 PM, Raghavendra Rao Ananta wrote:

> > > +static struct vfio_pci_device *test_vfio_pci_device_init(const char *bdf,
> > > +                                                      struct iommu *iommu,
> > > +                                                      const char *vf_token,
> > > +                                                      int *out_ret)
> > > +{
> > > +     struct vfio_pci_device *device;
> > > +
> > > +     device = calloc(1, sizeof(*device));
> > > +     VFIO_ASSERT_NOT_NULL(device);
> > > +
> > > +     device->iommu = iommu;
> > > +     device->bdf = bdf;
> >
> > Can you put this in a helper exposed by vfio_pci_device.h? e.g.
> > vfio_pci_device_alloc()
> >
> Is that just to wrap the ASSERT() within? Or were you thinking of
> initializing the members as well in there?

I was thinking it would include all of the above.
Re: [PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by David Matlack 1 month, 3 weeks ago
On 2025-12-10 06:14 PM, Raghavendra Rao Ananta wrote:
> Add a selfttest, vfio_pci_sriov_uapi_test.c, to validate the
> SR-IOV UAPI, including the following cases, iterating over
> all the IOMMU modes currently supported:
>  - Setting correct/incorrect/NULL tokens during device init.
>  - Close the PF device immediately after setting the token.
>  - Change/override the PF's token after device init.
> 
> Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>

I hit the following kernel NULL pointer dereference after running the
new test a few times (nice!).

Repro:

  $ tools/testing/selftests/vfio/scripts/setup.sh 0000:16:00.1
  $ tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test 0000:16:00.1
  $ tools/testing/selftests/vfio/scripts/cleanup.sh
  ... repeat ...

The panic:

[  553.245784][T27601] vfio-pci 0000:1a:00.0: probe with driver vfio-pci failed with error -22
[  553.256622][T27601] vfio-pci 0000:1a:00.0: probe with driver vfio-pci failed with error -22
[  574.857650][T27935] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  574.865322][T27935] #PF: supervisor read access in kernel mode
[  574.871175][T27935] #PF: error_code(0x0000) - not-present page
[  574.877021][T27935] PGD 4116e63067 P4D 40fb0a3067 PUD 409597f067 PMD 0
[  574.883654][T27935] Oops: Oops: 0000 [#1] SMP NOPTI
[  574.888551][T27935] CPU: 100 UID: 0 PID: 27935 Comm: vfio_pci_sriov_ Tainted: G S      W           6.18.0-smp-DEV #1 NONE
[  574.899600][T27935] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
[  574.905104][T27935] Hardware name: Google Izumi-EMR/izumi, BIOS 0.20250801.2-0 08/25/2025
[  574.913289][T27935] RIP: 0010:rb_insert_color+0x44/0x110
[  574.918623][T27935] Code: cc cc 48 89 cf 48 83 cf 01 48 89 3a 48 89 38 48 8b 01 48 89 cf 48 83 e0 fc 48 89 01 74 d7 48 8b 08 f6 c1 01 0f 85 c1 00 00 00 <48> 8b 51 08 48 39 c2 74 0c 48 85 d2 74 4f f6 02 01 74 c5 eb 48 48
[  574.938080][T27935] RSP: 0018:ff85113dcdd6bb08 EFLAGS: 00010046
[  574.944013][T27935] RAX: ff3f257594a99e80 RBX: ff3f25758af490c0 RCX: 0000000000000000
[  574.951857][T27935] RDX: 0000000000001a00 RSI: ff3f25360038eb70 RDI: ff3f2536658bbee0
[  574.959702][T27935] RBP: ff3f25360038ea00 R08: 0000000000000002 R09: ff85113dcdd6badc
[  574.967544][T27935] R10: ff3f257590ab8000 R11: ffffffffa78210a0 R12: ff3f2536658bbea0
[  574.975387][T27935] R13: 0000000000000286 R14: ff3f25758af49000 R15: ff3f25360038eb78
[  574.983230][T27935] FS:  00000000223403c0(0000) GS:ff3f25b4d4d83000(0000) knlGS:0000000000000000
[  574.992032][T27935] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  574.998488][T27935] CR2: 0000000000000008 CR3: 00000040fa254005 CR4: 0000000000f71ef0
[  575.006332][T27935] PKRU: 55555554
[  575.009753][T27935] Call Trace:
[  575.012919][T27935]  <TASK>
[  575.015730][T27935]  intel_iommu_probe_device+0x4c9/0x7b0
[  575.021153][T27935]  __iommu_probe_device+0x101/0x4c0
[  575.026231][T27935]  iommu_bus_notifier+0x37/0x100
[  575.031046][T27935]  blocking_notifier_call_chain+0x53/0xd0
[  575.036634][T27935]  bus_notify+0x99/0xc0
[  575.040666][T27935]  device_add+0x252/0x470
[  575.044872][T27935]  pci_device_add+0x414/0x5c0
[  575.049429][T27935]  pci_iov_add_virtfn+0x2f2/0x3e0
[  575.054326][T27935]  sriov_add_vfs+0x33/0x70
[  575.058613][T27935]  sriov_enable+0x2fc/0x490
[  575.062992][T27935]  vfio_pci_core_sriov_configure+0x16c/0x210
[  575.068843][T27935]  sriov_numvfs_store+0xc4/0x190
[  575.073652][T27935]  kernfs_fop_write_iter+0xfe/0x180
[  575.078724][T27935]  vfs_write+0x2d0/0x430
[  575.082846][T27935]  ksys_write+0x7f/0x100
[  575.086965][T27935]  do_syscall_64+0x6f/0x940
[  575.091339][T27935]  ? arch_exit_to_user_mode_prepare+0x9/0xb0
[  575.097193][T27935]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  575.102952][T27935] RIP: 0033:0x46fcf7
[  575.106721][T27935] Code: 48 89 fa 4c 89 df e8 88 16 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[  575.126178][T27935] RSP: 002b:00007ffe991aff40 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[  575.134457][T27935] RAX: ffffffffffffffda RBX: 00000000223403c0 RCX: 000000000046fcf7
[  575.142301][T27935] RDX: 0000000000000001 RSI: 00007ffe991b1050 RDI: 0000000000000003
[  575.150143][T27935] RBP: 00007ffe991b0ff0 R08: 0000000000000000 R09: 0000000000000000
[  575.157985][T27935] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe991b1768
[  575.165829][T27935] R13: 0000000000000016 R14: 00000000004dd480 R15: 0000000000000016
[  575.173677][T27935]  </TASK>
[  575.176573][T27935] Modules linked in: vfat fat dummy bridge stp llc intel_vsec cdc_acm cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd
[  575.190930][T27935] CR2: 0000000000000008
[  575.194960][T27935] ---[ end trace 0000000000000000 ]---
[  575.204004][T27935] RIP: 0010:rb_insert_color+0x44/0x110
[  575.209336][T27935] Code: cc cc 48 89 cf 48 83 cf 01 48 89 3a 48 89 38 48 8b 01 48 89 cf 48 83 e0 fc 48 89 01 74 d7 48 8b 08 f6 c1 01 0f 85 c1 00 00 00 <48> 8b 51 08 48 39 c2 74 0c 48 85 d2 74 4f f6 02 01 74 c5 eb 48 48
[  575.228796][T27935] RSP: 0018:ff85113dcdd6bb08 EFLAGS: 00010046
[  575.234729][T27935] RAX: ff3f257594a99e80 RBX: ff3f25758af490c0 RCX: 0000000000000000
[  575.242572][T27935] RDX: 0000000000001a00 RSI: ff3f25360038eb70 RDI: ff3f2536658bbee0
[  575.250414][T27935] RBP: ff3f25360038ea00 R08: 0000000000000002 R09: ff85113dcdd6badc
[  575.258263][T27935] R10: ff3f257590ab8000 R11: ffffffffa78210a0 R12: ff3f2536658bbea0
[  575.266105][T27935] R13: 0000000000000286 R14: ff3f25758af49000 R15: ff3f25360038eb78
[  575.273948][T27935] FS:  00000000223403c0(0000) GS:ff3f25b4d4d83000(0000) knlGS:0000000000000000
[  575.282741][T27935] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  575.289197][T27935] CR2: 0000000000000008 CR3: 00000040fa254005 CR4: 0000000000f71ef0
[  575.297046][T27935] PKRU: 55555554
[  575.300466][T27935] Kernel panic - not syncing: Fatal exception
[  575.345557][T27935] Kernel Offset: 0x25800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[  575.362075][T27935] mtdoops: Cannot write from panic without panic_write
[  575.368795][T27935] Rebooting in 10 seconds..

I also have the following diff on top of your series to fix the other
bug you found.

diff --git a/tools/testing/selftests/vfio/lib/sysfs.c b/tools/testing/selftests/vfio/lib/sysfs.c
index 5551e8b98107..d94616e8aff4 100644
--- a/tools/testing/selftests/vfio/lib/sysfs.c
+++ b/tools/testing/selftests/vfio/lib/sysfs.c
@@ -40,7 +40,7 @@ static void sysfs_set_val(const char *component, const char *name,

 static int sysfs_get_device_val(const char *bdf, const char *file)
 {
-       sysfs_get_val("devices", bdf, file);
+       return sysfs_get_val("devices", bdf, file);
 }

 static void sysfs_set_device_val(const char *bdf, const char *file, const char *val)
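Review bot: The missing `return` in `sysfs_get_device_val()` is a class of bug the compiler can reject outright, and nothing visible in this hunk keeps it from recurring in any other int-returning helper in lib/sysfs.c. Using the result of a non-void function that flows off its end is undefined behaviour in C, so callers were acting on an indeterminate value rather than the sysfs contents. If the selftests build does not already do so, `CFLAGS += -Werror=return-type` in the vfio selftests Makefile would turn this into a build failure. Whether `sysfs_get_val()` itself can report a read or parse error to its caller is not visible from this hunk.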

I'm not sure which exact test case triggered the panic. This is the only
test output that made it to my ssh window:

  TAP version 13
  1..45
  # Starting 45 tests from 15 test cases.
  #  RUN           vfio_pci_sriov_uapi_test.vfio_type1_iommu_same_uuid.init_token_match ...
Re: [PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by Raghavendra Rao Ananta 1 month ago
+ cc: iommu@lists.linux.dev for the crash

Thank you.
Raghavendra


On Thu, Dec 18, 2025 at 3:26 PM David Matlack <dmatlack@google.com> wrote:
>
> On 2025-12-10 06:14 PM, Raghavendra Rao Ananta wrote:
> > Add a selfttest, vfio_pci_sriov_uapi_test.c, to validate the
> > SR-IOV UAPI, including the following cases, iterating over
> > all the IOMMU modes currently supported:
> >  - Setting correct/incorrect/NULL tokens during device init.
> >  - Close the PF device immediately after setting the token.
> >  - Change/override the PF's token after device init.
> >
> > Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
>
> I hit the following kernel NULL pointer dereference after running the
> new test a few times (nice!).
>
> Repro:
>
>   $ tools/testing/selftests/vfio/scripts/setup.sh 0000:16:00.1
>   $ tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test 0000:16:00.1
>   $ tools/testing/selftests/vfio/scripts/cleanup.sh
>   ... repeat ...
>
> The panic:
>
> [  553.245784][T27601] vfio-pci 0000:1a:00.0: probe with driver vfio-pci failed with error -22
> [  553.256622][T27601] vfio-pci 0000:1a:00.0: probe with driver vfio-pci failed with error -22
> [  574.857650][T27935] BUG: kernel NULL pointer dereference, address: 0000000000000008
> [  574.865322][T27935] #PF: supervisor read access in kernel mode
> [  574.871175][T27935] #PF: error_code(0x0000) - not-present page
> [  574.877021][T27935] PGD 4116e63067 P4D 40fb0a3067 PUD 409597f067 PMD 0
> [  574.883654][T27935] Oops: Oops: 0000 [#1] SMP NOPTI
> [  574.888551][T27935] CPU: 100 UID: 0 PID: 27935 Comm: vfio_pci_sriov_ Tainted: G S      W           6.18.0-smp-DEV #1 NONE
> [  574.899600][T27935] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
> [  574.905104][T27935] Hardware name: Google Izumi-EMR/izumi, BIOS 0.20250801.2-0 08/25/2025
> [  574.913289][T27935] RIP: 0010:rb_insert_color+0x44/0x110
> [  574.918623][T27935] Code: cc cc 48 89 cf 48 83 cf 01 48 89 3a 48 89 38 48 8b 01 48 89 cf 48 83 e0 fc 48 89 01 74 d7 48 8b 08 f6 c1 01 0f 85 c1 00 00 00 <48> 8b 51 08 48 39 c2 74 0c 48 85 d2 74 4f f6 02 01 74 c5 eb 48 48
> [  574.938080][T27935] RSP: 0018:ff85113dcdd6bb08 EFLAGS: 00010046
> [  574.944013][T27935] RAX: ff3f257594a99e80 RBX: ff3f25758af490c0 RCX: 0000000000000000
> [  574.951857][T27935] RDX: 0000000000001a00 RSI: ff3f25360038eb70 RDI: ff3f2536658bbee0
> [  574.959702][T27935] RBP: ff3f25360038ea00 R08: 0000000000000002 R09: ff85113dcdd6badc
> [  574.967544][T27935] R10: ff3f257590ab8000 R11: ffffffffa78210a0 R12: ff3f2536658bbea0
> [  574.975387][T27935] R13: 0000000000000286 R14: ff3f25758af49000 R15: ff3f25360038eb78
> [  574.983230][T27935] FS:  00000000223403c0(0000) GS:ff3f25b4d4d83000(0000) knlGS:0000000000000000
> [  574.992032][T27935] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  574.998488][T27935] CR2: 0000000000000008 CR3: 00000040fa254005 CR4: 0000000000f71ef0
> [  575.006332][T27935] PKRU: 55555554
> [  575.009753][T27935] Call Trace:
> [  575.012919][T27935]  <TASK>
> [  575.015730][T27935]  intel_iommu_probe_device+0x4c9/0x7b0
> [  575.021153][T27935]  __iommu_probe_device+0x101/0x4c0
> [  575.026231][T27935]  iommu_bus_notifier+0x37/0x100
> [  575.031046][T27935]  blocking_notifier_call_chain+0x53/0xd0
> [  575.036634][T27935]  bus_notify+0x99/0xc0
> [  575.040666][T27935]  device_add+0x252/0x470
> [  575.044872][T27935]  pci_device_add+0x414/0x5c0
> [  575.049429][T27935]  pci_iov_add_virtfn+0x2f2/0x3e0
> [  575.054326][T27935]  sriov_add_vfs+0x33/0x70
> [  575.058613][T27935]  sriov_enable+0x2fc/0x490
> [  575.062992][T27935]  vfio_pci_core_sriov_configure+0x16c/0x210
> [  575.068843][T27935]  sriov_numvfs_store+0xc4/0x190
> [  575.073652][T27935]  kernfs_fop_write_iter+0xfe/0x180
> [  575.078724][T27935]  vfs_write+0x2d0/0x430
> [  575.082846][T27935]  ksys_write+0x7f/0x100
> [  575.086965][T27935]  do_syscall_64+0x6f/0x940
> [  575.091339][T27935]  ? arch_exit_to_user_mode_prepare+0x9/0xb0
> [  575.097193][T27935]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [  575.102952][T27935] RIP: 0033:0x46fcf7
> [  575.106721][T27935] Code: 48 89 fa 4c 89 df e8 88 16 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
> [  575.126178][T27935] RSP: 002b:00007ffe991aff40 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
> [  575.134457][T27935] RAX: ffffffffffffffda RBX: 00000000223403c0 RCX: 000000000046fcf7
> [  575.142301][T27935] RDX: 0000000000000001 RSI: 00007ffe991b1050 RDI: 0000000000000003
> [  575.150143][T27935] RBP: 00007ffe991b0ff0 R08: 0000000000000000 R09: 0000000000000000
> [  575.157985][T27935] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe991b1768
> [  575.165829][T27935] R13: 0000000000000016 R14: 00000000004dd480 R15: 0000000000000016
> [  575.173677][T27935]  </TASK>
> [  575.176573][T27935] Modules linked in: vfat fat dummy bridge stp llc intel_vsec cdc_acm cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd
> [  575.190930][T27935] CR2: 0000000000000008
> [  575.194960][T27935] ---[ end trace 0000000000000000 ]---
> [  575.204004][T27935] RIP: 0010:rb_insert_color+0x44/0x110
> [  575.209336][T27935] Code: cc cc 48 89 cf 48 83 cf 01 48 89 3a 48 89 38 48 8b 01 48 89 cf 48 83 e0 fc 48 89 01 74 d7 48 8b 08 f6 c1 01 0f 85 c1 00 00 00 <48> 8b 51 08 48 39 c2 74 0c 48 85 d2 74 4f f6 02 01 74 c5 eb 48 48
> [  575.228796][T27935] RSP: 0018:ff85113dcdd6bb08 EFLAGS: 00010046
> [  575.234729][T27935] RAX: ff3f257594a99e80 RBX: ff3f25758af490c0 RCX: 0000000000000000
> [  575.242572][T27935] RDX: 0000000000001a00 RSI: ff3f25360038eb70 RDI: ff3f2536658bbee0
> [  575.250414][T27935] RBP: ff3f25360038ea00 R08: 0000000000000002 R09: ff85113dcdd6badc
> [  575.258263][T27935] R10: ff3f257590ab8000 R11: ffffffffa78210a0 R12: ff3f2536658bbea0
> [  575.266105][T27935] R13: 0000000000000286 R14: ff3f25758af49000 R15: ff3f25360038eb78
> [  575.273948][T27935] FS:  00000000223403c0(0000) GS:ff3f25b4d4d83000(0000) knlGS:0000000000000000
> [  575.282741][T27935] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  575.289197][T27935] CR2: 0000000000000008 CR3: 00000040fa254005 CR4: 0000000000f71ef0
> [  575.297046][T27935] PKRU: 55555554
> [  575.300466][T27935] Kernel panic - not syncing: Fatal exception
> [  575.345557][T27935] Kernel Offset: 0x25800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [  575.362075][T27935] mtdoops: Cannot write from panic without panic_write
> [  575.368795][T27935] Rebooting in 10 seconds..
>
> I also have the following diff on top of your series to fix the other
> bug you found.
>
> diff --git a/tools/testing/selftests/vfio/lib/sysfs.c b/tools/testing/selftests/vfio/lib/sysfs.c
> index 5551e8b98107..d94616e8aff4 100644
> --- a/tools/testing/selftests/vfio/lib/sysfs.c
> +++ b/tools/testing/selftests/vfio/lib/sysfs.c
> @@ -40,7 +40,7 @@ static void sysfs_set_val(const char *component, const char *name,
>
>  static int sysfs_get_device_val(const char *bdf, const char *file)
>  {
> -       sysfs_get_val("devices", bdf, file);
> +       return sysfs_get_val("devices", bdf, file);
>  }
>
>  static void sysfs_set_device_val(const char *bdf, const char *file, const char *val)
>
> I'm not sure which exact test case triggered the panic. This is the only
> test output that made it to my ssh window:
>
>   TAP version 13
>   1..45
>   # Starting 45 tests from 15 test cases.
>   #  RUN           vfio_pci_sriov_uapi_test.vfio_type1_iommu_same_uuid.init_token_match ...
Re: [PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by David Matlack 2 days, 19 hours ago
On 2026-01-06 11:47 AM, Raghavendra Rao Ananta wrote:
> On Thu, Dec 18, 2025 at 3:26 PM David Matlack <dmatlack@google.com> wrote:
> >
> > On 2025-12-10 06:14 PM, Raghavendra Rao Ananta wrote:
> > > Add a selfttest, vfio_pci_sriov_uapi_test.c, to validate the
> > > SR-IOV UAPI, including the following cases, iterating over
> > > all the IOMMU modes currently supported:
> > >  - Setting correct/incorrect/NULL tokens during device init.
> > >  - Close the PF device immediately after setting the token.
> > >  - Change/override the PF's token after device init.
> > >
> > > Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
> >
> > I hit the following kernel NULL pointer dereference after running the
> > new test a few times (nice!).
> >
> > Repro:
> >
> >   $ tools/testing/selftests/vfio/scripts/setup.sh 0000:16:00.1
> >   $ tools/testing/selftests/vfio/vfio_pci_sriov_uapi_test 0000:16:00.1
> >   $ tools/testing/selftests/vfio/scripts/cleanup.sh
> >   ... repeat ...
> >
> > The panic:
> >
> > [  553.245784][T27601] vfio-pci 0000:1a:00.0: probe with driver vfio-pci failed with error -22
> > [  553.256622][T27601] vfio-pci 0000:1a:00.0: probe with driver vfio-pci failed with error -22
> > [  574.857650][T27935] BUG: kernel NULL pointer dereference, address: 0000000000000008
> > [  574.865322][T27935] #PF: supervisor read access in kernel mode
> > [  574.871175][T27935] #PF: error_code(0x0000) - not-present page
> > [  574.877021][T27935] PGD 4116e63067 P4D 40fb0a3067 PUD 409597f067 PMD 0
> > [  574.883654][T27935] Oops: Oops: 0000 [#1] SMP NOPTI
> > [  574.888551][T27935] CPU: 100 UID: 0 PID: 27935 Comm: vfio_pci_sriov_ Tainted: G S      W           6.18.0-smp-DEV #1 NONE
> > [  574.899600][T27935] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
> > [  574.905104][T27935] Hardware name: Google Izumi-EMR/izumi, BIOS 0.20250801.2-0 08/25/2025
> > [  574.913289][T27935] RIP: 0010:rb_insert_color+0x44/0x110
> > [  574.918623][T27935] Code: cc cc 48 89 cf 48 83 cf 01 48 89 3a 48 89 38 48 8b 01 48 89 cf 48 83 e0 fc 48 89 01 74 d7 48 8b 08 f6 c1 01 0f 85 c1 00 00 00 <48> 8b 51 08 48 39 c2 74 0c 48 85 d2 74 4f f6 02 01 74 c5 eb 48 48
> > [  574.938080][T27935] RSP: 0018:ff85113dcdd6bb08 EFLAGS: 00010046
> > [  574.944013][T27935] RAX: ff3f257594a99e80 RBX: ff3f25758af490c0 RCX: 0000000000000000
> > [  574.951857][T27935] RDX: 0000000000001a00 RSI: ff3f25360038eb70 RDI: ff3f2536658bbee0
> > [  574.959702][T27935] RBP: ff3f25360038ea00 R08: 0000000000000002 R09: ff85113dcdd6badc
> > [  574.967544][T27935] R10: ff3f257590ab8000 R11: ffffffffa78210a0 R12: ff3f2536658bbea0
> > [  574.975387][T27935] R13: 0000000000000286 R14: ff3f25758af49000 R15: ff3f25360038eb78
> > [  574.983230][T27935] FS:  00000000223403c0(0000) GS:ff3f25b4d4d83000(0000) knlGS:0000000000000000
> > [  574.992032][T27935] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  574.998488][T27935] CR2: 0000000000000008 CR3: 00000040fa254005 CR4: 0000000000f71ef0
> > [  575.006332][T27935] PKRU: 55555554
> > [  575.009753][T27935] Call Trace:
> > [  575.012919][T27935]  <TASK>
> > [  575.015730][T27935]  intel_iommu_probe_device+0x4c9/0x7b0
> > [  575.021153][T27935]  __iommu_probe_device+0x101/0x4c0
> > [  575.026231][T27935]  iommu_bus_notifier+0x37/0x100
> > [  575.031046][T27935]  blocking_notifier_call_chain+0x53/0xd0
> > [  575.036634][T27935]  bus_notify+0x99/0xc0
> > [  575.040666][T27935]  device_add+0x252/0x470
> > [  575.044872][T27935]  pci_device_add+0x414/0x5c0
> > [  575.049429][T27935]  pci_iov_add_virtfn+0x2f2/0x3e0
> > [  575.054326][T27935]  sriov_add_vfs+0x33/0x70
> > [  575.058613][T27935]  sriov_enable+0x2fc/0x490
> > [  575.062992][T27935]  vfio_pci_core_sriov_configure+0x16c/0x210
> > [  575.068843][T27935]  sriov_numvfs_store+0xc4/0x190
> > [  575.073652][T27935]  kernfs_fop_write_iter+0xfe/0x180
> > [  575.078724][T27935]  vfs_write+0x2d0/0x430
> > [  575.082846][T27935]  ksys_write+0x7f/0x100
> > [  575.086965][T27935]  do_syscall_64+0x6f/0x940
> > [  575.091339][T27935]  ? arch_exit_to_user_mode_prepare+0x9/0xb0
> > [  575.097193][T27935]  entry_SYSCALL_64_after_hwframe+0x76/0x7e

I think this is a use-after-free.

The VF used in this test matches quirk_intel_e2000_no_ats() which means
that ATS gets disabled (pdev->ats_cap = 0) via quirk after the device is
set up.

 drivers/pci/quirks.c:

 5651 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x1457, quirk_intel_e2000_no_ats);

The issue is that this quirk is applied only after the Intel IOMMU
driver has already been notified about the device.

So during intel_iommu_probe_device(), the Intel IOMMU driver sees that
ATS is enabled, and adds the device to the device rbtree:

 drivers/iommu/intel/iommu.c:

 3765 static struct iommu_device *intel_iommu_probe_device(struct device *dev)
 3766 {
 ...
 3826         if (pdev && pci_ats_supported(pdev)) {
 3827                 pci_prepare_ats(pdev, VTD_PAGE_SHIFT);
 3828                 ret = device_rbtree_insert(iommu, info);
 3829                 if (ret)
 3830                         goto free;
 3831         }
 ...
 3858 }


Then ATS is disabled via quirk:

 drivers/pci/iov.c:

 346 int pci_iov_add_virtfn(struct pci_dev *dev, int id)
 347 {
 ...
 383
 384         pci_device_add(virtfn, virtfn->bus);  <======= notifies Intel IOMMU
 385         rc = pci_iov_sysfs_link(dev, virtfn, id);
 386         if (rc)
 387                 goto failed1;
 388
 389         pci_bus_add_device(virtfn);  <==== Disables ATS via pci_fixup_final
 390
 391         return 0;
 ...
 401 }

Then later when the VF is destroyed (SR-IOV disabled on the PF), the
Intel IOMMU sees that ATS is disabled and does not remove the device
from its rbtree.

 drivers/iommu/intel/iommu.c:

 3889 static void intel_iommu_release_device(struct device *dev)
 3890 {
 ...
 3903         if (dev_is_pci(dev) && pci_ats_supported(to_pci_dev(dev)))
 3904                 device_rbtree_remove(info);
 ...
 3913         kfree(info);   <======= info is still reachable from device rbtree
 3914 }
Re: [PATCH v2 6/6] vfio: selftests: Add tests to validate SR-IOV UAPI
Posted by Raghavendra Rao Ananta 1 month, 3 weeks ago
On Wed, Dec 10, 2025 at 10:14 AM Raghavendra Rao Ananta
<rananta@google.com> wrote:
>
> +FIXTURE_SETUP(vfio_pci_sriov_uapi_test)
> +{
> +       int nr_vfs;
> +       int ret;
> +
'ret' is unused in the function. I'll remove it in v3.

Thank you.
Raghavendra