I have found a bug in the file virt/kvm/assigned-device.c

    /* Don't allow bridges to be assigned */
    pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type);
    if ((header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) {
        r = -EPERM;
        goto out_put;
    }

This code doesn't check that the device is a PCI bridge.
In my case header_type is 1, the default value for a PCI bridge.
PCI_HEADER_TYPE is 14 (0xE)
PCI_HEADER_TYPE_NORMAL is 0
So, 1 & 0xE == 0, thus KVM assigns the pci-bridge device to the VM successfully.
(In reply to comment #0)
> So, 1 & 0xE == 0 thus KVM assigns pci-bridge device to VM successfully.

Have you found this to be true in practice? The test here is clearly wrong, but immediately after this we test pci-sysfs resource permissions. We only test standard device resources, as we're not expecting a bridge to get through, but I believe those should all be zero for a bridge, which will result in denying assignment of the device because it has no resources. If you have a pci-bridge that actually makes it through that test, please include lspci -vvv for it here.

Thanks
Follow-up; I guess a bridge implementing BARs is not that unique. Many bridges do not have BARs, which should be rejected from assignment outright. Those with BARs will still fall into the requirement that the user will require permission to the pci-sysfs resource files, so a privileged entity still has to grant access to the device. Let me know if you find differently. Thanks
A patch referencing this bug report has been merged in Linux v3.5-rc4:

commit f961f72836eb6c0fd76201f6f6b2fafff93c4cea
Author: Jan Kiszka <jan.kiszka@siemens.com>
Date:   Fri Jun 15 07:56:20 2012 -0600

    KVM: Fix PCI header check on device assignment
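
The check quoted in comment #0, set beside a check that masks the layout bits of the header type byte, as an added example (not code from this thread and not the merged commit). The first three constants match the kernel's pci_regs.h; HDR_LAYOUT_MASK and the function names are hypothetical names chosen for this example, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PCI_HEADER_TYPE         0x0e  /* config-space register offset, not a bit mask */
#define PCI_HEADER_TYPE_NORMAL  0
#define PCI_HEADER_TYPE_BRIDGE  1

/* Hypothetical name: bits 6:0 hold the header layout, bit 7 is the multi-function flag */
#define HDR_LAYOUT_MASK         0x7f

/* The test as quoted in comment #0: returns 1 when assignment would proceed. */
static int reported_check_accepts(uint8_t header_type)
{
    return (header_type & PCI_HEADER_TYPE) == PCI_HEADER_TYPE_NORMAL;
}

/* Compares only the layout field, ignoring the multi-function flag. */
static int masked_check_accepts(uint8_t header_type)
{
    return (header_type & HDR_LAYOUT_MASK) == PCI_HEADER_TYPE_NORMAL;
}

/* Number of header-type bytes the quoted test lets through although
 * their layout field is not "normal". */
static int count_wrongly_accepted(void)
{
    int n = 0;
    for (int h = 0; h <= 0xff; h++)
        if (reported_check_accepts((uint8_t)h) && !masked_check_accepts((uint8_t)h))
            n++;
    return n;
}

int main(void)
{
    /* Constructed samples: normal, bridge, CardBus, multi-function normal,
     * multi-function bridge. */
    static const uint8_t samples[] = { 0x00, 0x01, 0x02, 0x80, 0x81 };

    for (size_t i = 0; i < sizeof samples; i++)
        printf("header_type=0x%02x  quoted test accepts=%d  masked test accepts=%d\n",
               samples[i], reported_check_accepts(samples[i]),
               masked_check_accepts(samples[i]));
    printf("wrongly accepted: %d of 256 byte values\n", count_wrongly_accepted());
    return 0;
}
```

The quoted test only looks at bits 1 to 3, so it still rejects a CardBus header (2) but not a bridge header (1), with or without the multi-function flag set.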