## Host environment - Operating system: Any - OS/kernel version: Any - Architecture: Any - QEMU flavor: qemu-system - QEMU version:QEMU emulator version 7.0.0 (v6.2.0-3146-g7e0e865ad5-dirty) ## Emulated/Virtualized environment - Architecture: TCG-based ## Description of problem When a TCG cpu accesses an unmapped page within an IOMMU region that causes a translation fault, QEMU SIGSEGVs in `io_readx`. The reason was that in `address_space_translate_for_iotlb`, `xlat` is not set on a permission fault. As a result, `xlat` in `tlb_set_page_with_attr` is uninitialized. This in turn causes various mis-calculation and eventually crashes in `io_readx`. ## Suggested fix I would suggest setting `*xlat = addr` before the for loop in `address_space_translate_for_iotlb` so that if the translation fail, we can still have a guest error log that shows a meaningful address. <!-- The line below ensures that proper tags are added to the issue. Please do not remove it. -->