[PATCH] vfio/pci: sanitize bogus INTx interrupt pin values

From: Christos Longros

Date: Sat Mar 28 2026 - 18:01:17 EST


Some PCI devices report invalid interrupt pin values in config space
(e.g., 0xFF instead of the valid range 0-4). The VFIO PCI config
virtualization layer passes these values through to userspace, causing
QEMU to crash with an assertion failure in pci_irq_handler() when it
computes irq_num = pin - 1, which exceeds PCI_NUM_PINS (4).

The existing code already handles bogus VF interrupt pins (set to 0
per SR-IOV spec §3.4.1.18), but physical functions with out-of-range
pin values are not caught. Extend the condition that clears the
virtualized interrupt pin to also cover values outside 1-4.

Observed on Realtek RTL8852CE (10ec:c852) which reports interrupt pin
0xFF in hardware config space.

Signed-off-by: Christos Longros <chris.longros@xxxxxxxxx>
---
drivers/vfio/pci/vfio_pci_config.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index b4e39253f..ed75c1cc3 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1829,8 +1829,17 @@ int vfio_config_init(struct vfio_pci_core_device *vdev)
cpu_to_le16(PCI_COMMAND_MEMORY);
}

+ /*
+ * Sanitize bogus interrupt pin values. Valid pins are 1 (INTA)
+ * through 4 (INTD); anything else disables legacy interrupts.
+ */
+ if (vconfig[PCI_INTERRUPT_PIN] > 4)
+ pci_info(pdev, "Bogus INTx pin %d, disabling INTx virtualization\n",
+ vconfig[PCI_INTERRUPT_PIN]);
+
if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) || vdev->nointx ||
- !vdev->pdev->irq || vdev->pdev->irq == IRQ_NOTCONNECTED)
+ !vdev->pdev->irq || vdev->pdev->irq == IRQ_NOTCONNECTED ||
+ vconfig[PCI_INTERRUPT_PIN] > 4)
vconfig[PCI_INTERRUPT_PIN] = 0;

ret = vfio_cap_init(vdev);
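Review bot: The new condition `vconfig[PCI_INTERRUPT_PIN] > 4` and the comment above it do not say quite the same thing: the comment states that "anything else" outside 1 (INTA) to 4 (INTD) disables legacy interrupts, but a value of 0 is left alone, which is correct because 0 already means "no INTx pin" (it is also what the VF path writes). Rewording the comment, and the commit message's "outside 1-4", to "values above 4" would keep the explanation and the check in agreement. Two smaller points in the same hunk: the `pci_info()` is emitted for every bogus pin, including devices where INTx is already being disabled by the preceding checks (`vdev->nointx`, no irq, CONFIG_VFIO_PCI_INTX off), so it may be worth reading the pin once into a local (`u8 pin = vconfig[PCI_INTERRUPT_PIN];`) and using it for both the message and the condition, and printing it with `%#x` rather than `%d` so the log shows the value the way the commit message describes it (0xFF).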
--
2.53.0