[PATCH v2 0/3] vfio/cdx: Fix interrupt trigger races and consolidate MSI state

Next message: Alex Williamson: "[PATCH v2 1/3] vfio/cdx: Fix NULL pointer dereference in interrupt trigger path"
Previous message: Krister Johansen: "Re: [PATCH] Drivers: hv: vmbus: Improve the logc of reserving fb_mmio on Gen2 VMs"
Next in thread: Alex Williamson: "[PATCH v2 1/3] vfio/cdx: Fix NULL pointer dereference in interrupt trigger path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alex Williamson

Date: Fri Apr 17 2026 - 16:28:49 EST

Prasanna Kumar's original patch [1] closes a NULL-pointer dereference
that can be triggered by userspace via VFIO_DEVICE_SET_IRQS with
VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE before any
VFIO_IRQ_SET_DATA_EVENTFD. Included here unchanged as patch 1/3.

Review of that patch identified a race in the same code path, where
concurrent SET_IRQS calls can potentially result in time-of-check vs
time-of-use and use-after-free inconsistencies. Patch 2/3 adds a
per-device cdx_irqs_lock mutex and serializes all MSI state updates
through vfio_cdx_set_msi_trigger(), which is the single choke-point
covering both the ioctl path and the close-device cleanup.

Patch 3/3 is a non-stable cleanup that aligns vdev->cdx_irqs to NULL
in error paths, thereby allowing removal of the now redundant
config_msi.

[1] https://lore.kernel.org/all/20260320101933.1554416-1-ptsm@xxxxxxxxxxxxxxxxxxx

Alex Williamson (2):
vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
vfio/cdx: Consolidate MSI configured state onto cdx_irqs

Prasanna Kumar T S M (1):
vfio/cdx: Fix NULL pointer dereference in interrupt trigger path

drivers/vfio/cdx/intr.c | 38 ++++++++++++++++++--------------------
drivers/vfio/cdx/main.c | 19 +++++++++++++++++++
drivers/vfio/cdx/private.h | 4 +++-
3 files changed, 40 insertions(+), 21 deletions(-)

--
2.51.0