RE: [PATCH v2 0/3] vfio/cdx: Fix interrupt trigger races and consolidate MSI state
From: Agarwal, Nikhil
Date: Tue Apr 21 2026 - 07:28:20 EST
> -----Original Message-----
> From: Alex Williamson <alex.williamson@xxxxxxxxxx>
> Sent: Saturday, April 18, 2026 1:58 AM
> To: alex@xxxxxxxxxxx
> Cc: Alex Williamson <alex.williamson@xxxxxxxxxx>; ptsm@xxxxxxxxxxxxxxxxxxx;
> Gupta, Nipun <Nipun.Gupta@xxxxxxx>; Agarwal, Nikhil
> <nikhil.agarwal@xxxxxxx>; kvm@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
> Subject: [PATCH v2 0/3] vfio/cdx: Fix interrupt trigger races and consolidate MSI
> state
>
> Prasanna Kumar's original patch [1] closes a NULL-pointer dereference
> that can be triggered by userspace via VFIO_DEVICE_SET_IRQS with
> VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE before any
> VFIO_IRQ_SET_DATA_EVENTFD. Included here unchanged as patch 1/3.
>
> Review of that patch identified a race in the same code path, where
> concurrent SET_IRQS calls can potentially result in time-of-check vs
> time-of-use and use-after-free inconsistencies. Patch 2/3 adds a
> per-device cdx_irqs_lock mutex and serializes all MSI state updates
> through vfio_cdx_set_msi_trigger(), which is the single choke-point
> covering both the ioctl path and the close-device cleanup.
>
> Patch 3/3 is a non-stable cleanup that aligns vdev->cdx_irqs to NULL
> in error paths, thereby allowing removal of the now redundant
> config_msi.
>
> [1] https://lore.kernel.org/all/20260320101933.1554416-1-ptsm@xxxxxxxxxxxxxxxxxxx
>
> Alex Williamson (2):
> vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
> vfio/cdx: Consolidate MSI configured state onto cdx_irqs
>
> Prasanna Kumar T S M (1):
> vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
>
For series:
Acked-by: Nikhil Agarwal <nikhil.agarwal@xxxxxxx>
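The two bugs the cover letter describes (a NULL trigger pointer dereferenced on a DATA_BOOL/DATA_NONE request, and a check-then-use race between concurrent SET_IRQS callers and close-device teardown) are easiest to see in a small userspace model. The following C program is an added example and not the vfio/cdx driver code: it mimics the shape of the fix with a per-device mutex as the single choke-point for every trigger state change, and a NULL check before signalling. All names (cdx_model_*, struct trigger, the fake eventfd numbers) are invented for the illustration; the real driver works with eventfd contexts rather than plain integers.

```c
/* Added illustration of the cover letter's fix, not the kernel driver.
 * cdx_model_dev stands in for the per-device vfio state, irqs_lock for the
 * per-device cdx_irqs_lock mutex, and cdx_model_set_trigger() for the single
 * serialized update path used by both the ioctl and close-device paths. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum set_data { DATA_NONE, DATA_BOOL, DATA_EVENTFD };

struct trigger { int eventfd; };          /* stands in for an eventfd context */

struct cdx_model_dev {
    pthread_mutex_t irqs_lock;            /* models cdx_irqs_lock */
    struct trigger *trigger;              /* NULL until DATA_EVENTFD installs one */
    unsigned long fired;                  /* BOOL/NONE requests that signalled */
    unsigned long dropped;                /* BOOL/NONE requests refused: no trigger */
    int last_fd;                          /* eventfd read through the pointer, under lock */
};

void cdx_model_init(struct cdx_model_dev *d)
{
    memset(d, 0, sizeof *d);
    pthread_mutex_init(&d->irqs_lock, NULL);
}

/* Every MSI trigger change goes through here, so the NULL check and the
 * dereference that follows it happen under the same critical section. */
int cdx_model_set_trigger(struct cdx_model_dev *d, enum set_data kind, int fd)
{
    int ret = 0;

    pthread_mutex_lock(&d->irqs_lock);
    switch (kind) {
    case DATA_EVENTFD:
        free(d->trigger);                 /* drop the old trigger, if any */
        d->trigger = NULL;
        if (fd >= 0) {                    /* fd < 0 means "tear down" */
            struct trigger *t = calloc(1, sizeof *t);
            if (!t) { ret = -ENOMEM; break; }
            t->eventfd = fd;
            d->trigger = t;
        }
        break;
    case DATA_BOOL:
    case DATA_NONE:
        /* Patch 1/3 in the model: refuse to signal when no eventfd is set,
         * instead of dereferencing a NULL pointer. */
        if (!d->trigger) { d->dropped++; ret = -EINVAL; break; }
        d->last_fd = d->trigger->eventfd; /* safe: teardown cannot interleave here */
        d->fired++;
        break;
    }
    pthread_mutex_unlock(&d->irqs_lock);
    return ret;
}

/* Close-device cleanup uses the same choke-point instead of freeing directly. */
void cdx_model_close(struct cdx_model_dev *d)
{
    cdx_model_set_trigger(d, DATA_EVENTFD, -1);
}

/* Single-threaded walk through the NULL-trigger case; returns the number of
 * steps that behaved as intended (5 when all do). */
int cdx_model_sequence(void)
{
    struct cdx_model_dev d;
    int passed = 0;

    cdx_model_init(&d);
    passed += cdx_model_set_trigger(&d, DATA_BOOL, 0) == -EINVAL;   /* before any EVENTFD */
    passed += cdx_model_set_trigger(&d, DATA_EVENTFD, 5) == 0;
    passed += cdx_model_set_trigger(&d, DATA_BOOL, 0) == 0 && d.fired == 1 && d.last_fd == 5;
    cdx_model_close(&d);
    passed += d.trigger == NULL;
    passed += cdx_model_set_trigger(&d, DATA_NONE, 0) == -EINVAL && d.dropped == 2;
    pthread_mutex_destroy(&d.irqs_lock);
    return passed;
}

struct worker_arg { struct cdx_model_dev *d; int iters; bool flipper; };

/* One thread hammers BOOL triggers while the other installs and tears down
 * the eventfd, the interleaving that races without the lock. */
static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iters; i++) {
        if (a->flipper)
            cdx_model_set_trigger(a->d, DATA_EVENTFD, (i & 1) ? -1 : 7);
        else
            cdx_model_set_trigger(a->d, DATA_BOOL, 0);
    }
    return NULL;
}

/* Returns 0 when the run stays consistent: every BOOL request was either
 * signalled or cleanly refused, and close left no trigger behind. */
int cdx_model_stress(int iters)
{
    struct cdx_model_dev d;
    pthread_t t[2];
    struct worker_arg a[2] = { { &d, iters, false }, { &d, iters, true } };
    bool ok;

    cdx_model_init(&d);
    for (int i = 0; i < 2; i++)
        if (pthread_create(&t[i], NULL, worker, &a[i]))
            return -1;
    for (int i = 0; i < 2; i++)
        pthread_join(t[i], NULL);
    cdx_model_close(&d);
    ok = d.trigger == NULL && d.fired + d.dropped == (unsigned long)iters;
    pthread_mutex_destroy(&d.irqs_lock);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("sequence: %d/5 steps ok, stress: %s\n", cdx_model_sequence(),
           cdx_model_stress(20000) == 0 ? "consistent" : "INCONSISTENT");
    return 0;
}
```

Running the stress function under a sanitizer (for example, building with -fsanitize=thread) and then deleting the lock/unlock pair is a quick way to see why the mutex is needed: the NULL check and the dereference in the BOOL path stop being atomic with respect to the teardown in the EVENTFD path, which is the check-vs-use and use-after-free pattern the cover letter describes.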