From: Christos Longros
To: Alex Williamson
Cc: Cédric Le Goater, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Christos Longros
Subject: [PATCH v2] vfio/pci: sanitize bogus INTx interrupt pin values
Date: Sun, 29 Mar 2026 00:01:26 +0100
Message-ID: <20260328230126.73230-1-chris.longros@gmail.com>
In-Reply-To: <20260328215808.16108-1-chris.longros@gmail.com>

Some PCI devices may report out-of-range interrupt pin values in
config space (e.g., 0xFF when the device is in an error state). The
VFIO PCI config virtualization layer passes these values through to
userspace, causing QEMU to crash with an assertion failure in
pci_irq_handler() when it computes irq_num = pin - 1, which exceeds
PCI_NUM_PINS (4).

The existing code already handles bogus VF interrupt pins (set to 0
per SR-IOV spec 3.4.1.18), but physical functions with out-of-range
pin values are not caught. Extend the condition that clears the
virtualized interrupt pin to also cover values outside 1-4.

Signed-off-by: Christos Longros --- drivers/vfio/pci/vfio_pci_config.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci= _config.c index b4e39253f..ed75c1cc3 100644 --- a/drivers/vfio/pci/vfio_pci_config.c +++ b/drivers/vfio/pci/vfio_pci_config.c @@ -1829,8 +1829,17 @@ int vfio_config_init(struct vfio_pci_core_device *vd= ev) cpu_to_le16(PCI_COMMAND_MEMORY); } =20 + /* + * Sanitize bogus interrupt pin values. Valid pins are 1 (INTA) + * through 4 (INTD); anything else disables legacy interrupts. + */ + if (vconfig[PCI_INTERRUPT_PIN] > 4) + pci_info(pdev, "Bogus INTx pin %d, disabling INTx virtualization\n", + vconfig[PCI_INTERRUPT_PIN]); + if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) || vdev->nointx || - !vdev->pdev->irq || vdev->pdev->irq =3D=3D IRQ_NOTCONNECTED) + !vdev->pdev->irq || vdev->pdev->irq =3D=3D IRQ_NOTCONNECTED || + vconfig[PCI_INTERRUPT_PIN] > 4) vconfig[PCI_INTERRUPT_PIN] =3D 0; =20 ret =3D vfio_cap_init(vdev); --=20 2.53.0
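Review bot: The range test vconfig[PCI_INTERRUPT_PIN] > 4 is written twice in vfio_config_init(), once guarding the new pci_info() and once as the last term of the extended condition, each time with a bare 4. Evaluating it once into a local, or comparing against a named constant for the highest valid pin, would keep the two copies from drifting apart. Because the pci_info() sits ahead of the combined condition, it also reports "disabling INTx virtualization" for a device whose pin would be cleared anyway by the CONFIG_VFIO_PCI_INTX, nointx, !irq or IRQ_NOTCONNECTED terms; wording the message around the bogus pin being ignored would stay accurate in both cases. The value is printed with %d; since the commit message's example is 0xFF, %#x would make the log line match what a reader sees in config space. The added call passes pdev while the unchanged lines spell it vdev->pdev, so using one form throughout the block would read more consistently.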