[PATCH v2 0/3] vfio/cdx: Fix interrupt trigger races and consolidate MSI state

Alex Williamson posted 3 patches 1 month, 4 weeks ago
drivers/vfio/cdx/intr.c    | 38 ++++++++++++++++++--------------------
drivers/vfio/cdx/main.c    | 19 +++++++++++++++++++
drivers/vfio/cdx/private.h |  4 +++-
3 files changed, 40 insertions(+), 21 deletions(-)
Prasanna Kumar's original patch [1] closes a NULL-pointer dereference
that can be triggered by userspace via VFIO_DEVICE_SET_IRQS with
VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE before any
VFIO_IRQ_SET_DATA_EVENTFD.  Included here unchanged as patch 1/3.

Review of that patch identified a race in the same code path, where
concurrent SET_IRQS calls can potentially result in time-of-check vs
time-of-use and use-after-free inconsistencies.  Patch 2/3 adds a
per-device cdx_irqs_lock mutex and serializes all MSI state updates
through vfio_cdx_set_msi_trigger(), which is the single choke-point
covering both the ioctl path and the close-device cleanup.

Patch 3/3 is a non-stable cleanup that aligns vdev->cdx_irqs to NULL
in error paths, thereby allowing removal of the now redundant
config_msi.

[1] https://lore.kernel.org/all/20260320101933.1554416-1-ptsm@linux.microsoft.com

Alex Williamson (2):
  vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
  vfio/cdx: Consolidate MSI configured state onto cdx_irqs

Prasanna Kumar T S M (1):
  vfio/cdx: Fix NULL pointer dereference in interrupt trigger path


-- 
2.51.0