From: Alex Williamson
CC: Prasanna Kumar T S M, Alex Williamson
Subject: [PATCH v2 1/3] vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
Date: Fri, 17 Apr 2026 14:27:56 -0600
Message-ID: <20260417202800.88287-2-alex.williamson@nvidia.com>
In-Reply-To: <20260417202800.88287-1-alex.williamson@nvidia.com>
References: <20260417202800.88287-1-alex.williamson@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Prasanna Kumar T S M

Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.

The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering.

This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.

Fixes: 848e447e000c ("vfio/cdx: add interrupt support")
Cc: stable@vger.kernel.org
Signed-off-by: Prasanna Kumar T S M
Acked-by: Nipun Gupta
Signed-off-by: Alex Williamson
--- drivers/vfio/cdx/intr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/vfio/cdx/intr.c b/drivers/vfio/cdx/intr.c index 8f4402cec9c5..c0eed065e8ef 100644 --- a/drivers/vfio/cdx/intr.c +++ b/drivers/vfio/cdx/intr.c 
@@ -175,6 +175,10 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_de= vice *vdev, return ret; } =20 + /* Ensure MSI is configured before accessing cdx_irqs */ + if (!vdev->config_msi) + return -EINVAL; + for (i =3D start; i < start + count; i++) { if (!vdev->cdx_irqs[i].trigger) continue; --=20 2.51.0
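
Review bot: the new !vdev->config_msi test ahead of the "for (i = start; i < start + count; i++)" loop is a check-then-use on state that nothing in this hunk serializes, so it closes the never-configured ordering case from the commit message but not a VFIO_DEVICE_SET_IRQS call that tears MSI down between the test and the vdev->cdx_irqs[i].trigger read. Since this patch carries Cc: stable on its own, consider saying in the commit message that the concurrent case depends on the locking added in 2/3, so that backporters take both.
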
From: Alex Williamson
CC: Alex Williamson
Subject: [PATCH v2 2/3] vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
Date: Fri, 17 Apr 2026 14:27:57 -0600
Message-ID: <20260417202800.88287-3-alex.williamson@nvidia.com>
In-Reply-To: <20260417202800.88287-1-alex.williamson@nvidia.com>
References: <20260417202800.88287-1-alex.williamson@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array.

Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations.

Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.

Fixes: 848e447e000c ("vfio/cdx: add interrupt support")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Alex Williamson --- drivers/vfio/cdx/intr.c | 9 ++------- drivers/vfio/cdx/main.c | 19 +++++++++++++++++++ drivers/vfio/cdx/private.h | 3 +++ 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/drivers/vfio/cdx/intr.c b/drivers/vfio/cdx/intr.c index c0eed065e8ef..6dfe0ced3bdd 100644 --- a/drivers/vfio/cdx/intr.c +++ b/drivers/vfio/cdx/intr.c @@ -152,6 +152,8 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_dev= ice *vdev, if (start + count > cdx_dev->num_msi) return -EINVAL; =20 + guard(mutex)(&vdev->cdx_irqs_lock); + if (!count && (flags & VFIO_IRQ_SET_DATA_NONE)) { vfio_cdx_msi_disable(vdev); return 0; @@ -210,12 +212,5 @@ int vfio_cdx_set_irqs_ioctl(struct vfio_cdx_device *vd= ev, /* Free All IRQs for the given device */ void vfio_cdx_irqs_cleanup(struct vfio_cdx_device *vdev) { - /* - * Device does not support any interrupt or the interrupts - * were not configured - */ - if (!vdev->cdx_irqs) - return; - vfio_cdx_set_msi_trigger(vdev, 0, 0, 0, VFIO_IRQ_SET_DATA_NONE, NULL); } diff --git a/drivers/vfio/cdx/main.c b/drivers/vfio/cdx/main.c index 8ab97405b2bd..b31ed4be7bdc 100644 --- a/drivers/vfio/cdx/main.c +++ b/drivers/vfio/cdx/main.c @@ -8,6 +8,23 @@ =20 #include "private.h" =20 +static int vfio_cdx_init_dev(struct vfio_device *core_vdev) +{ + struct vfio_cdx_device *vdev =3D + container_of(core_vdev, struct vfio_cdx_device, vdev); + + mutex_init(&vdev->cdx_irqs_lock); + return 0; +} + +static void vfio_cdx_release_dev(struct vfio_device *core_vdev) +{ + struct vfio_cdx_device *vdev =3D + container_of(core_vdev, struct vfio_cdx_device, vdev); + + mutex_destroy(&vdev->cdx_irqs_lock); +} + static int vfio_cdx_open_device(struct vfio_device *core_vdev) { struct vfio_cdx_device *vdev =3D 
@@ -273,6 +290,8 @@ static int vfio_cdx_mmap(struct vfio_device *core_vdev, =20 static const struct vfio_device_ops vfio_cdx_ops =3D { .name =3D "vfio-cdx", + .init =3D vfio_cdx_init_dev, + .release =3D vfio_cdx_release_dev, .open_device =3D vfio_cdx_open_device, .close_device =3D vfio_cdx_close_device, .ioctl =3D vfio_cdx_ioctl, diff --git a/drivers/vfio/cdx/private.h b/drivers/vfio/cdx/private.h index 172e48caa3a0..94374b5fc989 100644 --- a/drivers/vfio/cdx/private.h +++ b/drivers/vfio/cdx/private.h @@ -6,6 +6,8 @@ #ifndef VFIO_CDX_PRIVATE_H #define VFIO_CDX_PRIVATE_H =20 +#include + #define VFIO_CDX_OFFSET_SHIFT 40 =20 static inline u64 vfio_cdx_index_to_offset(u32 index) 
@@ -31,6 +33,7 @@ struct vfio_cdx_region { struct vfio_cdx_device { struct vfio_device vdev; struct vfio_cdx_region *regions; + struct mutex cdx_irqs_lock; struct vfio_cdx_irq *cdx_irqs; u32 flags; #define BME_SUPPORT BIT(0) --=20 2.51.0
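
Review bot: in the vfio_cdx_set_msi_trigger() hunk at -152, the locking rule is expressed only by the single guard(mutex)(&vdev->cdx_irqs_lock) line, while the helpers that actually touch cdx_irqs and msi_count (vfio_cdx_msi_enable(), vfio_cdx_msi_disable(), vfio_cdx_msi_set_block()) carry nothing that enforces it. Adding lockdep_assert_held(&vdev->cdx_irqs_lock) at the top of those helpers would turn the "single chokepoint" statement in the commit message into something a future caller cannot silently break.
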
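
Review bot: the private.h hunk adds "struct mutex cdx_irqs_lock;" to struct vfio_cdx_device with no comment naming what it protects. A one-line comment on the field listing cdx_irqs, msi_count and config_msi would document the rule at the place where the next MSI-related field is likely to be added.
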
From: Alex Williamson
CC: Alex Williamson
Subject: [PATCH v2 3/3] vfio/cdx: Consolidate MSI configured state onto cdx_irqs
Date: Fri, 17 Apr 2026 14:27:58 -0600
Message-ID: <20260417202800.88287-4-alex.williamson@nvidia.com>
In-Reply-To: <20260417202800.88287-1-alex.williamson@nvidia.com>
References: <20260417202800.88287-1-alex.williamson@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

struct vfio_cdx_device carries three fields that track whether MSI has been configured: vdev->cdx_irqs (the allocated vector array), vdev->msi_count (the array length), and vdev->config_msi (a boolean flag). The three are set together when vfio_cdx_msi_enable() succeeds and cleared together by vfio_cdx_msi_disable().

However, the error paths in vfio_cdx_msi_enable() free the cdx_irqs allocation on failure without resetting the pointer, leaving it stale and skewed from the other two fields until the next enable call overwrites it.

Clear vdev->cdx_irqs to NULL alongside the kfree() in both error paths so the pointer consistently reflects the configured state.

With that invariant restored and access to the MSI state serialized by cdx_irqs_lock, vdev->config_msi is fully redundant with (vdev->cdx_irqs != NULL). Drop the config_msi field and switch all readers to test cdx_irqs directly.

Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Alex Williamson
--- drivers/vfio/cdx/intr.c | 29 ++++++++++++++--------------- drivers/vfio/cdx/private.h | 1 - 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/drivers/vfio/cdx/intr.c b/drivers/vfio/cdx/intr.c index 6dfe0ced3bdd..4439481fe633 100644 --- a/drivers/vfio/cdx/intr.c +++ b/drivers/vfio/cdx/intr.c 
@@ -32,26 +32,27 @@ static int vfio_cdx_msi_enable(struct vfio_cdx_device *= vdev, int nvec) return -ENOMEM; =20 ret =3D cdx_enable_msi(cdx_dev); - if (ret) { - kfree(vdev->cdx_irqs); - return ret; - } + if (ret) + goto err_free; =20 /* Allocate cdx MSIs */ ret =3D msi_domain_alloc_irqs(dev, MSI_DEFAULT_DOMAIN, nvec); - if (ret) { - cdx_disable_msi(cdx_dev); - kfree(vdev->cdx_irqs); - return ret; - } + if (ret) + goto err_disable; =20 for (msi_idx =3D 0; msi_idx < nvec; msi_idx++) vdev->cdx_irqs[msi_idx].irq_no =3D msi_get_virq(dev, msi_idx); =20 vdev->msi_count =3D nvec; - vdev->config_msi =3D 1; =20 return 0; + +err_disable: + cdx_disable_msi(cdx_dev); +err_free: + kfree(vdev->cdx_irqs); + vdev->cdx_irqs =3D NULL; + return ret; } =20 static int vfio_cdx_msi_set_vector_signal(struct vfio_cdx_device *vdev, @@ -129,7 +130,7 @@ static void vfio_cdx_msi_disable(struct vfio_cdx_device= *vdev) =20 vfio_cdx_msi_set_block(vdev, 0, vdev->msi_count, NULL); =20 - if (!vdev->config_msi) + if (!vdev->cdx_irqs) return; =20 msi_domain_free_irqs_all(dev, MSI_DEFAULT_DOMAIN); @@ -138,7 +139,6 @@ static void vfio_cdx_msi_disable(struct vfio_cdx_device= *vdev) =20 vdev->cdx_irqs =3D NULL; vdev->msi_count =3D 0; - vdev->config_msi =3D 0; } =20 static int vfio_cdx_set_msi_trigger(struct vfio_cdx_device *vdev, @@ -163,7 +163,7 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_dev= ice *vdev, s32 *fds =3D data; int ret; =20 - if (vdev->config_msi) + if (vdev->cdx_irqs) return vfio_cdx_msi_set_block(vdev, start, count, fds); ret =3D vfio_cdx_msi_enable(vdev, cdx_dev->num_msi); @@ -177,8 +177,7 @@ static int vfio_cdx_set_msi_trigger(struct vfio_cdx_dev= ice *vdev, return ret; } =20 - /* Ensure MSI is configured before accessing cdx_irqs */ - if (!vdev->config_msi) + if (!vdev->cdx_irqs) return -EINVAL; =20 for (i =3D start; i < start + count; i++) { diff --git a/drivers/vfio/cdx/private.h b/drivers/vfio/cdx/private.h index 94374b5fc989..4c00bf633356 100644 
--- a/drivers/vfio/cdx/private.h +++ b/drivers/vfio/cdx/private.h @@ -38,7 +38,6 @@ struct vfio_cdx_device { u32 flags; #define BME_SUPPORT BIT(0) u32 msi_count; - u8 config_msi; }; =20 #ifdef CONFIG_GENERIC_MSI_IRQ --=20 2.51.0
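
Review bot: the err_free path in the vfio_cdx_msi_enable() hunk (kfree(vdev->cdx_irqs) followed by "vdev->cdx_irqs = NULL;") is described in the commit message as fixing a stale pointer, yet it is bundled with the config_msi removal and the patch carries no Fixes: or Cc: stable tag, unlike 1/3 and 2/3. If the stale pointer matters on stable trees, splitting the NULL assignment into its own tagged patch would let it be backported without the field removal; if it does not, a sentence saying so would help.
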
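
Review bot: in the vfio_cdx_msi_disable() hunk at -129, the new "if (!vdev->cdx_irqs) return;" still sits after vfio_cdx_msi_set_block(vdev, 0, vdev->msi_count, NULL), so the unconfigured path relies on msi_count being 0 whenever cdx_irqs is NULL. Now that cdx_irqs is the only configured-state indicator, moving the NULL test above the set_block call, or documenting the msi_count invariant next to it, would remove the dependence on that second invariant.
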