CVE-2024-26812

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 05/04/2024
Last modified: 18/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Create persistent INTx handler

A vulnerability exists where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET_IRQS ioctl or through unmask irqfd if the device interrupt is pending.

Ideally this could be solved with some additional locking; the igate mutex serializes the ioctl and config space accesses, and the interrupt handler is unregistered relative to the trigger, but the irqfd path runs asynchronous to those. The igate mutex cannot be acquired from the atomic context of the eventfd wake function. Disabling the irqfd relative to the eventfd registration is potentially incompatible with existing userspace.

As a result, the solution implemented here moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq_type configuration, rather than registration of a particular trigger eventfd. Synchronization is added between the ioctl path and eventfd_signal() wrapper such that the eventfd trigger can be dynamically updated relative to in-flight interrupts or irqfd callbacks.

Vulnerable products and versions

CPE                                               From             Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      3.6 (including)  6.1.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)  6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)  6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.8 (including)  6.8.3 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*  -                -
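As an added example, not part of this record, the following Python check matches an upstream kernel version string against the four affected linux_kernel ranges listed above (lower bound inclusive, upper bound exclusive), which is the comparison an inventory or patch-tracking script would make for this CVE.

```python
from typing import Optional, Tuple

# Affected upstream linux_kernel ranges copied from the table above:
# (from, inclusive) .. (up to, exclusive). The debian_linux CPE has no
# version range on the record and is deliberately not modelled here.
AFFECTED_RANGES = [
    ("3.6", "6.1.84"),
    ("6.2", "6.6.24"),
    ("6.7", "6.7.12"),
    ("6.8", "6.8.3"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.1.84' into (6, 1, 84). A '-rc1' or '-amd64' style suffix is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Numeric compare with zero padding, so '6.2' and '6.2.0' are equal."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (from, up_to) range that contains `version`, or None."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if compare(v, parse_version(low)) >= 0 and compare(v, parse_version(high)) < 0:
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    """True when the upstream kernel version falls inside an affected range."""
    return affected_range(version) is not None
```

Distribution kernels backport fixes without changing the `uname -r` base version, so a match here only says the upstream version is in range; the distribution's own advisory or changelog decides whether the fix is present.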