CVE-2024-26813

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vfio/platform: Create persistent IRQ handlers<br /> <br /> The vfio-platform SET_IRQS ioctl currently allows loopback triggering of<br /> an interrupt before a signaling eventfd has been configured by the user,<br /> which thereby allows a NULL pointer dereference.<br /> <br /> Rather than register the IRQ relative to a valid trigger, register all<br /> IRQs in a disabled state in the device open path. This allows mask<br /> operations on the IRQ to nest within the overall enable state governed<br /> by a valid eventfd signal. This decouples @masked, protected by the<br /> @locked spinlock from @trigger, protected via the @igate mutex.<br /> <br /> In doing so, it&amp;#39;s guaranteed that changes to @trigger cannot race the<br /> IRQ handlers because the IRQ handler is synchronously disabled before<br /> modifying the trigger, and loopback triggering of the IRQ via ioctl is<br /> safe due to serialization with trigger changes via igate.<br /> <br /> For compatibility, request_irq() failures are maintained to be local to<br /> the SET_IRQS ioctl rather than a fatal error in the open device path.<br /> This allows, for example, a userspace driver with polling mode support<br /> to continue to work regardless of moving the request_irq() call site.<br /> This necessarily blocks all SET_IRQS access to the failed index.