From: Christos Longros <chris.longros@gmail.com>
To: Alex Williamson <alex@shazbot.org>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Christos Longros <chris.longros@gmail.com>
Subject: [PATCH] vfio/pci: sanitize bogus INTx interrupt pin values
Date: Sat, 28 Mar 2026 22:58:08 +0100
Message-ID: <20260328215808.16108-1-chris.longros@gmail.com>

Some PCI devices report invalid interrupt pin values in config space
(e.g., 0xFF instead of the valid range 0-4). The VFIO PCI config
virtualization layer passes these values through to userspace, causing
QEMU to crash with an assertion failure in pci_irq_handler() when it
computes irq_num = pin - 1, which exceeds PCI_NUM_PINS (4).

The existing code already handles bogus VF interrupt pins (set to 0
per SR-IOV spec §3.4.1.18), but physical functions with out-of-range
pin values are not caught. Extend the condition that clears the
virtualized interrupt pin to also cover values outside 1-4.

Observed on Realtek RTL8852CE (10ec:c852) which reports interrupt pin
0xFF in hardware config space.

Signed-off-by: Christos Longros <chris.longros@gmail.com>
---
drivers/vfio/pci/vfio_pci_config.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index b4e39253f..ed75c1cc3 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1829,8 +1829,17 @@ int vfio_config_init(struct vfio_pci_core_device *vdev)
cpu_to_le16(PCI_COMMAND_MEMORY);
}
+ /*
+ * Sanitize bogus interrupt pin values. Valid pins are 1 (INTA)
+ * through 4 (INTD); anything else disables legacy interrupts.
+ */
+ if (vconfig[PCI_INTERRUPT_PIN] > 4)
+ pci_info(pdev, "Bogus INTx pin %d, disabling INTx virtualization\n",
+ vconfig[PCI_INTERRUPT_PIN]);
+
if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) || vdev->nointx ||
- !vdev->pdev->irq || vdev->pdev->irq == IRQ_NOTCONNECTED)
+ !vdev->pdev->irq || vdev->pdev->irq == IRQ_NOTCONNECTED ||
+ vconfig[PCI_INTERRUPT_PIN] > 4)
vconfig[PCI_INTERRUPT_PIN] = 0;
ret = vfio_cap_init(vdev);
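Review bot: The bound `vconfig[PCI_INTERRUPT_PIN] > 4` is now written twice with a bare 4, once in the new `if` that logs and once in the extended clearing condition, so the two tests can drift apart. Evaluating it once into a local, or logging from inside the branch that clears the pin, and giving the limit a name would keep them in step. The `pci_info()` call spans three lines under an unbraced `if`, which reads better with braces, and printing the pin as `0x%02x` instead of `%d` would match how the value is quoted from config space (0xFF in the commit message). As written, the message also fires when the pin would be cleared anyway for another reason in the same condition, such as `vdev->nointx`, in which case "disabling INTx virtualization" is not attributable to the bogus pin.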
--
2.53.0