PT-2026-43903 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-46036

Severity: None. No severity ratings or metrics are available yet; the corresponding information on this page will be updated when they are.
In the Linux kernel, the following vulnerability has been resolved:
vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array.
Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations.
Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect.
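The following is an added userspace model of the race and of the fix described in the commit message above; it is not the kernel's vfio/cdx code. The field names (config_msi, cdx_irqs, msi_count, cdx_irqs_lock) follow the commit message, but the struct layouts, the enum of operations, the tracked allocation that stands in for the kfree'd array, and the thread workers are all constructed for illustration. Freed state is quarantined rather than returned to the heap so that a use-after-free is counted instead of being undefined behaviour; the pre-fix path is split at the check/use window so the losing interleaving can be driven deterministically, and the fixed path is hammered from several threads to show that the lock keeps the check atomic with the action and that the cleanup path no longer needs an unsynchronized !cdx_irqs shortcut.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's cdx_irqs array. "Freeing" marks it dead and
 * leaks it on purpose, so an access through a stale pointer is counted
 * (stale_uses) rather than being undefined behaviour. Constructed model. */
struct tracked { int live; unsigned count; };
static int stale_uses;

struct vfio_cdx_device {               /* constructed; names follow the commit */
    int config_msi;                    /* set by a successful MSI enable */
    struct tracked *cdx_irqs;          /* per-vector state allocated on enable */
    unsigned msi_count;
    pthread_mutex_t cdx_irqs_lock;     /* the fix: one lock for every path below */
};

static void msi_enable(struct vfio_cdx_device *vdev, unsigned count)
{
    struct tracked *t = calloc(1, sizeof(*t));
    if (!t) abort();
    t->live = 1; t->count = count;
    vdev->cdx_irqs = t; vdev->msi_count = count; vdev->config_msi = 1;
}

static void msi_disable(struct vfio_cdx_device *vdev)
{
    if (!vdev->config_msi)             /* the early return cleanup relies on */
        return;
    vdev->config_msi = 0;
    vdev->cdx_irqs->live = 0;          /* "kfree": copies of the pointer go stale */
    vdev->cdx_irqs = NULL;
    vdev->msi_count = 0;
}

static int msi_trigger(struct tracked *irqs, unsigned index)
{
    if (!irqs->live) { stale_uses++; return -EFAULT; }   /* use-after-free */
    return index < irqs->count ? 0 : -EINVAL;
}

/* Pre-fix: the test of config_msi and the use of cdx_irqs are two
 * unsynchronized steps, modelled here as separate calls. */
static struct tracked *racy_check(struct vfio_cdx_device *vdev)
{
    return vdev->config_msi ? vdev->cdx_irqs : NULL;
}

/* Caller A sees config_msi set, caller B disables and frees, A uses. */
static int demo_race(void)
{
    struct vfio_cdx_device vdev = { 0 };
    msi_enable(&vdev, 4);
    struct tracked *seen = racy_check(&vdev);          /* A: check passes */
    msi_disable(&vdev);                                 /* B: clears and frees */
    return seen ? msi_trigger(seen, 0) : -EINVAL;       /* A: stale use, -EFAULT */
}

/* Fixed: a single chokepoint that holds cdx_irqs_lock across check + action. */
enum msi_op { MSI_ENABLE, MSI_DISABLE, MSI_TRIGGER };

static int set_msi_trigger(struct vfio_cdx_device *vdev, enum msi_op op, unsigned arg)
{
    int rc = 0;
    pthread_mutex_lock(&vdev->cdx_irqs_lock);
    switch (op) {
    case MSI_ENABLE:  if (vdev->config_msi) rc = -EBUSY; else msi_enable(vdev, arg); break;
    case MSI_DISABLE: msi_disable(vdev); break;
    case MSI_TRIGGER: rc = vdev->config_msi ? msi_trigger(vdev->cdx_irqs, arg) : -EINVAL; break;
    }
    pthread_mutex_unlock(&vdev->cdx_irqs_lock);
    return rc;
}

/* Close-device path. No "if (!vdev->cdx_irqs)" shortcut: that would read
 * lock-protected state unlocked; msi_disable()'s early return covers idle. */
static void irqs_cleanup(struct vfio_cdx_device *vdev)
{
    set_msi_trigger(vdev, MSI_DISABLE, 0);
}

struct worker { struct vfio_cdx_device *vdev; unsigned seed; int iters; };

static void *worker_fn(void *p)        /* a concurrent ioctl caller */
{
    struct worker *w = p;
    for (int i = 0; i < w->iters; i++) {
        w->seed = w->seed * 1103515245u + 12345u;           /* per-thread LCG */
        switch ((w->seed >> 16) % 3) {
        case 0:  set_msi_trigger(w->vdev, MSI_ENABLE, 4); break;
        case 1:  set_msi_trigger(w->vdev, MSI_DISABLE, 0); break;
        default: set_msi_trigger(w->vdev, MSI_TRIGGER, (w->seed >> 8) % 6); break;
        }
    }
    return NULL;
}

/* Returns stale accesses seen during the run plus leftover config_msi after
 * cleanup; 0 means every check stayed atomic with its action. */
static int stress_fixed(int nthreads, int iters)
{
    struct vfio_cdx_device vdev = { 0 };
    pthread_t th[8]; struct worker w[8];
    int before = stale_uses;
    if (nthreads > 8) nthreads = 8;
    pthread_mutex_init(&vdev.cdx_irqs_lock, NULL);
    for (int i = 0; i < nthreads; i++) {
        w[i] = (struct worker){ &vdev, 1u + (unsigned)i, iters };
        pthread_create(&th[i], NULL, worker_fn, &w[i]);
    }
    for (int i = 0; i < nthreads; i++) pthread_join(th[i], NULL);
    irqs_cleanup(&vdev);
    pthread_mutex_destroy(&vdev.cdx_irqs_lock);
    return (stale_uses - before) + vdev.config_msi;
}

int main(void)
{
    printf("racy interleaving: rc=%d stale_uses=%d\n", demo_race(), stale_uses);
    printf("serialized stress: problems=%d\n", stress_fixed(4, 5000));
    return 0;
}
```

The racy path is exposed as two calls only so the interleaving can be shown in a single thread; in the real driver the window is the few instructions between reading config_msi and dereferencing cdx_irqs, and a second ioctl or the close path can land in it. In the fixed path the same sequence cannot occur, because the disable that frees the array must take cdx_irqs_lock and therefore waits for the trigger's check and use to complete as a unit. Build with a C99 compiler and a pthreads-capable libc (add -lpthread on toolchains that still need it).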

Related Identifiers

CVE-2026-46036

Affected Products

Linux