vfio/pci: Fix ordering of eventfd vs virqfd shutdown

Both the INTx and MSI/X disable paths do an eventfd_ctx_put() for the
trigger eventfd before calling vfio_virqfd_disable() any potential
mask and unmask eventfds.  This opens a use-after-free race where an
inopportune irqfd can reference the freed signalling eventfd.  Reorder
to avoid this possibility.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

1 files changed, 3 insertions, 3 deletions

diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
index e9ea3fef144a..15ecfc9c5f6c 100644
--- a/drivers/vfio/pci/vfio_pci_intrs.c
+++ b/drivers/vfio/pci/vfio_pci_intrs.c
@@ -228,9 +228,9 @@ static int vfio_intx_set_signal(struct vfio_pci_device *vdev, int fd)
 
 static void vfio_intx_disable(struct vfio_pci_device *vdev)
 {
-        vfio_intx_set_signal(vdev, -1);
         vfio_virqfd_disable(&vdev->ctx[0].unmask);
         vfio_virqfd_disable(&vdev->ctx[0].mask);
+        vfio_intx_set_signal(vdev, -1);
         vdev->irq_type = VFIO_PCI_NUM_IRQS;
         vdev->num_ctx = 0;
         kfree(vdev->ctx);
@@ -401,13 +401,13 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix)
         struct pci_dev *pdev = vdev->pdev;
         int i;
 
-        vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix);
-
         for (i = 0; i < vdev->num_ctx; i++) {
                 vfio_virqfd_disable(&vdev->ctx[i].unmask);
                 vfio_virqfd_disable(&vdev->ctx[i].mask);
         }
 
+        vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix);
+
         if (msix) {
                 pci_disable_msix(vdev->pdev);
                 kfree(vdev->msix);