Re: [PATCH rc v1 0/4] iommufd: Fix veventq_depth boundary

From: Jason Gunthorpe

Date: Mon May 18 2026 - 14:14:55 EST


On Sun, May 17, 2026 at 07:28:45PM -0700, Nicolin Chen wrote:
> The upper bound of veventq_depth has been missing for veventq allocation,
> leaving a vulnerability where userspace could exhaust the atomic memory pool.
>
> Fix it properly:
> - Allocate outside the spinlock to avoid GFP_ATOMIC
> - Cap the veventq_depth upper bound
> - Fix event_data byte-count
> - Add selftest coverage
>
> Note that QEMU's SMMU has already been allocating veventq using a "HW"
> EVTQ entry number. So, picking 19 as the known use case, for a minimal
> level of ABI consistency.
>
> This is on github:
> https://github.com/nicolinc/iommufd/commits/fix_veventq_depth-v1
>
> Nicolin Chen (4):
>   iommufd: Move vevent memory allocation outside spinlock
>   iommufd: Set veventq_depth upper bound
>   iommufd: Fix data_len byte-count vs element-count mismatch
>   iommufd/selftest: Add boundary tests for veventq_depth

Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>

Jason