RE: [PATCH rc v2 3/4] iommufd: Set veventq_depth upper bound
From: Tian, Kevin
Date: Mon May 25 2026 - 02:57:24 EST
> From: Nicolin Chen <nicolinc@xxxxxxxxxx>
> Sent: Friday, May 22, 2026 8:37 AM
>
> iommufd_veventq_alloc() accepts any !0 veventq_depth from userspace, with
> an upper bound at U32_MAX.
>
> This leaves a vulnerability where userspace can allocate excessively large
> queues to exhaust kernel memory reserves.
>
> Cap the veventq_depth (maximum number of entries) to 1 << 19, matching the
> maximum number of entries in the SMMUv3 EVTQ (the largest use case today).
Probably add a comment to the uapi header that the maximum supported
veventq depth is implementation specific, hence the user may expect
-EINVAL to be returned if the specified value is too large?
>
> Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
> Cc: stable@xxxxxxxxxxxxxxx
> Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
> Signed-off-by: Nicolin Chen <nicolinc@xxxxxxxxxx>
Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>