[PATCH rc v3 1/4] iommufd: Fix data_len byte-count vs element-count mismatch

Next message: Nicolin Chen: "[PATCH rc v3 2/4] iommufd: Move vevent memory allocation outside spinlock"
Previous message: Nicolin Chen: "[PATCH rc v3 3/4] iommufd: Set veventq_depth upper bound"
In reply to: Nicolin Chen: "[PATCH rc v3 3/4] iommufd: Set veventq_depth upper bound"
Next in thread: Nicolin Chen: "[PATCH rc v3 2/4] iommufd: Move vevent memory allocation outside spinlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nicolin Chen

Date: Mon May 25 2026 - 14:52:34 EST

kzalloc_flex() computes the allocation size. With event_data typed as u64,
data_len is interpreted as a u64 element count. Yet, every caller and the
read path treat data_len as a byte count. The current code over-allocates
by sizeof(u64) and the __counted_by() annotation overstates the length by
the same factor.

Re-type event_data as u8. No functional change in user-visible behavior.

Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
Signed-off-by: Nicolin Chen <nicolinc@xxxxxxxxxx>
---
drivers/iommu/iommufd/iommufd_private.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h
index 6ac1965199e9a..43fbc5bed8de3 100644
--- a/drivers/iommu/iommufd/iommufd_private.h
+++ b/drivers/iommu/iommufd/iommufd_private.h
@@ -602,7 +602,7 @@ struct iommufd_vevent {
struct iommufd_vevent_header header;
struct list_head node; /* for iommufd_eventq::deliver */
ssize_t data_len;
- u64 event_data[] __counted_by(data_len);
+ u8 event_data[] __counted_by(data_len);
};

#define vevent_for_lost_events_header(vevent) \
--
2.43.0