[PATCH rc v3 4/4] iommufd/selftest: Add boundary tests for veventq_depth
From: Nicolin Chen
Date: Mon May 25 2026 - 14:53:06 EST
Test veventq_depth to cover a memory exhaustion vulnerability.
Keep veventq_depth=2 for the existing callers.
Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
Signed-off-by: Nicolin Chen <nicolinc@xxxxxxxxxx>
---
tools/testing/selftests/iommu/iommufd_utils.h | 17 +++++++++--------
tools/testing/selftests/iommu/iommufd.c | 19 +++++++++++++++++--
.../selftests/iommu/iommufd_fail_nth.c | 2 +-
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h
index 5502751d500c8..b4928cbd4d9c8 100644
--- a/tools/testing/selftests/iommu/iommufd_utils.h
+++ b/tools/testing/selftests/iommu/iommufd_utils.h
@@ -1060,12 +1060,13 @@ static int _test_cmd_hw_queue_alloc(int fd, __u32 viommu_id, __u32 type,
base_addr, len, out_qid))
static int _test_cmd_veventq_alloc(int fd, __u32 viommu_id, __u32 type,
- __u32 *veventq_id, __u32 *veventq_fd)
+ __u32 depth, __u32 *veventq_id,
+ __u32 *veventq_fd)
{
struct iommu_veventq_alloc cmd = {
.size = sizeof(cmd),
.type = type,
- .veventq_depth = 2,
+ .veventq_depth = depth,
.viommu_id = viommu_id,
};
int ret;
@@ -1080,13 +1081,13 @@ static int _test_cmd_veventq_alloc(int fd, __u32 viommu_id, __u32 type,
return 0;
}
-#define test_cmd_veventq_alloc(viommu_id, type, veventq_id, veventq_fd) \
- ASSERT_EQ(0, _test_cmd_veventq_alloc(self->fd, viommu_id, type, \
+#define test_cmd_veventq_alloc(viommu_id, type, depth, veventq_id, veventq_fd) \
+ ASSERT_EQ(0, _test_cmd_veventq_alloc(self->fd, viommu_id, type, depth, \
veventq_id, veventq_fd))
-#define test_err_veventq_alloc(_errno, viommu_id, type, veventq_id, \
- veventq_fd) \
- EXPECT_ERRNO(_errno, \
- _test_cmd_veventq_alloc(self->fd, viommu_id, type, \
+#define test_err_veventq_alloc(_errno, viommu_id, type, depth, veventq_id, \
+ veventq_fd) \
+ EXPECT_ERRNO(_errno, \
+ _test_cmd_veventq_alloc(self->fd, viommu_id, type, depth, \
veventq_id, veventq_fd))
static int _test_cmd_trigger_vevents(int fd, __u32 dev_id, __u32 nvevents)
diff --git a/tools/testing/selftests/iommu/iommufd.c b/tools/testing/selftests/iommu/iommufd.c
index d1fe5dbc2813e..2e8a27dab0bb8 100644
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -2986,11 +2986,26 @@ TEST_F(iommufd_viommu, vdevice_alloc)
test_err_mock_domain_replace(ENOENT, self->stdev_id,
self->nested_hwpt_id);
+ /* Test depth lower and upper bounds (mirrors kernel cap) */
+#define VEVENTQ_MAX_DEPTH (1U << 19)
+ test_err_veventq_alloc(EINVAL, viommu_id,
+ IOMMU_VEVENTQ_TYPE_SELFTEST, 0, NULL,
+ NULL);
+ test_err_veventq_alloc(EINVAL, viommu_id,
+ IOMMU_VEVENTQ_TYPE_SELFTEST,
+ VEVENTQ_MAX_DEPTH + 1, NULL, NULL);
+ test_cmd_veventq_alloc(viommu_id, IOMMU_VEVENTQ_TYPE_SELFTEST,
+ VEVENTQ_MAX_DEPTH, &veventq_id,
+ &veventq_fd);
+ close(veventq_fd);
+ test_ioctl_destroy(veventq_id);
+
/* Allocate a vEVENTQ with veventq_depth=2 */
test_cmd_veventq_alloc(viommu_id, IOMMU_VEVENTQ_TYPE_SELFTEST,
- &veventq_id, &veventq_fd);
+ 2, &veventq_id, &veventq_fd);
test_err_veventq_alloc(EEXIST, viommu_id,
- IOMMU_VEVENTQ_TYPE_SELFTEST, NULL, NULL);
+ IOMMU_VEVENTQ_TYPE_SELFTEST, 2, NULL,
+ NULL);
/* Set vdev_id to 0x99, unset it, and set to 0x88 */
test_cmd_vdevice_alloc(viommu_id, dev_id, 0x99, &vdev_id);
test_cmd_mock_domain_replace(self->stdev_id,
diff --git a/tools/testing/selftests/iommu/iommufd_fail_nth.c b/tools/testing/selftests/iommu/iommufd_fail_nth.c
index 45c14323a6183..25495d8dceb3d 100644
--- a/tools/testing/selftests/iommu/iommufd_fail_nth.c
+++ b/tools/testing/selftests/iommu/iommufd_fail_nth.c
@@ -712,7 +712,7 @@ TEST_FAIL_NTH(basic_fail_nth, device)
return -1;
if (_test_cmd_veventq_alloc(self->fd, viommu_id,
- IOMMU_VEVENTQ_TYPE_SELFTEST, &veventq_id,
+ IOMMU_VEVENTQ_TYPE_SELFTEST, 2, &veventq_id,
&veventq_fd))
return -1;
close(veventq_fd);
--
2.43.0