[PATCH v1 4/7] iommufd: Reject invalid read count in iommufd_fault_fops_read()

Next message: Rob Herring: "Re: [PATCH 1/3] dt-bindings: net: qca,ipq5018: Split IPQ5018 PHY bindings from ar803x"
Previous message: Aliaksandr Smirnou: "[PATCH v7 1/2] dt-bindings: Pinefeat cef168 lens control board"
In reply to: Pranjal Shrivastava: "Re: [PATCH v1 2/7] iommufd: Reject invalid read count in iommufd_veventq_fops_read()"
Next in thread: Pranjal Shrivastava: "Re: [PATCH v1 4/7] iommufd: Reject invalid read count in iommufd_fault_fops_read()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nicolin Chen

Date: Mon Jun 01 2026 - 16:50:18 EST

The read count must be large enough to hold one fault or a group's faults.

iommufd_fault_fops_read() does not validate the count, but returns 0 as if
the read had succeeded while leaving the pending fault in the queue.

Return -EINVAL in the undersize cases.

Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Nicolin Chen <nicolinc@xxxxxxxxxx>
---
drivers/iommu/iommufd/eventq.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c
index f55d173c59f61..613024ca8f1ff 100644
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -142,6 +142,9 @@ static ssize_t iommufd_fault_fops_read(struct file *filep, char __user *buf,
if (done >= count ||
group->fault_count * fault_size > count - done) {
iommufd_fault_deliver_restore(fault, group);
+ /* Read count doesn't fit the first fault group */
+ if (done == 0)
+ rc = -EINVAL;
break;
}

--
2.43.0