Re: [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths

Next message: Ian Rogers: "[PATCH v11 06/19] perf symbol: Avoid use of machine__is"
Previous message: Ian Rogers: "[PATCH v11 05/19] perf print_insn: Use e_machine for fallback IP length check"
In reply to: Pranjal Shrivastava: "Re: [PATCH v1 4/7] iommufd: Reject invalid read count in iommufd_fault_fops_read()"
Next in thread: Tian, Kevin: "RE: [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nicolin Chen

Date: Tue Jun 02 2026 - 02:28:23 EST

On Mon, Jun 01, 2026 at 01:42:31PM -0700, Nicolin Chen wrote:
> Bugs were found in iommufd_veventq/fault_fops_read(), where userspace may:
> - Receive a corrupted byte stream after a partial copy_to_user
> - Spin in a poll/read loop when reading with an undersized buffer
> - Miss notifications when the kernel cannot allocate a lost-events copy
> - Receive duplicate faults with stale cookies after a mid-group failure
> - Cause the kernel to retry the same failed copy_to_user indefinitely
>
> Fix them, then add selftest coverage for the vEVENTQ count validation.
>
> This is on github:
> https://github.com/nicolinc/iommufd/commits/fix_eventq_read_bugs-v1
>
> Rebased on Jason's for-next tree with the veventq_depth series applied.
[...]
> base-commit: f25989c19028e8bf81e26e1133a99e3436c3afc2

I realized that I sent this too fast, before Jason's for-next tree
is available in linux-next. So maybe this is why Sashiko failed to
review.

FWIW, I've done a local Sashiko review, which came out clean. But,
maybe we can respin a v2 once it collects some comments and tags.

Thanks
Nicolin