Re: [PATCH] vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd()
From: Raghavendra Rao Ananta
Date: Thu Oct 30 2025 - 15:07:22 EST
On Thu, Oct 30, 2025 at 11:31 AM Jason Gunthorpe <jgg@xxxxxxxx> wrote:
>
> On Thu, Oct 30, 2025 at 05:12:38PM +0000, Raghavendra Rao Ananta wrote:
> > For the cases where the user includes a non-zero value in the 'token_uuid_ptr'
> > field of 'struct vfio_device_bind_iommufd', the copy_struct_from_user()
> > in vfio_df_ioctl_bind_iommufd() fails with -E2BIG. For the 'minsz' passed,
> > copy_struct_from_user() expects the newly introduced field to be zeroed,
> > which would be incorrect in this case.
> >
> > Fix this by passing the actual size of the kernel struct. If working
> > with a newer userspace, copy_struct_from_user() would copy the
> > 'token_uuid_ptr' field, and if working with an old userspace, it would
> > zero out this field, thus still retaining backward compatibility.
> >
> > Fixes: 86624ba3b522 ("vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD")
> > Signed-off-by: Raghavendra Rao Ananta <rananta@xxxxxxxxxx>
> > ---
> > drivers/vfio/device_cdev.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
>
> Though I feel this was copied from some other spot in vfio so I wonder
> if we have a larger set of things that are a little off..
>
I could only find vfio_df_ioctl_bind_iommufd() in vfio referencing
copy_struct_from_user(). The other closest would be in
drivers/iommu/iommufd/main.c::iommufd_fops_ioctl(), which seems to be
doing the right thing.
Thank you.
Raghavendra
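The ksize/usize contract of copy_struct_from_user() that the commit message relies on, as an added user-space model (not the kernel's code, the patch, or anything posted in this thread). The layout of struct vfio_device_bind_iommufd is assumed from the vfio uapi header, memcpy stands in for copy_from_user(), a plain loop stands in for check_zeroed_user(), the argsz sanity check in bind_copy_in() is part of the model rather than a claim about the driver, and the token pointer value and iommufd number are constructed sample input. The model shows why ksize == minsz returns -E2BIG for a new userspace that sets token_uuid_ptr, why it went unnoticed when the field was zero, and how ksize == sizeof(bind) still zero-fills the field for an old userspace.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed from the vfio uapi header: the last field is the one added by
 * 86624ba3b522. On a typical ABI this is 24 bytes with the pointer at 16. */
struct vfio_device_bind_iommufd {
	uint32_t argsz;
	uint32_t flags;
	int32_t  iommufd;
	uint32_t out_devid;
	uint64_t token_uuid_ptr;
};

/* Same value as offsetofend(struct vfio_device_bind_iommufd, out_devid). */
#define MINSZ (offsetof(struct vfio_device_bind_iommufd, out_devid) + \
	       sizeof(((struct vfio_device_bind_iommufd *)0)->out_devid))

/* Model of copy_struct_from_user(): copy min(ksize, usize) bytes; if the
 * user struct is shorter, zero the kernel-only tail; if it is longer, the
 * user-only tail must be all zero, otherwise -E2BIG. */
static int model_copy_struct_from_user(void *dst, size_t ksize,
				       const void *src, size_t usize)
{
	size_t size = ksize < usize ? ksize : usize;
	size_t rest = (ksize > usize ? ksize : usize) - size;

	if (!src)
		return -EFAULT;

	if (usize < ksize) {
		memset((char *)dst + size, 0, rest);   /* old userspace */
	} else if (usize > ksize) {
		const unsigned char *tail = (const unsigned char *)src + size;
		for (size_t i = 0; i < rest; i++)
			if (tail[i])
				return -E2BIG;          /* newer userspace */
	}
	memcpy(dst, src, size);                         /* copy_from_user() */
	return 0;
}

/* Model of the copy-in done by vfio_df_ioctl_bind_iommufd(): read minsz to
 * learn argsz, then copy the struct. 'ksize' is the argument under
 * discussion: MINSZ before the patch, sizeof(*bind) after it. */
static int bind_copy_in(struct vfio_device_bind_iommufd *bind,
			const void *user_arg, size_t ksize)
{
	memset(bind, 0xff, sizeof(*bind));  /* poison so zero-filling is visible */
	memcpy(bind, user_arg, MINSZ);      /* copy_from_user(&bind, arg, minsz) */
	if (bind->argsz < MINSZ)
		return -EINVAL;             /* model-only sanity check */
	return model_copy_struct_from_user(bind, ksize, user_arg, bind->argsz);
}

/* Constructed input: a userspace that knows the full struct. */
static int scenario_new_user(size_t ksize, uint64_t token_ptr,
			     struct vfio_device_bind_iommufd *out)
{
	struct vfio_device_bind_iommufd u = {
		.argsz = sizeof(u),
		.iommufd = 3,                /* constructed fd number */
		.token_uuid_ptr = token_ptr, /* constructed, any value */
	};
	return bind_copy_in(out, &u, ksize);
}

/* Constructed input: an old userspace whose struct ends after out_devid;
 * only MINSZ bytes exist, so nothing past them may be read. */
static int scenario_old_user(size_t ksize,
			     struct vfio_device_bind_iommufd *out)
{
	struct vfio_device_bind_iommufd u = { .argsz = MINSZ, .iommufd = 3 };
	unsigned char buf[MINSZ];

	memcpy(buf, &u, MINSZ);
	return bind_copy_in(out, buf, ksize);
}

int main(void)
{
	struct vfio_device_bind_iommufd k;
	int ret;

	ret = scenario_new_user(MINSZ, 0x7ffd00001000ULL, &k);
	printf("ksize=minsz,  token set:  ret=%d%s\n", ret,
	       ret == -E2BIG ? " (-E2BIG)" : "");
	ret = scenario_new_user(MINSZ, 0, &k);
	printf("ksize=minsz,  token zero: ret=%d\n", ret);
	ret = scenario_new_user(sizeof(k), 0x7ffd00001000ULL, &k);
	printf("ksize=sizeof, token set:  ret=%d token_uuid_ptr=%#llx\n", ret,
	       (unsigned long long)k.token_uuid_ptr);
	ret = scenario_old_user(sizeof(k), &k);
	printf("ksize=sizeof, old user:   ret=%d token_uuid_ptr=%#llx\n", ret,
	       (unsigned long long)k.token_uuid_ptr);
	return 0;
}
```

The tail check is the whole story: with ksize == MINSZ the kernel tells copy_struct_from_user() that it understands only 16 bytes, so the 8 bytes of token_uuid_ptr count as "unknown to the kernel" and must be zero, which is exactly the case the new VFIO_DEVICE_BIND_FLAG_TOKEN path needs to be non-zero. Passing sizeof(bind) makes those bytes part of the kernel's known struct, and an old userspace with argsz == 16 still gets the field cleared by the usize < ksize branch.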