Re: [PATCH] vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd()

From: Jason Gunthorpe

Date: Thu Oct 30 2025 - 14:31:22 EST


On Thu, Oct 30, 2025 at 05:12:38PM +0000, Raghavendra Rao Ananta wrote:
> For the cases where user includes a non-zero value in 'token_uuid_ptr'
> field of 'struct vfio_device_bind_iommufd', the copy_struct_from_user()
> in vfio_df_ioctl_bind_iommufd() fails with -E2BIG. For the 'minsz' passed,
> copy_struct_from_user() expects the newly introduced field to be zeroed,
> which would be incorrect in this case.
>
> Fix this by passing the actual size of the kernel struct. If working
> with a newer userspace, copy_struct_from_user() would copy the
> 'token_uuid_ptr' field, and if working with an old userspace, it would
> zero out this field, thus still retaining backward compatibility.
>
> Fixes: 86624ba3b522 ("vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD")
> Signed-off-by: Raghavendra Rao Ananta <rananta@xxxxxxxxxx>
> ---
> drivers/vfio/device_cdev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>

Though I feel this was copied from some other spot in vfio so I wonder
if we have a larger set of things that are a little off..

Jason
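To make the ksize/usize behaviour discussed in this thread concrete, the following is an added userspace model, not kernel code and not part of the patch. It re-implements the documented semantics of copy_struct_from_user() (zero-fill the kernel-side tail when userspace passes a shorter struct, reject with -E2BIG when userspace passes a longer struct whose tail is not all zero) and runs the three cases from the commit message against it. The struct layout, the bind_ioctl() wrapper and the sample values are assumptions for illustration; only the size arithmetic mirrors the kernel helper.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the UAPI struct: assumed layout for illustration,
 * not the kernel header. The 64-bit field is the newer, appended one. */
struct bind_iommufd {
	uint32_t argsz;
	uint32_t flags;
	int32_t  iommufd;
	uint32_t out_devid;
	uint64_t token_uuid_ptr;
};

/* Size of the struct before the newer field was added. */
#define BIND_MINSZ offsetof(struct bind_iommufd, token_uuid_ptr)

/* Userspace model of copy_struct_from_user(): ksize is the kernel's view,
 * usize is what userspace claims (argsz). Memory faults are out of scope,
 * so the caller is responsible for passing a readable src of usize bytes. */
static int model_copy_struct_from_user(void *dst, size_t ksize,
				       const void *src, size_t usize)
{
	size_t size = ksize < usize ? ksize : usize;
	size_t rest = (ksize > usize ? ksize : usize) - size;
	const unsigned char *tail = (const unsigned char *)src + size;
	size_t i;

	if (usize < ksize) {
		/* Old userspace: fields it does not know about become zero. */
		memset((unsigned char *)dst + size, 0, rest);
	} else if (usize > ksize) {
		/* Newer userspace: the kernel only accepts a zeroed tail. */
		for (i = 0; i < rest; i++)
			if (tail[i])
				return -E2BIG;
	}
	memcpy(dst, src, size);
	return 0;
}

/* Model of the ioctl entry: ubuf/ulen stand in for the user mapping. */
static int bind_ioctl(const void *ubuf, size_t ulen, size_t ksize,
		      struct bind_iommufd *out)
{
	uint32_t argsz;

	if (ulen < sizeof(argsz))
		return -EFAULT;
	memcpy(&argsz, ubuf, sizeof(argsz));
	if (argsz < BIND_MINSZ)
		return -EINVAL;
	if (argsz > ulen)
		return -EFAULT;	/* user memory would not be readable */
	memset(out, 0xAA, sizeof(*out));	/* poison so zero-fill is visible */
	return model_copy_struct_from_user(out, ksize, ubuf, argsz);
}

/* Constructed sample token pointer value (not a real address). */
#define SAMPLE_TOKEN 0x1122334455667788ULL

/* Result of the last scenario, for inspection by the caller. */
uint64_t last_token;

/* New userspace, non-zero token, ksize = minsz: the case the patch fixes. */
int scenario_new_user_minsz(void)
{
	struct bind_iommufd u = { sizeof(u), 0, 3, 0, SAMPLE_TOKEN }, k;
	int rc = bind_ioctl(&u, sizeof(u), BIND_MINSZ, &k);
	last_token = k.token_uuid_ptr;
	return rc;
}

/* New userspace, non-zero token, ksize = sizeof(struct): token is copied. */
int scenario_new_user_full(void)
{
	struct bind_iommufd u = { sizeof(u), 0, 3, 0, SAMPLE_TOKEN }, k;
	int rc = bind_ioctl(&u, sizeof(u), sizeof(k), &k);
	last_token = k.token_uuid_ptr;
	return rc;
}

/* Old userspace (argsz = minsz), ksize = sizeof(struct): token is zeroed,
 * whatever happens to sit in the user buffer past argsz. */
int scenario_old_user_full(void)
{
	struct bind_iommufd u = { BIND_MINSZ, 0, 3, 0, SAMPLE_TOKEN }, k;
	int rc = bind_ioctl(&u, sizeof(u), sizeof(k), &k);
	last_token = k.token_uuid_ptr;
	return rc;
}

int main(void)
{
	printf("new user, ksize=minsz : rc=%d\n", scenario_new_user_minsz());
	printf("new user, ksize=sizeof: rc=%d token=%#llx\n",
	       scenario_new_user_full(), (unsigned long long)last_token);
	printf("old user, ksize=sizeof: rc=%d token=%#llx\n",
	       scenario_old_user_full(), (unsigned long long)last_token);
	return 0;
}
```

The first scenario reproduces the failure from the commit message: with ksize set to the pre-extension size, a caller that legitimately fills the new field is treated as having a non-zero tail and gets -E2BIG. Passing the full kernel struct size restores both directions of compatibility, which is why auditing other minsz call sites, as Jason suggests, is worthwhile: the same argument mistake silently breaks every extended field.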