From: Nicolin Chen <nicolinc@nvidia.com>
To: <jgg@nvidia.com>, <kevin.tian@intel.com>
Cc: <joro@8bytes.org>, <baolu.lu@linux.intel.com>,
<iommu@lists.linux.dev>, <linux-kernel@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>
Subject: [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths
Date: Mon, 1 Jun 2026 13:42:31 -0700
Message-ID: <cover.1780343944.git.nicolinc@nvidia.com>

Bugs were found in iommufd_veventq/fault_fops_read(), where userspace may:
 - Receive a corrupted byte stream after a partial copy_to_user
 - Spin in a poll/read loop when reading with an undersized buffer
 - Miss notifications when the kernel cannot allocate a lost-events copy
 - Receive duplicate faults with stale cookies after a mid-group failure
 - Cause the kernel to retry the same failed copy_to_user indefinitely

Fix them, then add selftest coverage for the vEVENTQ count validation.

This is on github:
https://github.com/nicolinc/iommufd/commits/fix_eventq_read_bugs-v1

Rebased on Jason's for-next tree with the veventq_depth series applied.

Nicolin Chen (7):
  iommufd: Rewind header length in done if iommufd_veventq_fops_read()
    fails
  iommufd: Reject invalid read count in iommufd_veventq_fops_read()
  iommufd: Propagate allocation failure in
    iommufd_veventq_deliver_fetch()
  iommufd: Reject invalid read count in iommufd_fault_fops_read()
  iommufd: Break the loop on failure in iommufd_fault_fops_read()
  iommufd: Avoid partial fault group delivery in
    iommufd_fault_fops_read()
  iommufd/selftest: Cover invalid read counts on vEVENTQ FD

 drivers/iommu/iommufd/eventq.c          | 29 ++++++++++++++++++++++---
 tools/testing/selftests/iommu/iommufd.c | 17 +++++++++++++++
 2 files changed, 43 insertions(+), 3 deletions(-)

base-commit: f25989c19028e8bf81e26e1133a99e3436c3afc2
--
2.43.0

Thread overview: 18+ messages
2026-06-01 20:42 Nicolin Chen [this message]
2026-06-01 20:42 ` [PATCH v1 1/7] iommufd: Rewind header length in done if iommufd_veventq_fops_read() fails Nicolin Chen
2026-06-03 14:01 ` Pranjal Shrivastava
2026-06-01 20:42 ` [PATCH v1 2/7] iommufd: Reject invalid read count in iommufd_veventq_fops_read() Nicolin Chen
2026-06-03 14:08 ` Pranjal Shrivastava
2026-06-01 20:42 ` [PATCH v1 3/7] iommufd: Propagate allocation failure in iommufd_veventq_deliver_fetch() Nicolin Chen
2026-06-03 14:13 ` Pranjal Shrivastava
2026-06-01 20:42 ` [PATCH v1 4/7] iommufd: Reject invalid read count in iommufd_fault_fops_read() Nicolin Chen
2026-06-03 14:15 ` Pranjal Shrivastava
2026-06-01 20:42 ` [PATCH v1 5/7] iommufd: Break the loop on failure " Nicolin Chen
2026-06-03 14:18 ` Pranjal Shrivastava
2026-06-01 20:42 ` [PATCH v1 6/7] iommufd: Avoid partial fault group delivery " Nicolin Chen
2026-06-03 14:26 ` Pranjal Shrivastava
2026-06-01 20:42 ` [PATCH v1 7/7] iommufd/selftest: Cover invalid read counts on vEVENTQ FD Nicolin Chen
2026-06-03 14:46 ` Pranjal Shrivastava
2026-06-02 6:27 ` [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths Nicolin Chen
2026-06-03 6:59 ` Tian, Kevin
2026-06-05 14:30 ` Jason Gunthorpe