* Re: [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
[not found] <20260430175630.67078-1-kai.aizen.dev@gmail.com>
@ 2026-05-05 3:26 ` Baolu Lu
2026-05-05 3:45 ` Nicolin Chen
` (2 subsequent siblings)
3 siblings, 0 replies; 4+ messages in thread
From: Baolu Lu @ 2026-05-05 3:26 UTC (permalink / raw)
To: Kai Aizen, jgg
Cc: baolu.lu, kevin.tian, nicolinc, will, robin.murphy, joro, iommu,
linux-kernel, stable
On 5/1/2026 1:56 AM, Kai Aizen wrote:
> The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
> path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
>
> if (!vevent_for_lost_events_header(cur) &&
> sizeof(hdr) + cur->data_len > count - done) {
>
> hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
> evaluates to the size of the pointer. Surrounding code uses
> sizeof(*hdr) consistently:
>
> if (done >= count || sizeof(*hdr) > count - done) {
> ...
> if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
> ...
> done += sizeof(*hdr);
>
> struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
> flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
> expressions happen to be equal and the check works as intended.
>
> On 32-bit (sizeof(void *) == 4) the check under-counts the header by
> 4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
> count - done while 4 + cur->data_len does not will pass the check,
> then the loop will copy_to_user 8 bytes of header followed by data_len
> bytes of payload, writing past the user-supplied buffer.
>
> It is also a latent bug for any future expansion of struct
> iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
> should not depend on the type happening to match the host pointer
> width.
>
> Use sizeof(*hdr) to match the rest of the function and the actual
> amount that will be copied.
>
> Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
> Cc:stable@vger.kernel.org
> Reported-by: Kai Aizen<kai.aizen.dev@gmail.com>
> Signed-off-by: Kai Aizen<kai.aizen.dev@gmail.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
[not found] <20260430175630.67078-1-kai.aizen.dev@gmail.com>
2026-05-05 3:26 ` [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read Baolu Lu
@ 2026-05-05 3:45 ` Nicolin Chen
2026-05-08 8:17 ` Tian, Kevin
2026-05-08 23:37 ` Jason Gunthorpe
3 siblings, 0 replies; 4+ messages in thread
From: Nicolin Chen @ 2026-05-05 3:45 UTC (permalink / raw)
To: Kai Aizen
Cc: jgg, kevin.tian, will, robin.murphy, joro, iommu, linux-kernel,
stable
On Thu, Apr 30, 2026 at 08:56:30PM +0300, Kai Aizen wrote:
> The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
> path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
>
> if (!vevent_for_lost_events_header(cur) &&
> sizeof(hdr) + cur->data_len > count - done) {
>
> hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
> evaluates to the size of the pointer. Surrounding code uses
> sizeof(*hdr) consistently:
>
> if (done >= count || sizeof(*hdr) > count - done) {
> ...
> if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
> ...
> done += sizeof(*hdr);
>
> struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
> flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
> expressions happen to be equal and the check works as intended.
>
> On 32-bit (sizeof(void *) == 4) the check under-counts the header by
> 4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
> count - done while 4 + cur->data_len does not will pass the check,
> then the loop will copy_to_user 8 bytes of header followed by data_len
> bytes of payload, writing past the user-supplied buffer.
>
> It is also a latent bug for any future expansion of struct
> iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
> should not depend on the type happening to match the host pointer
> width.
>
> Use sizeof(*hdr) to match the rest of the function and the actual
> amount that will be copied.
>
> Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
> Cc: stable@vger.kernel.org
> Reported-by: Kai Aizen <kai.aizen.dev@gmail.com>
> Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
[not found] <20260430175630.67078-1-kai.aizen.dev@gmail.com>
2026-05-05 3:26 ` [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read Baolu Lu
2026-05-05 3:45 ` Nicolin Chen
@ 2026-05-08 8:17 ` Tian, Kevin
2026-05-08 23:37 ` Jason Gunthorpe
3 siblings, 0 replies; 4+ messages in thread
From: Tian, Kevin @ 2026-05-08 8:17 UTC (permalink / raw)
To: Kai Aizen, jgg@nvidia.com
Cc: nicolinc@nvidia.com, will@kernel.org, robin.murphy@arm.com,
joro@8bytes.org, iommu@lists.linux.dev,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
> From: Kai Aizen <kai.aizen.dev@gmail.com>
> Sent: Friday, May 1, 2026 1:57 AM
>
> The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
> path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
>
> if (!vevent_for_lost_events_header(cur) &&
> sizeof(hdr) + cur->data_len > count - done) {
>
> hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
> evaluates to the size of the pointer. Surrounding code uses
> sizeof(*hdr) consistently:
>
> if (done >= count || sizeof(*hdr) > count - done) {
> ...
> if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
> ...
> done += sizeof(*hdr);
>
> struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
> flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
> expressions happen to be equal and the check works as intended.
>
> On 32-bit (sizeof(void *) == 4) the check under-counts the header by
> 4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
> count - done while 4 + cur->data_len does not will pass the check,
> then the loop will copy_to_user 8 bytes of header followed by data_len
> bytes of payload, writing past the user-supplied buffer.
>
> It is also a latent bug for any future expansion of struct
> iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
> should not depend on the type happening to match the host pointer
> width.
>
> Use sizeof(*hdr) to match the rest of the function and the actual
> amount that will be copied.
>
> Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and
> IOMMUFD_CMD_VEVENTQ_ALLOC")
> Cc: stable@vger.kernel.org
> Reported-by: Kai Aizen <kai.aizen.dev@gmail.com>
> Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
[not found] <20260430175630.67078-1-kai.aizen.dev@gmail.com>
` (2 preceding siblings ...)
2026-05-08 8:17 ` Tian, Kevin
@ 2026-05-08 23:37 ` Jason Gunthorpe
3 siblings, 0 replies; 4+ messages in thread
From: Jason Gunthorpe @ 2026-05-08 23:37 UTC (permalink / raw)
To: Kai Aizen
Cc: kevin.tian, nicolinc, will, robin.murphy, joro, iommu,
linux-kernel, stable
On Thu, Apr 30, 2026 at 08:56:30PM +0300, Kai Aizen wrote:
> The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
> path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
>
> if (!vevent_for_lost_events_header(cur) &&
> sizeof(hdr) + cur->data_len > count - done) {
>
> hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
> evaluates to the size of the pointer. Surrounding code uses
> sizeof(*hdr) consistently:
>
> if (done >= count || sizeof(*hdr) > count - done) {
> ...
> if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
> ...
> done += sizeof(*hdr);
>
> struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
> flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
> expressions happen to be equal and the check works as intended.
>
> On 32-bit (sizeof(void *) == 4) the check under-counts the header by
> 4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
> count - done while 4 + cur->data_len does not will pass the check,
> then the loop will copy_to_user 8 bytes of header followed by data_len
> bytes of payload, writing past the user-supplied buffer.
>
> It is also a latent bug for any future expansion of struct
> iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
> should not depend on the type happening to match the host pointer
> width.
>
> Use sizeof(*hdr) to match the rest of the function and the actual
> amount that will be copied.
>
> Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
> Cc: stable@vger.kernel.org
> Reported-by: Kai Aizen <kai.aizen.dev@gmail.com>
> Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
> ---
> v2: fix From/Signed-off-by to use real name and email address.
> ---
> drivers/iommu/iommufd/eventq.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to for-rc, thanks
Jason
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-08 23:37 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20260430175630.67078-1-kai.aizen.dev@gmail.com>
2026-05-05 3:26 ` [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read Baolu Lu
2026-05-05 3:45 ` Nicolin Chen
2026-05-08 8:17 ` Tian, Kevin
2026-05-08 23:37 ` Jason Gunthorpe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox