Bugs were found in iommufd_veventq/fault_fops_read(), where userspace may:
 - Receive a corrupted byte stream after a partial copy_to_user
 - Spin in a poll/read loop when reading with an undersized buffer
 - Miss notifications when the kernel cannot allocate a lost-events copy
 - Receive duplicate faults with stale cookies after a mid-group failure
 - Cause the kernel to retry the same failed copy_to_user indefinitely

Fix them, then add selftest coverage for the vEVENTQ count validation.

This is on github:
https://github.com/nicolinc/iommufd/commits/fix_eventq_read_bugs-v1

Rebased on Jason's for-next tree with the veventq_depth series applied.

Nicolin Chen (7):
  iommufd: Rewind header length in done if iommufd_veventq_fops_read() fails
  iommufd: Reject invalid read count in iommufd_veventq_fops_read()
  iommufd: Propagate allocation failure in iommufd_veventq_deliver_fetch()
  iommufd: Reject invalid read count in iommufd_fault_fops_read()
  iommufd: Break the loop on failure in iommufd_fault_fops_read()
  iommufd: Avoid partial fault group delivery in iommufd_fault_fops_read()
  iommufd/selftest: Cover invalid read counts on vEVENTQ FD

 drivers/iommu/iommufd/eventq.c          | 29 ++++++++++++++++++++++---
 tools/testing/selftests/iommu/iommufd.c | 17 +++++++++++++++
 2 files changed, 43 insertions(+), 3 deletions(-)

base-commit: f25989c19028e8bf81e26e1133a99e3436c3afc2
--
2.43.0

