[PATCH v1 6/7] iommufd: Avoid partial fault group delivery in iommufd_fault_fops_read()

[Nicolin Chen]

The cookie returned by xa_alloc() in iommufd_fault_fops_read() is per fault
group, but the inner copy_to_user() runs per fault inside the group. If a
copy fails mid-group, xa_erase clears the cookie and the group is restored
to the deliver list, yet done is not rolled back. The function returns the
partial byte count, with the successfully copied faults sitting at offsets
below done carrying the now-erased cookie. The next read() then re-fetches
the group, allocates a fresh cookie, and re-delivers every fault including
the ones already copied; userspace sees duplicates carrying the new cookie,
and a stale cookie that can never be responded to.

Use a local group_done variable that tracks the per-group progress inside
the inner loop, and only commit done = group_done after the inner loop has
finished successfully. On a copy_to_user failure the outer break skips the
commit, so done remains at its prior start-of-group baseline; the partial
bytes already written past done are undefined to userspace per the read(2)
contract, and the next read re-delivers the whole group atomically.

Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Cc: sta...@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Nicolin Chen <nicol...@nvidia.com>
---
 drivers/iommu/iommufd/eventq.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c
index 1c010e691f972..5129e3bf5461c 100644
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -139,6 +139,8 @@ static ssize_t iommufd_fault_fops_read(struct file *filep, 
char __user *buf,
 
        mutex_lock(&fault->mutex);
        while ((group = iommufd_fault_deliver_fetch(fault))) {
+               size_t group_done = done;
+
                if (done >= count ||
                    group->fault_count * fault_size > count - done) {
                        iommufd_fault_deliver_restore(fault, group);
@@ -160,16 +162,17 @@ static ssize_t iommufd_fault_fops_read(struct file 
*filep, char __user *buf,
                        iommufd_compose_fault_message(&iopf->fault,
                                                      &data, idev,
                                                      group->cookie);
-                       if (copy_to_user(buf + done, &data, fault_size)) {
+                       if (copy_to_user(buf + group_done, &data, fault_size)) {
                                xa_erase(&fault->response, group->cookie);
                                iommufd_fault_deliver_restore(fault, group);
                                rc = -EFAULT;
                                break;
                        }
-                       done += fault_size;
+                       group_done += fault_size;
                }
                if (rc)
                        break;
+               done = group_done;
        }
        mutex_unlock(&fault->mutex);
 
-- 
2.43.0