[PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths

Nicolin Chen posted 7 patches 6 days, 7 hours ago
drivers/iommu/iommufd/eventq.c          | 29 ++++++++++++++++++++++---
tools/testing/selftests/iommu/iommufd.c | 17 +++++++++++++++
2 files changed, 43 insertions(+), 3 deletions(-)
Posted by Nicolin Chen 6 days, 7 hours ago
Bugs were found in iommufd_veventq/fault_fops_read(), where userspace may:
 - Receive a corrupted byte stream after a partial copy_to_user
 - Spin in a poll/read loop when reading with an undersized buffer
 - Miss notifications when the kernel cannot allocate a lost-events copy
 - Receive duplicate faults with stale cookies after a mid-group failure
 - Cause the kernel to retry the same failed copy_to_user indefinitely

Fix them, then add selftest coverage for the vEVENTQ count validation.

This is on github:
https://github.com/nicolinc/iommufd/commits/fix_eventq_read_bugs-v1

Rebased on Jason's for-next tree with the veventq_depth series applied.

Nicolin Chen (7):
  iommufd: Rewind header length in done if iommufd_veventq_fops_read()
    fails
  iommufd: Reject invalid read count in iommufd_veventq_fops_read()
  iommufd: Propagate allocation failure in
    iommufd_veventq_deliver_fetch()
  iommufd: Reject invalid read count in iommufd_fault_fops_read()
  iommufd: Break the loop on failure in iommufd_fault_fops_read()
  iommufd: Avoid partial fault group delivery in
    iommufd_fault_fops_read()
  iommufd/selftest: Cover invalid read counts on vEVENTQ FD

 drivers/iommu/iommufd/eventq.c          | 29 ++++++++++++++++++++++---
 tools/testing/selftests/iommu/iommufd.c | 17 +++++++++++++++
 2 files changed, 43 insertions(+), 3 deletions(-)


base-commit: f25989c19028e8bf81e26e1133a99e3436c3afc2
-- 
2.43.0
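
The first two failure modes listed in the cover letter above (a byte stream corrupted by a partial copy_to_user, and a poll/read spin on an undersized buffer), as an added userspace model in C; this is not code from the series or from the kernel. The record layout, `model_read()`, `model_copy()`, the `fault_at` parameter and the `-EINVAL` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Constructed record layout for this model; not the iommufd uAPI structs. */
struct hdr { uint32_t flags, seq; };
struct event { struct hdr h; size_t data_len; unsigned char data[16]; };
struct queue { struct event ev[4]; size_t head, n; };

/* Stand-in for copy_to_user(): writes that reach past fault_at fail (nonzero). */
static int model_copy(unsigned char *buf, size_t off, const void *src,
		      size_t len, size_t fault_at)
{
	if (off + len > fault_at)
		return 1;
	memcpy(buf + off, src, len);
	return 0;
}

ssize_t model_read(struct queue *q, unsigned char *buf, size_t count,
		   size_t fault_at)
{
	size_t done = 0;
	int rc = 0;

	while (q->head < q->n) {
		struct event *cur = &q->ev[q->head];
		size_t start = done;	/* stream offset where this record begins */

		if (sizeof(cur->h) + cur->data_len > count - done) {
			/* Record does not fit. If nothing was delivered, returning 0
			 * would leave the fd readable and the caller spinning in
			 * poll/read, so report an error (assumed -EINVAL). */
			if (!done)
				rc = -EINVAL;
			break;
		}
		if (model_copy(buf, done, &cur->h, sizeof(cur->h), fault_at)) {
			rc = -EFAULT;
			break;
		}
		done += sizeof(cur->h);
		if (model_copy(buf, done, cur->data, cur->data_len, fault_at)) {
			done = start;	/* rewind: do not count the orphaned header */
			rc = -EFAULT;
			break;
		}
		done += cur->data_len;
		q->head++;		/* consume only after the full record is copied */
	}
	return done ? (ssize_t)done : rc;
}
```

Without the rewind, a payload copy that fails after its header was copied would report the header's bytes as delivered while the record stays queued, so the next read would emit the same header again in the middle of the stream.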
Re: [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths
Posted by Jason Gunthorpe 2 days, 13 hours ago
On Mon, Jun 01, 2026 at 01:42:31PM -0700, Nicolin Chen wrote:

> Nicolin Chen (7):
>   iommufd: Rewind header length in done if iommufd_veventq_fops_read()
>     fails
>   iommufd: Reject invalid read count in iommufd_veventq_fops_read()
>   iommufd: Propagate allocation failure in
>     iommufd_veventq_deliver_fetch()
>   iommufd: Reject invalid read count in iommufd_fault_fops_read()
>   iommufd: Break the loop on failure in iommufd_fault_fops_read()
>   iommufd: Avoid partial fault group delivery in
>     iommufd_fault_fops_read()
>   iommufd/selftest: Cover invalid read counts on vEVENTQ FD

Applied to for-next

Thanks,
Jason
RE: [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths
Posted by Tian, Kevin 4 days, 21 hours ago
> From: Nicolin Chen <nicolinc@nvidia.com>
> Sent: Tuesday, June 2, 2026 4:43 AM
> 
> Bugs were found in iommufd_veventq/fault_fops_read(), where userspace
> may:
>  - Receive a corrupted byte stream after a partial copy_to_user
>  - Spin in a poll/read loop when reading with an undersized buffer
>  - Miss notifications when the kernel cannot allocate a lost-events copy
>  - Receive duplicate faults with stale cookies after a mid-group failure
>  - Cause the kernel to retry the same failed copy_to_user indefinitely
> 
> Fix them, then add selftest coverage for the vEVENTQ count validation.
> 

for the whole series:

Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Re: [PATCH v1 0/7] iommufd: Fix bugs in eventq fops_read paths
Posted by Nicolin Chen 5 days, 21 hours ago
On Mon, Jun 01, 2026 at 01:42:31PM -0700, Nicolin Chen wrote:
> Bugs were found in iommufd_veventq/fault_fops_read(), where userspace may:
>  - Receive a corrupted byte stream after a partial copy_to_user
>  - Spin in a poll/read loop when reading with an undersized buffer
>  - Miss notifications when the kernel cannot allocate a lost-events copy
>  - Receive duplicate faults with stale cookies after a mid-group failure
>  - Cause the kernel to retry the same failed copy_to_user indefinitely
> 
> Fix them, then add selftest coverage for the vEVENTQ count validation.
> 
> This is on github:
> https://github.com/nicolinc/iommufd/commits/fix_eventq_read_bugs-v1
> 
> Rebased on Jason's for-next tree with the veventq_depth series applied.
[...]
> base-commit: f25989c19028e8bf81e26e1133a99e3436c3afc2

I realized that I sent this too fast, before Jason's for-next tree
is available in linux-next. So maybe this is why Sashiko failed to
review.

FWIW, I've done a local Sashiko review, which came out clean. But,
maybe we can respin a v2 once it collects some comments and tags.

Thanks
Nicolin