From nobody Mon Jun 8 09:48:03 2026 Received: from PH7PR06CU001.outbound.protection.outlook.com (mail-westus3azon11010047.outbound.protection.outlook.com [52.101.201.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B36AB49252E; Wed, 3 Jun 2026 21:27:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.201.47 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522067; cv=fail; b=R0kVdAb40kHo84VPWHHWnlHJvtoDPLwD3K4g+c4QdEGKflvWFrKd2aHDyz9P1iNxI/X8gFHJ/bCAHkZTozsbSeOHFVu0z09UW3vtwmH3ShTTA/KkbAnofLFrqlzNTX53isg4dQGo3suObQwB2S+MfBLWYX6BqVCAXIEecJvEbcU= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522067; c=relaxed/simple; bh=b2V8s+fW49YUeGY3qq2JmE61S2yy3W5YA2dmGLZMBCk=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=f18UcSX+xHtgjWuI/yrtG3ZKRVUuL3O9Nvfu8QG12JVruk0R0wBOCjUTdCa3AJbkMnqky48LwZatnJ3NIxZ06e2k3s1F+tyQO81NaPyYZby747VmPmdQHPtSmOJ02zEzZpwE5yMfptrCwbdUs+j4ZDHp+swuTGSPGeFp68Nkato= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=CmRGBcQj; arc=fail smtp.client-ip=52.101.201.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="CmRGBcQj" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=myTDZfnppVSr4KG+Wi/rAj1ciKwaqAxHdfWxJLTcmPdp+Qd/JfhLi0AdV2qy6OO2qHYSAopOlIhY3jCuATMTrGJy5ynuEpOxcJF9AUgOLt6towLk6+h9l1VSyEJKvPoxqc0ro+468Hi+68pIvU3fGABAxIgbpOGuupPxEY0Jv+yz9F4/1l9l5vfca1jWO9wTpaxCTyY3fMSM3OEjPHmInqI4FGWVaorKN2cpS6i237q9m44K2yxdMgXJRtvCQ2/3JvCWMZ97pww41J+mhtZb9KUlBXNwXo+PTHSd3Qa+VoqYzhImeNAZQl5tq6rJHG+ZUiwENCx2Eb2UCRX4hzIaow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Ex6Rg1IQ5rGQOORM8KUxa6zu/9YU1wgr2KOIyqArPTc=; b=vIoAk1Ri6HYWsQWoi8YIFazhhVCHEXw/rRVTgyJwNPO+Ai41s8MUhhaRiBRPP+so1bjDPktXisa73wZ8iQEx1tYDNDUk3yeW0XFlkacEQTV9lEIeR/G1NVNKJv3axCN8ZOQL9cqes2D096A4Q7st+UJbZnes/1e1TEXyUDmzMhGkSOd/B8c6Hmc80EF5ZN1u5davENyC3rpL6LUdjl8VZhdXcUABI3JVE60bNV6zQXprCejH5NIQ96QI9zyJ+BfSd6MUhrINn1Yh0YZ29r7c5AOMR5LOnDw1s42haaOKBMh+GWpvLTiGANyXdujYCymHGO+c+8jgGE8Qvo2LIhoFTA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ex6Rg1IQ5rGQOORM8KUxa6zu/9YU1wgr2KOIyqArPTc=; b=CmRGBcQj458sAwodnCWmk0ds+9Oi2y0qHr3ZOnMBIxfP9oDdLIbY/CQkyAC4fY24dnYekYR42629e+J5EyS6zkbvmSSeRwWaEEb2Wj39ii7jOAsbYht1pKsVeSDU19lsUA+8zNonVSHRwAkBBblWo0gmNzzdfAfrMhIwrJ7KQZWnX3YZQ6hVa3UNlOMKFNdlpqG5UMMJiw4f36PrWsF1EYkH7KSskVfK5u3G9f5AMH7HI34Z7iVAMa5OXK+IKJaNc2lAlekdjBd24ZqH4X647I6lvgfHk5d0mXJ7chCGbbcSbr9eqNWec/nQUXF1mE+nbrEG/uKC0d0diOZCAksNHg== Received: from BN9PR03CA0796.namprd03.prod.outlook.com (2603:10b6:408:13f::21) by BN5PR12MB9485.namprd12.prod.outlook.com (2603:10b6:408:2a8::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.7; Wed, 3 Jun 2026 21:27:42 +0000 Received: from BL6PEPF0001AB55.namprd02.prod.outlook.com (2603:10b6:408:13f:cafe::7e) by BN9PR03CA0796.outlook.office365.com (2603:10b6:408:13f::21) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.7 via Frontend Transport; Wed, 3 Jun 2026 21:27:42 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by BL6PEPF0001AB55.mail.protection.outlook.com (10.167.241.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.5 via Frontend Transport; Wed, 3 Jun 2026 21:27:42 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:19 -0700 Received: from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:19 -0700 Received: from Asurada-Nvidia.nvidia.com (10.127.8.9) by mail.nvidia.com (10.129.68.9) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Wed, 3 Jun 2026 14:27:18 -0700 From: Nicolin Chen To: Will Deacon , Jason Gunthorpe , "Kevin Tian" CC: Robin Murphy , Joerg Roedel , "Shuah Khan" , Pranjal Shrivastava , Kees Cook , Yi Liu , Eric Auger , , , , Subject: [PATCH v1 1/4] iommufd: Set upper bounds on cache invalidation entry_num and entry_len Date: Wed, 3 Jun 2026 14:26:53 -0700 Message-ID: <447fa93663f7526eb361719e83fa8b649464483d.1780521606.git.nicolinc@nvidia.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BL6PEPF0001AB55:EE_|BN5PR12MB9485:EE_ X-MS-Office365-Filtering-Correlation-Id: 2b4da638-c59a-4fb0-caf0-08dec1b6f21e X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|376014|7416014|82310400026|36860700016|56012099006|11063799006|18002099003|22082099003; X-Microsoft-Antispam-Message-Info: ZFKwLA50GXzzppehhzpk1H5UlzZ01DiMHBZ3hgPTF/QutVA2rbpDKD8Q25Iyz/bBQix5sP9bP5npqJbCxWIZNn/dSKvJulVW0K9waQKW/oPrTQ+y47rf/eK3lQlyZjO6Bkf1bohMHw64svV7/lz8h6OvZ6M8Q9VKF6SfHW8FEPvkk21UdIqEEVB7WevGo1AJtIDWnX0sqOIHkyaDcPjpS2oH4H2L8YFnkOYJmtDAYR7KsAXxd1+GmWEgT8xMkJFlZXR9Jc2kl6B8YOAlbZ2mQ6LDZe6PQ+27eTHhNmHUweKSAxmZClrAC9scJDwfARrUl331Sm/ywL1VlHyBPivbCoXOltZLHLjbbKjOqz78dSeyURD7iR3k/QnZ9RauMkMJxrvCwIwtY5+JX8xYnmPfaJH1FJ7a+V1JP/CaC5Lfsrlskvd0UI4B83ROyB1XjfTsknzr2PF8T98El95rW6kqzmn7LW2DEMvD7o74ATg1/aakGFNgKAQHHvOhRyTOYWL+VKEXmRS7sf5c5EtzQgoJux2xB6ahhakOA1yBblmC3irDlbsOiu9sBICGNXo1PSf4guOJI+HBTSzZ/Q+1TN4EpzhWqQPQnsYnIdQRoA8oMGa6BNY29i1nJR9SRgquS85v9/k2r9ysmrsO6M54dGdEZmVzMx1Wj9U5IRbz/wdEdq8sUdUZisKJwHwAM7E1eHruoEeN2TVIVfaP/eGefYHBZJrsJUAJYWrAyhOOgpL4CNQ= X-Forefront-Antispam-Report: CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230040)(1800799024)(376014)(7416014)(82310400026)(36860700016)(56012099006)(11063799006)(18002099003)(22082099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: LccMkQ626uEalGgjixkKMmpPqhl9FVvODL7+o/VEU6//cfC9/kkVNEUBqGZH8ay/SRThTWbYtGuhhMMJeRqoGNFDsPIWmQq01s+aaQz4w7pyJ8ri02mdnNOGQn975JbK8d4riovcQvMqOs4k/rAKGnnsWTSdhqTyz1E9ZTa07hlVInqPOIOM+y6qcYa6mL6wQdU6O8hHf+nsQRyK587QYpfp5PU1B2izVrI+oxreIvyRWSdxQ5Os33yGOEGEHoUru1PUhb+63eLOmOk+04Bq/aJ1pjB83u6qS96Gf06nW8F80qh/L233xo/4lrUaT9CZ8LlXyA7tlQ7h9PsCA0lHMun8Gsng4DUPyuSqoidzfsptLkVwEDkyr1w2y8KtjfM0BXlrDv/nSHiVH2L0CrsELd5YUaJcipYWA2ZlQ996FCVS0mshVSO9VOFFh9YuHxkP X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Jun 2026 21:27:42.0935 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 2b4da638-c59a-4fb0-caf0-08dec1b6f21e X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: BL6PEPF0001AB55.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN5PR12MB9485 Content-Type: text/plain; charset="utf-8" iommufd_hwpt_invalidate() takes a user-controlled entry_num and entry_len, each bounded only by U32_MAX. An entry_len beyond the kernel's struct size makes the copy helper verify the extra bytes are zero, scanning that excess in one uninterruptible pass; a multi-gigabyte value over zeroed user memory trips the soft-lockup watchdog. A large entry_num is the other half, driving the backend invalidation loop with no reschedule. The VT-d nested handler, for one, copies each entry and flushes caches per iteration, pinning the CPU on a non-preemptible kernel. Cap both in the ioctl. entry_len is held under PAGE_SIZE, above any request struct, and entry_num under 1 << 19, the order of a hardware invalidation queue and well beyond any real batch, bounding the per-call loop length. Fixes: 8c6eabae3807 ("iommufd: Add IOMMU_HWPT_INVALIDATE") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Nicolin Chen --- drivers/iommu/iommufd/hw_pagetable.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/iommufd/hw_pagetable.c b/drivers/iommu/iommufd/h= w_pagetable.c index fe789c2dc0c97..623cc608ca0cd 100644 --- a/drivers/iommu/iommufd/hw_pagetable.c +++ b/drivers/iommu/iommufd/hw_pagetable.c @@ -489,6 +489,9 @@ int iommufd_hwpt_get_dirty_bitmap(struct iommufd_ucmd *= ucmd) return rc; } =20 +/* An arbitrary entry_num cap, far above any realistic invalidation batch = */ +#define IOMMU_HWPT_INVALIDATE_ENTRY_NUM_MAX (1U << 19) + int iommufd_hwpt_invalidate(struct iommufd_ucmd *ucmd) { struct iommu_hwpt_invalidate *cmd =3D ucmd->cmd; @@ -507,7 +510,13 @@ int iommufd_hwpt_invalidate(struct iommufd_ucmd *ucmd) goto out; } =20 - if (cmd->entry_num && (!cmd->data_uptr || !cmd->entry_len)) { + /* + * Bound entry_num and entry_len so a single call cannot pin the CPU; + * entry_len also caps the copy_struct_from_user() trailing-zero scan. + */ + if (cmd->entry_num && + (!cmd->data_uptr || !cmd->entry_len || cmd->entry_len > PAGE_SIZE || + cmd->entry_num > IOMMU_HWPT_INVALIDATE_ENTRY_NUM_MAX)) { rc =3D -EINVAL; goto out; } --=20 2.43.0 From nobody Mon Jun 8 09:48:04 2026 Received: from BYAPR05CU005.outbound.protection.outlook.com (mail-westusazon11010023.outbound.protection.outlook.com [52.101.85.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90FCB40758E; Wed, 3 Jun 2026 21:27:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.85.23 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522062; cv=fail; b=ufXN35gIuj6HsoW+j8ueVBbht1aGQFwijuJmtmoG7BKCdy36O7A3fWTgXTtoL9MEqFIYtpYA6HKTXRa3O5KJ8ee7Sgn3OsMGPCIw9wNv9jQ/80vE5VrgNd+NI7fnHFNRiBnSLAbxWNGLBw7g/QMfP7XBygUEAb4y5kxqr13xgX0= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522062; c=relaxed/simple; bh=9B/KwBb99o9r/olvx4gcCE5fvq6vYXysUR7ce9qF8LU=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=bZkBUwZqJsfVOzF5SvN3L8X0tOLGSbDPvCJ2cjSXNzUWwL2jo7KL8Zgmbl/1TOSleq5ifueJXW1ZGCnNJEhWWsNrXt+irgeK1PvOLOSElkNIMmdEoPCOvYHUiHD+bkcIO64FBpk2/ct6H64bRo2yW63XMC8U72acb6P39tkCAXI= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=bd5X3NJr; arc=fail smtp.client-ip=52.101.85.23 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="bd5X3NJr" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=JaU2HAdFYOwHs1FpolnIH2JaiQKMhodfxXkMUqBoW96v58iTMaCv/Tue4BDUMQ6mzhZKAfh4KiibIA2Sz3kOXMojOSSl1Lx8s1G7M6QT6AhUjrewdRCViHbN4sMvQ3iFbfopKYRr0BrBBO10FJOapq1VTRssc1Ll1/Q+DbDt2MJGEcTMyWyMluNZbqgRZcgGoCFhJ000MseiZWCGh6PjK33kzymxtJYOejelq1QOmBV2TBcufDhpm/R/fc6omJFQc/VPnldNpEdu91FPzTrWr4FhEEsy6doucX+R/r7vmvJGQ+SZ/bPIG8p7Kf+EULNCCt1llu/lRBE2Tc2AHkmg4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cRrqe9cEovCzcz2iSeX7VotKclDVRcvvA5IM39CYRzo=; b=Yo/4CJSiPaqjyneKW0sVzBbXxcNibrygTBr7ZWcm2P+jT/sq4GL6bzD6aUXVIrKTxhpF1tl9vu3BgHHd7NR0ZJsrPHTODC6TIj8ot9wbjsd9gQbu2W0HRGNE8quaJf7UwELF8V8iO2yNiFMuMblGw5+UPBuO+9Y8pz7UuJdg6iGPrCw6AZQSB6Qxz7R2FHNvaFzCeF8QQcRfMENxGM75fhfJiCgYmd6bXKIuQZT8Lrrmkr4A9jKZW8KcG62/wbVBTcm987dKozvl4XNW6oKXcHExGX4xJJ9qkvxmAoZLPvIHHkjfAvHRCPHNHy68GpUlWaYWbcyzpcfVK4wkatWVSQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cRrqe9cEovCzcz2iSeX7VotKclDVRcvvA5IM39CYRzo=; b=bd5X3NJrZn3z4RJQlYGf+Vx1Fyj57na7sE7EegH8hIZK5GH6pmnRTDN+xnvAnWt8dhtmYere6lr7G3SizsEhSJ/kWRWNJHhPA6WcGAYGr3OBdqkPPffOGBMnrEzaZugJhG8zedEU82N8kn67Fbk8RgmGoCq4VrS9XeY5DWmLREuqmwtPU80Y9RJa9sOhDHcXh55D+8frNUcdFz2CH5pd5USrLwCv4JoacRIm353wuESJ/tTsVJbprOl+bUUQBsEStL4FeUYK6uhc25TAJKMiP9afX8rUGl25cCIGgNes0S2B5nhXUM1iaBX9F5mGFG3J3allqpcKmES3x6uJZxbM7Q== Received: from CY3P220CA0007.NAMP220.PROD.OUTLOOK.COM (2603:10b6:930:fb::9) by SJ0PR12MB8615.namprd12.prod.outlook.com (2603:10b6:a03:484::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.7; Wed, 3 Jun 2026 21:27:37 +0000 Received: from CY4PEPF0000EDD0.namprd03.prod.outlook.com (2603:10b6:930:fb:cafe::98) by CY3P220CA0007.outlook.office365.com (2603:10b6:930:fb::9) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.7 via Frontend Transport; Wed, 3 Jun 2026 21:27:35 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by CY4PEPF0000EDD0.mail.protection.outlook.com (10.167.241.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.5 via Frontend Transport; Wed, 3 Jun 2026 21:27:35 +0000 Received: from rnnvmail204.nvidia.com (10.129.68.6) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:20 -0700 Received: from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail204.nvidia.com (10.129.68.6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:20 -0700 Received: from Asurada-Nvidia.nvidia.com (10.127.8.9) by mail.nvidia.com (10.129.68.9) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Wed, 3 Jun 2026 14:27:19 -0700 From: Nicolin Chen To: Will Deacon , Jason Gunthorpe , "Kevin Tian" CC: Robin Murphy , Joerg Roedel , "Shuah Khan" , Pranjal Shrivastava , Kees Cook , Yi Liu , Eric Auger , , , , Subject: [PATCH v1 2/4] iommufd/selftest: Add invalidation entry_num and entry_len boundary tests Date: Wed, 3 Jun 2026 14:26:54 -0700 Message-ID: <9ae78ed8e64afbb2f2df27d03466380061adf7d9.1780521606.git.nicolinc@nvidia.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CY4PEPF0000EDD0:EE_|SJ0PR12MB8615:EE_ X-MS-Office365-Filtering-Correlation-Id: 76f94387-7810-40eb-bad2-08dec1b6ee21 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|82310400026|7416014|36860700016|56012099006|18002099003|22082099003|11063799006|6133799003; X-Microsoft-Antispam-Message-Info: 9lmOY4QGg1h3maNurBeMrZKyasWNEhBDLKse/gozkMmS+en1fd68PeJkqXjxsFWfNRoryZo1kENg9y3HMc9Pn7RVmRuyxz/Ho0dH9bJAKLgu+Pn/ciHjns4XknnqfeTgZCBpsYOGqJlAleqsfuBL5HyjhtKcIu71ODymWcgs8P2IuycIr9keovLHge6oRihpGjlma8TdeUxucMtH9427qb5JAyO6/byjmZE9KGv+aHgWelwcyYEuXscrNm8VXY9/8sMCLWTqHPpYZiouCatZonXTjQJltUnwPn/jSTckxpEZS+kZvsO+yvxYDCLS1SRPv+8KYVb5oa0UbtbPKlY8qVbd1vcKwscqzUBAmGixQF/e1YVUcNqshe9FF3WYgyD7idGI7DYBQh+5+1a5K9PDiDA5Bqh7bEPrRTlXSuzuyfDyV6angKW0Q3k9AJ7AsyIBdVAQl/2uEfaBXo8lRFwEXukdRlOA8zhJdCPvCfDs8GzNpWB/7YV3rRp1Obar4Wjf74USI2g1A9tmWLCeLBUO5G5hqDBJslCip731aK/6KiTud3xEoZSoufGytVxEtbxAX0jk0JiXq4W1IHI0U3vvaR9E5lL+M1cHOurxzbnpZjYhfOXQguDFkKlOKW6FPob7Ct277tZebz7gdz+rK3aTccoK2iipowGfybGtvxxE7/JQR/ggDPA8leD11LLF5QY/Kdka/tnIa02zhNE0Jy+h3JCGI9YNzZo62heFw0GzQw0= X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230040)(376014)(1800799024)(82310400026)(7416014)(36860700016)(56012099006)(18002099003)(22082099003)(11063799006)(6133799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 2W8ORsJr7ia+Q57QxIuIESU08E3Tst3P4Kvja3AnzGNw/a1p7l7smXulM5hg/iI1DC/jHTKYRH78NNPEx61ydVk5HtRuBRFvCXjh0TgdXHpUZDN+7+FDMeRunuAPsypuaULy89jOzHWxClsi5rEC8ED7RABTwteT5pnuqw8BVWv8vyZNGmwNF+z6C0bJXXByAk1KjOITEoBdsoY2dl/klL0qhO1pftg1rmpQug7YALlqoxgG9hI79cRFhYJn3rOIrKeMsdjj29TN5AAI1CnuU2y8q+mPeg1Lc3IhDZ+lwewcte0zcGr7AzIrMUPwBCzx6eMamgT5g90o/TlKQyTLZUcZVe7iQunUK14xcnHU/YeE7hxcf+pqhLUEmLGDyNxSA9cJLwP2HlYINf4kNTfmVnICBBcydGgTRbCYHho2r0xxjHoPoN4j4RxlETqVoJhv X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Jun 2026 21:27:35.5211 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 76f94387-7810-40eb-bad2-08dec1b6ee21 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000EDD0.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR12MB8615 Content-Type: text/plain; charset="utf-8" Test that the cache invalidation ioctl rejects an oversized entry_len and an oversized entry_num, covering the CPU soft-lockup paths the caps close. Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Nicolin Chen --- tools/testing/selftests/iommu/iommufd.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tools/testing/selftests/iommu/iommufd.c b/tools/testing/selfte= sts/iommu/iommufd.c index d1fe5dbc2813e..653aa251f8122 100644 --- a/tools/testing/selftests/iommu/iommufd.c +++ b/tools/testing/selftests/iommu/iommufd.c @@ -556,6 +556,21 @@ TEST_F(iommufd_ioas, alloc_hwpt_nested) 1, &num_inv); assert(!num_inv); =20 + /* Negative test: entry_len is bounded by PAGE_SIZE */ + num_inv =3D 1; + test_err_hwpt_invalidate(EINVAL, nested_hwpt_id[0], inv_reqs, + IOMMU_HWPT_INVALIDATE_DATA_SELFTEST, + PAGE_SIZE + 1, &num_inv); + assert(!num_inv); + + /* Negative test: entry_num is bounded */ +#define IOMMU_HWPT_INVALIDATE_ENTRY_NUM_MAX (1U << 19) + num_inv =3D IOMMU_HWPT_INVALIDATE_ENTRY_NUM_MAX + 1; + test_err_hwpt_invalidate(EINVAL, nested_hwpt_id[0], inv_reqs, + IOMMU_HWPT_INVALIDATE_DATA_SELFTEST, + sizeof(*inv_reqs), &num_inv); + assert(!num_inv); + /* Negative test: invalid flag is passed */ num_inv =3D 1; inv_reqs[0].flags =3D 0xffffffff; --=20 2.43.0 From nobody Mon Jun 8 09:48:04 2026 Received: from BYAPR05CU005.outbound.protection.outlook.com (mail-westusazon11010041.outbound.protection.outlook.com [52.101.85.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4F58D402BB8; Wed, 3 Jun 2026 21:27:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.85.41 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522069; cv=fail; b=bST67eRn45V0sXbwcc/JF7jeIQo9JeJ123wRhFBcXaGP0zGCGa5u0rDO+rLbhZkg6RG3vnbmvsNYksFxyyUckn45NV2WHcpgSLNiOjnqYDQpjxMNk37ItAODMwNVWCkhIYtvbG+w2oGIuXwT3QyDKriTJwBmk7bAWR6kTWLnU+M= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522069; c=relaxed/simple; bh=4aJTRb/bXe+Klnpkv4QzXxEN4MrsqzL27y2TPU1PJoI=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=OJWI0bqy0m53laQpBC1nXIFoDNzbSQ9KKd6t2CjYkhxcuXsSG8rdVTfREmx52D3eawDBUW7CgPjhz9bUbVWT91jxIbRK8yssP8N2ElfJ2tjxwvzi+oDr1Fz4RcGq1Cb06rQpDalGStBJ6iu8j4hp9nVWAKfHoHYXhc21GQ/GdO8= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=LmvO8Qng; arc=fail smtp.client-ip=52.101.85.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="LmvO8Qng" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=a4SQ6mE5IH7eKgodR3pW0UJU2+bwUhzDDCEoVnyn4GZsFJPbfeCRMyabn8jLJ0Yry3bOcmunhnKi4iPp6HgSpqtVSdJGAG2i6E/LhPpTiQvcQXTUlB3yK3//sc7fhlkUOj2472wz9tpPZr8so78fR0uWu7ThOTzwGtRz4bctlm3K0vG41Ir2a+9iFfh9BjMA+Bo49b4nXnP3EKZqgkm3xIoUG4r+56/Sbw6DEKDG5StyD8GL72GV210bSAN+ysq4NbpObr6+OHfx5HbJYJTLOSTszWXVbTDV1YQpkbeK99aBHXwZMUIZKFGYsjIHUWtDlL/cCNVfWAemsHQZMjmAHg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Jro+oWb50BLSYPPGkHvb0B1CsoYVX5cPW7wYzIpozBM=; b=X16qz+iojTLbhI10TKJlaaIEt7EYXQ6e+iVjMJRrJimeOWZItiBIyWxwwcIpqijd4PJR8n1SEdIejGjBdowTeta5OMRY2IPURz/zroSE/k4dPrDZzHsrR93StZGpgs3rQanGUeFWXADwDLouxisQzqTyget++3idCCHrRLWMyfEqbteCQBJjNyNow326U36lL4hy7K5J62y6Q4od5Tf6m1Xlf9KNRWKr+2LjAdoX8LCQNzqTFwU2IBuFCj6OGU984pQX7+v8SGKXzw13460iHgPgxQHIKQdrWtb74HC7ky2DLrrdoR+BoX/HcfAlhETEWqqFk2KOGSvzOg4Pghk8rw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Jro+oWb50BLSYPPGkHvb0B1CsoYVX5cPW7wYzIpozBM=; b=LmvO8QngPzRsn8NVxoT7hKfXTHmCI3FfSWx2rGcEe4eJFMZ9SYbJSIhuw40dPze2Yj7kfFvRy7osK19OTpPoG1LDQWCLRIuNpoCNTnW5lU9MHtgvuYzKBitGj5omrAbfSfiGipKl7C9dFCPTcsLdzQY3fAK3cUVlBw6xPhu3Q/DNY8WXPTLmObaSAE5edHDEBU2XCS8ezHdK1i+rWMtQveO1aaUMUv1cQVVlcEM7BDqfpd3TZgXIiR+L4cgViyGIWZaC8ZslFOihNThvR+QZ7tzocjB5SQEOs1E+hQgsgdaGOS0IY+Xx3ChIUXr7d2yG6XAF/NWEsyP0j5ZtaPLOSw== Received: from DM6PR07CA0076.namprd07.prod.outlook.com (2603:10b6:5:337::9) by SJ0PR12MB8092.namprd12.prod.outlook.com (2603:10b6:a03:4ee::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.7; Wed, 3 Jun 2026 21:27:38 +0000 Received: from CY4PEPF0000EDD5.namprd03.prod.outlook.com (2603:10b6:5:337:cafe::4d) by DM6PR07CA0076.outlook.office365.com (2603:10b6:5:337::9) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.7 via Frontend Transport; Wed, 3 Jun 2026 21:27:38 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by CY4PEPF0000EDD5.mail.protection.outlook.com (10.167.241.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.5 via Frontend Transport; Wed, 3 Jun 2026 21:27:38 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:22 -0700 Received: from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:21 -0700 Received: from Asurada-Nvidia.nvidia.com (10.127.8.9) by mail.nvidia.com (10.129.68.9) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Wed, 3 Jun 2026 14:27:20 -0700 From: Nicolin Chen To: Will Deacon , Jason Gunthorpe , "Kevin Tian" CC: Robin Murphy , Joerg Roedel , "Shuah Khan" , Pranjal Shrivastava , Kees Cook , Yi Liu , Eric Auger , , , , Subject: [PATCH v1 3/4] iommu: Avoid copying the user array twice in the full-array copy helper Date: Wed, 3 Jun 2026 14:26:55 -0700 Message-ID: <6c9eca4ff584cb977661e97799ac6fe934e7f51c.1780521606.git.nicolinc@nvidia.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CY4PEPF0000EDD5:EE_|SJ0PR12MB8092:EE_ X-MS-Office365-Filtering-Correlation-Id: 5a659e8b-d6e6-4928-1213-08dec1b6efae X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|82310400026|36860700016|7416014|8126099003|18002099003|22082099003|56012099006|11063799006; X-Microsoft-Antispam-Message-Info: ZTo1Kx48EQCcCAqt6v4sB4+uHyC9C2sbwNDkORsImfnW+ZqNORrKmlsclQUEEjngoU1SXejvab8Maj/RkpcVHgE7MSBikFme7pP5+Sq2kan4mdtFM1t5FaPQRMbECkI1QHU02v9I0xmfZ8pceF8n527C4zHTUE7p5m2ul6c/963Raqp0iUrVN9b7Hxl31k9I1gfcxy22uoijoofF7uj2iygQOuRuejRL5piGuw0PvT5dtubT47+9Buhk2rdfcBUKg7jbEmk8NfpmnRFdFCwKuiX62tbkNLDaR+U/JFXMquZdNAkfYrRLIHeeKm/3AbKe4ImTrhoKq5my7WWAb7/wejBQKjTgxgTOmTtzyu99qP2haZXQl+R//iG8jLZ2kW/dJMGFJd44I61iIc6CMWUHuVYgNnOJ3mnmLJ9HAGp00PEmNXibwaYpCrT9QkoeQ4p8un2Gu/Hbfs42TAph7EP7r28KwoPIfWqbKiGANv61oJaM/aZMd0BhAvDMDx9MC0+Xl9HpYk97He4GlIeM8a6cDFGkZouZb34uL0PkUXaoDV5GbrMNgDc5XtWVzY6TjzvA/TyEQGhQUoTTPqxwYmOFM18SgWGZyqMNgQ1vVJ+H2X1eeuDXPHS3U14ESFXsOOPuR1JpoYj4GMlmFP4XkSk5BmybdV5km8tste205BR3VfpQ8tovjpWwJftaqp4m6NTJiHKZSPiIyhqTE0zrDyHVFUl0rZyUwZLbNDLez7ToXGc= X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230040)(376014)(1800799024)(82310400026)(36860700016)(7416014)(8126099003)(18002099003)(22082099003)(56012099006)(11063799006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: xXkQzksmkY2DTbuBnpfxm56+b2anyyAvhV7f0BdN6ubz98xqR2t7ZFuiTi+WIkT6DnQHyBcVltiq0QAkkzCPrLHHvuEY/yZs1zoHChwFML6WYjFgM671q9eqUiWRaEjb8RfWKXkfJ61CDvZwuX4QgLJzNyQXyNWJxcXGKWy4B+U9uHlE6CZLWVTLbYJYuJcXPkYhwDXMDNzyKyoH9bT4eI1dOVn5dmBP20/DRiZuXy6hkTd3UM5IcV2AxgwR0sS+7yYOmfPQc8Rd8wENnGfPUOmHS95TTtGNWiXmMCZyCNU7xxtqydm9QoErGXnkN3GbggwVnE1OAFe2kNepPvpQpOvhw+uJgRw+IM4gZjqz8w5v4zuxq38jgeOQqy8wIBiMBcgmj1yb1tqO2MoD7aJglAI0RXiSm02Gcj7Cp7vMT7yewcS62+Tlosy+PhS85rxs X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Jun 2026 21:27:38.1159 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 5a659e8b-d6e6-4928-1213-08dec1b6efae X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000EDD5.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR12MB8092 Content-Type: text/plain; charset="utf-8" iommu_copy_struct_from_full_user_array() copies a whole user array into a kernel buffer. In the common case, where user entry_len equals destination entry size, it takes a fast path and copies the whole array with a single copy_from_user(). That fast path does not return, so it falls through into the item-by-item copy_struct_from_user() loop and copies every entry a second time. For an equal entry_len that loop is just a copy_from_user() of the same bytes, so the whole array is copied twice for no benefit. Return right after the bulk copy. The per-item loop then runs only on the slow path, where entry_len differs and each entry needs size adaption. Fixes: 4f2e59ccb698 ("iommu: Add iommu_copy_struct_from_full_user_array hel= per") Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Nicolin Chen --- include/linux/iommu.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/iommu.h b/include/linux/iommu.h index e587d4ac4d331..6957144263793 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -547,6 +547,7 @@ iommu_copy_struct_from_full_user_array(void *kdst, size= _t kdst_entry_size, user_array->entry_num * user_array->entry_len)) return -EFAULT; + return 0; } =20 /* Copy item by item */ --=20 2.43.0 From nobody Mon Jun 8 09:48:04 2026 Received: from SJ2PR03CU001.outbound.protection.outlook.com (mail-westusazon11012042.outbound.protection.outlook.com [52.101.43.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90DB9401485; Wed, 3 Jun 2026 21:27:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.43.42 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522067; cv=fail; b=ryQWRoGRcROxin8453B20t8/nRnYQQs8FmjWJRn4xXzEO1Y3x5zXbccegP3Acuu+zLpe9tlxNC6/tw2m2TYBwSJmE6JQwbi21vKuzYM4SmL3Da3E/Q+b75vlkVm285SU2fCvAqLYtUC49fMPruhlK6aRwNggZM8UXk7+TuRRlIM= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780522067; c=relaxed/simple; bh=g3LVhud8I+30tCmMDykOYSVgLDmGzHnzm2+u9wG4P3c=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=OXq2OuDr5r9QCHnZDqQsZkdfptkyjxSKPen2flAS/qTO0K2Qv1S05lz9VPjdEM9DLbB3PjKmXameKYWgoI/2PzMH2ud29Bp111i62prIiYF9PWqTYfpA9wGMMkeq8jhp4jjFc6e2kcJk13yxoCl5NhbhAwPLrevhPfmSvG6Mpd0= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=AUjVyAea; arc=fail smtp.client-ip=52.101.43.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="AUjVyAea" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=fL+d53G3JMXU7q1M30nnE3qzXwgOUFGgijoE+erV7YsV6VASWnBN4DuQmYtnNdezYkF+Av8m5MMqLAPeSa6HRsmHO0JVmIoCo+mkXGkULaQ5vUjO+CZp+zwthvUA5HEBTBHh6DQftpoS3Rifilj474FCickSdLMe8SQN6ffymq+8C32Hh8IH+Xudh0M9rDVEa+5dV6WUnEZBH7I4OLMRg4p27pzJCxBDWHaoQ4f5kfk4AWqeAlzdAJ2x4DaFLSzVfgcqDR36u07BnVcKPG3BP1b7aeo+lUquUUZgT7je7x0RFAYh/zeL5XHG6UBulQRju3i3EjTzbdvkAjhBmhDejw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ScDLmsf2XZV9b7pSAVLE6qhmAIgX2e0BGQG+cYT6CrY=; b=xX5dBFV4z9iPPvIp5SZtpgLquJ2ARIgn1xia9YfBrHKzZq/0gmw0rEXJRYeuz83cZAcii/CvrlW8YsBZSfE9HV2wKZNuV+xF0EFhQ/QY+caKzZaSwUDUlEd3p7z+COd6cR/lFlPmQR+6ssb0U4YFvIAg1iIYk5ALiZJ4uz4gcfN0M8iDPH76mVMNjt4PzxZdS7jWu7+gnS1NHM+bkyc/vq2AGxk/bVWYbRQS50wWhKntMB5raUbc7hDvl8YCh9vREQFlN701HFT0lP7P6d8j4/cmnUNFKuaLBhLjZxXR1hmKnCMr8w0A/lfaMYapqzuY+H98u0mKpTfAz24FG/37Rg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ScDLmsf2XZV9b7pSAVLE6qhmAIgX2e0BGQG+cYT6CrY=; b=AUjVyAeav8GrL6TK/8U0rvvWTNo+b/WMSQqfMQT7pIxBtHpQIfeYfrK1a8hoSY3j9acPdlDUa6fbjWVtKRfSJaPj8k5aYWY3UCj1p2wsfnATK/zAsJ9tTPtqY9MtLrmKux/fyolPTLoIUcSriXnamAqJs9fMgw2bXNF+QafwMGu0UrQbqIoEWGM2+oQF0G5BlwTxlP23mt+sAZM98TAs+6i6RhaVTtJj5lDUVh2X9s5aO8vbmX5RzXrUOT11NeUUxDwKxJTZgQjYW7x++Kp6WfdxcbiPTDA1fM5qm8/2q8QTC5GojGPAMPthVEWCQdoTEe8NHtK3UHYeCJaQxFtUsw== Received: from CY3P220CA0012.NAMP220.PROD.OUTLOOK.COM (2603:10b6:930:fb::12) by CH3PR12MB8074.namprd12.prod.outlook.com (2603:10b6:610:12b::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.7; Wed, 3 Jun 2026 21:27:39 +0000 Received: from CY4PEPF0000EDD0.namprd03.prod.outlook.com (2603:10b6:930:fb:cafe::15) by CY3P220CA0012.outlook.office365.com (2603:10b6:930:fb::12) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.7 via Frontend Transport; Wed, 3 Jun 2026 21:27:39 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by CY4PEPF0000EDD0.mail.protection.outlook.com (10.167.241.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.5 via Frontend Transport; Wed, 3 Jun 2026 21:27:39 +0000 Received: from rnnvmail205.nvidia.com (10.129.68.10) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:23 -0700 Received: from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail205.nvidia.com (10.129.68.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Wed, 3 Jun 2026 14:27:22 -0700 Received: from Asurada-Nvidia.nvidia.com (10.127.8.9) by mail.nvidia.com (10.129.68.9) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Wed, 3 Jun 2026 14:27:22 -0700 From: Nicolin Chen To: Will Deacon , Jason Gunthorpe , "Kevin Tian" CC: Robin Murphy , Joerg Roedel , "Shuah Khan" , Pranjal Shrivastava , Kees Cook , Yi Liu , Eric Auger , , , , Subject: [PATCH v1 4/4] iommu/arm-smmu-v3: Process vIOMMU invalidations in batches Date: Wed, 3 Jun 2026 14:26:56 -0700 Message-ID: <00748c5cbea95a938d032269001a598203b06bbc.1780521606.git.nicolinc@nvidia.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-NV-OnPremToCloud: ExternallySecured X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CY4PEPF0000EDD0:EE_|CH3PR12MB8074:EE_ X-MS-Office365-Filtering-Correlation-Id: 15258bfa-5138-4836-d2dc-08dec1b6f06b X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700016|82310400026|7416014|376014|3023799007|22082099003|18002099003|56012099006|11063799006; X-Microsoft-Antispam-Message-Info: v6Aj6sz5iJUuhxIhYWRyLMude+nqnUP47ua5Xn6Jox9XeH2MUx33p76VsR3XGhPHn5eBqi5K4Ph3W70gxeP8skWneXXtYNq0/CqVrJEi4IYkpQxfkgVRxuwcJkZmPs0+sNwsRYEacPtmxffiKBj+tOSRf7yu2cNQYMHAdf9Jul/bZ2I2lnZnlpHJGpuY5BwhdfkggvgkCDwFsUTMQ6u42F+EbbLADyzGgl2OF55QzDLwzaFZEVn/kkbiLv+XyTz1db2s1AhHE5RmB0XrOVnTCcZ3wtDxdM3ypMKSXWUutUb766ve0r+dsl2NWM/939E2d5PlQnUA7mdbEhD1Tztwb3fr1PMu0QxDGRd8nyy2nqUiF4rORJWtYwV67tVtZn3VQsI3z9K0LfRnkzui7Lx2CdyUOrxOhSXBRiJ6CRjfaG52dNNs6U9bR6QfDGcP+7mayQ7kjPrOWOzoOGFF4FJrbiQ2swjgxbXaWwFPRgjvZsLRezaghn5h1nfAzxxTp4PQGKqYbI9F6rqDgi+HZVIyPsSvbNM1yj/fVFiH1HDTzGzLdQWCHCRpTrvtZXR+fguJ3uy1T6orWvrNLi1LlwxirR2vgrvGmx5xV68zXVTVsJZl8erESf+tfX6tUhtFYHcJghqXenkg5grfToVXNgeOVPGlcQ3oFVJtet3SHRkPSVLAJ2v1Sn1dp5r1Kxlhr5xNCkKtA2/CwEbcJcx7y2PKAH5oJ9pMI0DPRWWjKWk37zE= X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230040)(1800799024)(36860700016)(82310400026)(7416014)(376014)(3023799007)(22082099003)(18002099003)(56012099006)(11063799006);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: gmFMLfHYzEb0bvFU7U81nyCr2mKi6X5sKP2UhCSTigAS1bNEWzfvrNCLHVXf9n71FhWJfuX5OQ6YUdcOe2STZWx52yLZbec4m2Wo9ePQFmViIk04r8a9ENfYa7bIkrWAHtfR9owcq9VqiT7cSejmJSpWDLh4qb0Dj+okK5cUDyWLiZ1ABW5DDce6YxnyE0AUhqPnSfgsCIurK1v3RQuYtd9PCvnor0pNPIiZNOiXglZJLtkleW6iEZBrGJv3LBkgQ9tr0DOrfuhr2B6Md8YEQNlXuDCZq64FCj9GRScrZSDrIgTsVPeTZel4pKX7nXqvMnKKR0aa5jEZTPOfngsuouqCJUXyWMToibY2HhkxpgN4w7C6ddn9wp2IQJIxdJMWOjt17DVMvhwT5BUM0sNsu2VuCOXeLpgV9jgLCry1qLlUOGlgYTQ4ccqNmbfCWnRt X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Jun 2026 21:27:39.3702 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 15258bfa-5138-4836-d2dc-08dec1b6f06b X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000EDD0.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH3PR12MB8074 Content-Type: text/plain; charset="utf-8" arm_vsmmu_cache_invalidate() copies the entire user invalidation array into one kernel allocation, then converts and submits those commands in batches of CMDQ_BATCH_ENTRIES - 1. Sizing a single allocation from a user-supplied count while tracking progress with a separate cursor is the root of several independent problems: - entry_num, the in/out count of successfully handled requests, is set to "cur - cmds" on every error path. "cur" counts converted commands, not submitted ones, so a conversion or submission failure reports the unsent batch as handled, telling user space that invalidations which never made it to the hardware have completed. - The allocation is sized straight from the user's entry_num with no upper bound and no __GFP_ACCOUNT, letting a large request drive an oversized, unaccounted allocation and spam the page allocator. - The -ENOMEM path returns without touching entry_num, once more reporting the full input count as handled on a failure. - A zero-length array, which the uAPI defines as a probe for a data_type the kernel supports, reaches the full-array copy helper, which rejects zero entries, so a supported type fails exactly like an unsupported one. Rework the function to process the array one batch at a time, copying up to CMDQ_BATCH_ENTRIES - 1 entries into a fixed-size stack buffer, converting them in place, and issuing the batch, which removes the user-sized buffer. A refactor is preferred over a series of smaller fixes because the problems above are symptoms of one structure; changing the structure removes them as a class rather than patching each in place: - Dropping the allocation makes the size bound, the __GFP_ACCOUNT, and the -ENOMEM accounting question moot, not three separate fixes. - entry_num advances only as batches are issued, so the count it reports tracks submitted commands and needs no correction on the error paths. - The type is checked once up front, and an empty array then iterates zero times, so the probe case falls out for free. Each batch is still copied in one bulk transfer via the full-array helper, iommu_copy_struct_from_full_user_array(); the whole-array copy becomes one copy per batch that the preceding helper fix keeps to a single bulk copy. If converting an entry fails, the already-converted prefix of the batch is issued before the error is returned; if that issue fails, the batch is not counted. So entry_num stays tied only to commands that actually reached the hardware, without dropping the valid ones that preceded the failure. Fixes: d68beb276ba2 ("iommu/arm-smmu-v3: Support IOMMU_HWPT_INVALIDATE usin= g a VIOMMU object") Assisted-by: Codex:GPT-5 Signed-off-by: Nicolin Chen --- .../arm/arm-smmu-v3/arm-smmu-v3-iommufd.c | 91 +++++++++++-------- 1 file changed, 55 insertions(+), 36 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-iommufd.c b/drivers/= iommu/arm/arm-smmu-v3/arm-smmu-v3-iommufd.c index ddae0b07c76b5..5574ccaecf381 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-iommufd.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-iommufd.c @@ -350,53 +350,72 @@ static int arm_vsmmu_convert_user_cmd(struct arm_vsmm= u *vsmmu, return 0; } =20 -int arm_vsmmu_cache_invalidate(struct iommufd_viommu *viommu, - struct iommu_user_data_array *array) +static int arm_vsmmu_cache_invalidate_batch(struct arm_vsmmu *vsmmu, + struct iommu_user_data_array *array, + u32 *idx) { - struct arm_vsmmu *vsmmu =3D container_of(viommu, struct arm_vsmmu, core); + struct arm_vsmmu_invalidation_cmd cmds[CMDQ_BATCH_ENTRIES - 1]; struct arm_smmu_device *smmu =3D vsmmu->smmu; - struct arm_vsmmu_invalidation_cmd *last; - struct arm_vsmmu_invalidation_cmd *cmds; - struct arm_vsmmu_invalidation_cmd *cur; - struct arm_vsmmu_invalidation_cmd *end; - int ret; - - cmds =3D kzalloc_objs(*cmds, array->entry_num); - if (!cmds) - return -ENOMEM; - cur =3D cmds; - end =3D cmds + array->entry_num; + struct iommu_user_data_array batch =3D { + .type =3D array->type, + .entry_len =3D array->entry_len, + }; + unsigned int num, i; + int ret, issue_ret; =20 static_assert(sizeof(*cmds) =3D=3D 2 * sizeof(u64)); + + /* Copy one batch of the user array in a single bulk copy */ + num =3D min_t(u32, array->entry_num - *idx, ARRAY_SIZE(cmds)); + batch.uptr =3D array->uptr + array->entry_len * *idx; + batch.entry_num =3D num; ret =3D iommu_copy_struct_from_full_user_array( - cmds, sizeof(*cmds), array, + cmds, sizeof(*cmds), &batch, IOMMU_VIOMMU_INVALIDATE_DATA_ARM_SMMUV3); if (ret) - goto out; - - last =3D cmds; - while (cur !=3D end) { - ret =3D arm_vsmmu_convert_user_cmd(vsmmu, cur); - if (ret) - goto out; - - /* FIXME work in blocks of CMDQ_BATCH_ENTRIES and copy each block? */ - cur++; - if (cur !=3D end && (cur - last) !=3D CMDQ_BATCH_ENTRIES - 1) - continue; + return ret; =20 - /* FIXME always uses the main cmdq rather than trying to group by type */ - ret =3D arm_smmu_cmdq_issue_cmdlist(smmu, &smmu->cmdq, last->cmd, - cur - last, true); + /* Convert in place; only the converted prefix may be issued */ + for (i =3D 0; i < num; i++) { + ret =3D arm_vsmmu_convert_user_cmd(vsmmu, &cmds[i]); if (ret) { - cur--; - goto out; + num =3D i; + break; } - last =3D cur; } -out: - array->entry_num =3D cur - cmds; - kfree(cmds); + if (!num) + return ret; + + /* FIXME always uses the main cmdq rather than trying to group by type */ + issue_ret =3D arm_smmu_cmdq_issue_cmdlist(smmu, &smmu->cmdq, cmds->cmd, + num, true); + if (issue_ret) + return issue_ret; + + *idx +=3D num; + return ret; +} + +int arm_vsmmu_cache_invalidate(struct iommufd_viommu *viommu, + struct iommu_user_data_array *array) +{ + struct arm_vsmmu *vsmmu =3D container_of(viommu, struct arm_vsmmu, core); + u32 issued =3D 0; + int ret =3D 0; + + if (array->type !=3D IOMMU_VIOMMU_INVALIDATE_DATA_ARM_SMMUV3) { + array->entry_num =3D 0; + return -EINVAL; + } + + while (issued !=3D array->entry_num) { + /* Process and issue the command(s) in batch */ + ret =3D arm_vsmmu_cache_invalidate_batch(vsmmu, array, &issued); + if (ret) + break; + } + + array->entry_num =3D issued; return ret; } =20 --=20 2.43.0