git.ipfire.org Git - thirdparty/linux.git/commit

author	Nicolin Chen <nicolinc@nvidia.com>
	Fri, 22 May 2026 00:36:34 +0000 (17:36 -0700)
committer	Jason Gunthorpe <jgg@nvidia.com>
	Mon, 1 Jun 2026 17:54:19 +0000 (14:54 -0300)
commit	6ebf2eb46fbd5b40393ff8fbb847ba96925beaff
tree	cbe632fd06694a78ea20797ed502f72469dad31f	tree \| snapshot
parent	47443565d10c51366c9382dbc8597cd6c460b8a2	commit \| diff

iommufd: Set veventq_depth upper bound

iommufd_veventq_alloc() accepts any !0 veventq_depth from userspace, with
an upper bound at U32_MAX.

This leaves a vulnerability where userspace can allocate excessively large
queues to exhaust kernel memory reserves.

Cap the veventq_depth (maximum number of entries) to 1 << 19, matching the
maximum number of entries in the SMMUv3 EVTQ (the largest use case today).

Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/8426cbaa5e8294472ec7f076ef427cc473be5985.1779408671.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>