iommufd: Fix return value of iommufd_fault_fops_write()

copy_from_user() may return number of bytes failed to copy, we should
not pass over this number to user space to cheat that write() succeed.
Instead, -EFAULT should be returned.

Link: https://patch.msgid.link/r/20260330030755.12856-1-zhenzhong.duan@intel.com
Cc: stable@vger.kernel.org
Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c
index f1e686b3a2657b8d0882c990944d30e49f04e6b9..710eef0b6004542eb0ca21a6bf9ec0e4f8adcfa7 100644 (file)
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -187,9 +187,10 @@ static ssize_t iommufd_fault_fops_write(struct file *filep, const char __user *b
 
        mutex_lock(&fault->mutex);
        while (count > done) {
-               rc = copy_from_user(&response, buf + done, response_size);
-               if (rc)
+               if (copy_from_user(&response, buf + done, response_size)) {
+                       rc = -EFAULT;
                        break;
+               }
 
                static_assert((int)IOMMUFD_PAGE_RESP_SUCCESS ==
                              (int)IOMMU_PAGE_RESP_SUCCESS);