diff options
| author | Nicolin Chen <nicolinc@nvidia.com> | 2026-05-21 17:36:32 -0700 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@nvidia.com> | 2026-06-01 14:54:18 -0300 |
| commit | 85345becfead3255a5f875d4b4d82ea01d926239 (patch) | |
| tree | 68db43233c953b8d3efa7a74bf5ce6a175874c8f | |
| parent | be93d186ae88a92e7aa77e122d4e661fa57b1e39 (diff) | |
iommufd: Fix data_len byte-count vs element-count mismatch
kzalloc_flex() computes the allocation size. With event_data typed as u64,
data_len is interpreted as a u64 element count. Yet, every caller and the
read path treat data_len as a byte count. The current code over-allocates
by sizeof(u64) and the __counted_by() annotation overstates the length by
the same factor.
Re-type event_data as u8. No functional change in user-visible behavior.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Link: https://patch.msgid.link/r/f7665f839b9dce917d6bd394375a1cf56568d86b.1779408671.git.nicolinc@nvidia.com
Cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
| -rw-r--r-- | drivers/iommu/iommufd/iommufd_private.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h index 6ac1965199e9..43fbc5bed8de 100644 --- a/drivers/iommu/iommufd/iommufd_private.h +++ b/drivers/iommu/iommufd/iommufd_private.h @@ -602,7 +602,7 @@ struct iommufd_vevent { struct iommufd_vevent_header header; struct list_head node; /* for iommufd_eventq::deliver */ ssize_t data_len; - u64 event_data[] __counted_by(data_len); + u8 event_data[] __counted_by(data_len); }; #define vevent_for_lost_events_header(vevent) \ |
