Author: Raghavendra Rao Ananta <rananta@google.com>, 2025-10-31 17:06:02 +0000
Committer: Alex Williamson <alex@shazbot.org>, 2025-11-06 14:42:04 -0700
Commit: 2f03f21fe7516902283b135de272d3c7b10672de
Tree: b2c26b97e9335427ee1a25c61a15e121b342b8e2 /drivers/vfio
Parent: 2131c1517f3004da208b7f1a3b06b8119172e194
vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd()
For the cases where the user includes a non-zero value in the 'token_uuid_ptr' field of 'struct vfio_device_bind_iommufd', the copy_struct_from_user() in vfio_df_ioctl_bind_iommufd() fails with -E2BIG. For the 'minsz' passed, copy_struct_from_user() expects the newly introduced field to be zeroed, which would be incorrect in this case.

Fix this by passing the actual size of the kernel struct. If working with a newer userspace, copy_struct_from_user() would copy the 'token_uuid_ptr' field, and if working with an old userspace, it would zero out this field, thus still retaining backward compatibility.

Fixes: 86624ba3b522 ("vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD")
Cc: stable@vger.kernel.org
Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/20251031170603.2260022-2-rananta@google.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Diffstat (limited to 'drivers/vfio')
 drivers/vfio/device_cdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vfio/device_cdev.c b/drivers/vfio/device_cdev.c
index 480cac3a0c27..8ceca24ac136 100644
--- a/drivers/vfio/device_cdev.c
+++ b/drivers/vfio/device_cdev.c
@@ -99,7 +99,7 @@ long vfio_df_ioctl_bind_iommufd(struct vfio_device_file *df,
return ret;
if (user_size < minsz)
return -EINVAL;
- ret = copy_struct_from_user(&bind, minsz, arg, user_size);
+ ret = copy_struct_from_user(&bind, sizeof(bind), arg, user_size);
if (ret)
return ret;
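Review bot: the fix is right but carries no in-place explanation, and the `user_size < minsz` check two lines above still uses `minsz` while the copy now uses `sizeof(bind)`; a later reader may "harmonize" the two and reintroduce the bug. Suggest a one-line comment above the call, e.g. `/* ksize must cover token_uuid_ptr: copy_struct_from_user() zero-fills it for older userspace and rejects non-zero bytes past sizeof(bind) */`. Also worth confirming in review that every field of `bind` read after this point, `token_uuid_ptr` included, relies only on that zero-fill for the user_size < sizeof(bind) case, since `bind` is otherwise uninitialized stack.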