> From: Nicolin Chen <[email protected]>
> Sent: Friday, May 22, 2026 8:37 AM
> 
> iommufd_veventq_alloc() accepts any !0 veventq_depth from userspace, with
> an upper bound at U32_MAX.
> 
> This leaves a vulnerability where userspace can allocate excessively large
> queues to exhaust kernel memory reserves.
> 
> Cap the veventq_depth (maximum number of entries) to 1 << 19, matching the
> maximum number of entries in the SMMUv3 EVTQ (the largest use case today).

Probably add a comment to the uapi header that the maximum supported
veventq depth is implementation specific, hence the user may expect
-EINVAL to be returned if the specified value is too large?

> 
> Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
> Cc: [email protected]
> Reviewed-by: Jason Gunthorpe <[email protected]>
> Signed-off-by: Nicolin Chen <[email protected]>

Reviewed-by: Kevin Tian <[email protected]>
