On Mon, Jun 01, 2026 at 01:42:36PM -0700, Nicolin Chen wrote:
> On a copy_to_user() failure inside the inner list_for_each_entry, only the
> inner loop breaks; the outer while re-fetches the just-restored fault group
> and retries the failing copy_to_user() forever, spinning the reader at 100%
> CPU with fault->mutex held.
>
> Check rc after the inner loop and break the outer while as well.
>
> Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
> Cc: [email protected]
> Signed-off-by: Nicolin Chen <[email protected]>
> ---
> drivers/iommu/iommufd/eventq.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c
> index 613024ca8f1ff..1c010e691f972 100644
> --- a/drivers/iommu/iommufd/eventq.c
> +++ b/drivers/iommu/iommufd/eventq.c
> @@ -168,6 +168,8 @@ static ssize_t iommufd_fault_fops_read(struct file
> *filep, char __user *buf,
> }
> done += fault_size;
> }
> + if (rc)
> + break;
> }
> mutex_unlock(&fault->mutex);
>
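Review bot: the added `if (rc) break;` after the inner loop is only correct if rc is zero on every pass that did not fail, and the visible context does not show where rc is initialised or whether any other path in the outer while can leave it set. Worth confirming that the only way to reach this check with a non-zero rc is the copy_to_user() failure described in the commit message. A one-line comment above the check would also help, saying that the fault group has already been restored at this point, so continuing the outer loop would re-fetch it and retry the same failing copy with fault->mutex held.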
Reviewed-by: Pranjal Shrivastava <[email protected]>
Thanks,
Praan