iommufd: Add check on user response code

The response code from user space is only allowed to be SUCCESS or
INVALID. All other values are treated by the device as a response code of
Response Failure according to PCI spec, section 10.4.2.1.  This response
disables the Page Request Interface for the Function.

Add a check in iommufd_fault_fops_write() to avoid invalid response
code.

Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Lu Baolu <[email protected]>
Reviewed-by: Kevin Tian <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>

diff --git a/drivers/iommu/iommufd/fault.c b/drivers/iommu/iommufd/fault.c
index 54d6cd20a6730d4ea82d9aa89b290ffc2f7b003e..9c142cefa2d2c0653224f920448e52867e342b15 100644 (file)
--- a/drivers/iommu/iommufd/fault.c
+++ b/drivers/iommu/iommufd/fault.c
@@ -305,6 +305,16 @@ static ssize_t iommufd_fault_fops_write(struct file *filep, const char __user *b
                if (rc)
                        break;
 
+               static_assert((int)IOMMUFD_PAGE_RESP_SUCCESS ==
+                             (int)IOMMU_PAGE_RESP_SUCCESS);
+               static_assert((int)IOMMUFD_PAGE_RESP_INVALID ==
+                             (int)IOMMU_PAGE_RESP_INVALID);
+               if (response.code != IOMMUFD_PAGE_RESP_SUCCESS &&
+                   response.code != IOMMUFD_PAGE_RESP_INVALID) {
+                       rc = -EINVAL;
+                       break;
+               }
+
                group = xa_erase(&fault->response, response.cookie);
                if (!group) {
                        rc = -EINVAL;