Commit d7be74e

iommufd: Fix struct iommu_hwpt_pgfault init and padding
JIRA: https://issues.redhat.com/browse/RHEL-75942

commit e721f61
Author: Nicolin Chen <nicolinc@nvidia.com>
Date:   Mon Jan 20 11:50:51 2025 -0800

    iommufd: Fix struct iommu_hwpt_pgfault init and padding

    The iommu_hwpt_pgfault is used to report IO page fault data to userspace,
    but iommufd_fault_fops_read was never zeroing its padding. This leaks the
    content of the kernel stack memory to userspace.

    Also, the iommufd uAPI requires explicit padding and use of __aligned_u64
    to ensure ABI compatibility with 32 bit.

    pahole result, before:

    struct iommu_hwpt_pgfault {
            __u32 flags;                /*     0     4 */
            __u32 dev_id;               /*     4     4 */
            __u32 pasid;                /*     8     4 */
            __u32 grpid;                /*    12     4 */
            __u32 perm;                 /*    16     4 */

            /* XXX 4 bytes hole, try to pack */

            __u64 addr;                 /*    24     8 */
            __u32 length;               /*    32     4 */
            __u32 cookie;               /*    36     4 */

            /* size: 40, cachelines: 1, members: 8 */
            /* sum members: 36, holes: 1, sum holes: 4 */
            /* last cacheline: 40 bytes */
    };

    pahole result, after:

    struct iommu_hwpt_pgfault {
            __u32 flags;                /*     0     4 */
            __u32 dev_id;               /*     4     4 */
            __u32 pasid;                /*     8     4 */
            __u32 grpid;                /*    12     4 */
            __u32 perm;                 /*    16     4 */
            __u32 __reserved;           /*    20     4 */
            __u64 addr __attribute__((__aligned__(8))); /*    24     8 */
            __u32 length;               /*    32     4 */
            __u32 cookie;               /*    36     4 */

            /* size: 40, cachelines: 1, members: 9 */
            /* forced alignments: 1 */
            /* last cacheline: 40 bytes */
    } __attribute__((__aligned__(8)));

    Fixes: c714f15 ("iommufd: Add fault and response message definitions")
    Link: https://patch.msgid.link/r/20250120195051.2450-1-nicolinc@nvidia.com
    Cc: stable@vger.kernel.org
    Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
    Reviewed-by: Kevin Tian <kevin.tian@intel.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Signed-off-by: Eder Zulian <ezulian@redhat.com>
1 parent 800194f commit d7be74e
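The leak described in the commit message, as an added example that is not part of the commit or the kernel source: a byte-level model of a stack object that is filled member by member and then copied out whole. The struct names, the `STALE` marker, the `0x11` fill value and all helper functions are assumptions of this example; only the two layouts come from the pahole output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old stack contents */

/* Layouts from the pahole output in the commit message (names are this example's). */
struct pgfault_before {
    uint32_t flags, dev_id, pasid, grpid, perm;
    uint64_t addr;                 /* compiler may insert a hole before this */
    uint32_t length, cookie;
};
struct pgfault_after {
    uint32_t flags, dev_id, pasid, grpid, perm, reserved;
    uint64_t addr __attribute__((aligned(8)));
    uint32_t length, cookie;
};

struct span { size_t off, len; };
#define M(t, f) { offsetof(struct t, f), sizeof(((struct t *)0)->f) }
/* Members a reporting path assigns one by one; "reserved" is never among them. */
static const struct span before_set[] = {
    M(pgfault_before, flags), M(pgfault_before, dev_id), M(pgfault_before, pasid),
    M(pgfault_before, grpid), M(pgfault_before, perm), M(pgfault_before, addr),
    M(pgfault_before, length), M(pgfault_before, cookie) };
static const struct span after_set[] = {
    M(pgfault_after, flags), M(pgfault_after, dev_id), M(pgfault_after, pasid),
    M(pgfault_after, grpid), M(pgfault_after, perm), M(pgfault_after, addr),
    M(pgfault_after, length), M(pgfault_after, cookie) };

/* Byte-level model: start from stale or zeroed storage, write each assigned
 * member, then count stale bytes in what a whole-object copy would hand out. */
static size_t stale_out(const struct span *m, size_t n, size_t total, int zeroed)
{
    unsigned char obj[sizeof(struct pgfault_after)];
    size_t i, stale = 0;

    memset(obj, zeroed ? 0 : STALE, total);
    for (i = 0; i < n; i++)
        memset(obj + m[i].off, 0x11, m[i].len); /* member-wise assignment */
    for (i = 0; i < total; i++)
        stale += (obj[i] == STALE);
    return stale;
}

size_t hole_before(void) { return offsetof(struct pgfault_before, addr) - 20; }
size_t leak_before_fix(void) { return stale_out(before_set, 8, sizeof(struct pgfault_before), 0); }
size_t leak_layout_only(void) { return stale_out(after_set, 8, sizeof(struct pgfault_after), 0); }
size_t leak_after_fix(void) { return stale_out(after_set, 8, sizeof(struct pgfault_after), 1); }
```

`leak_layout_only()` shows that naming the hole does not stop the leak by itself: the four `reserved` bytes stay stale until the object is zeroed, which is what the initializer in fault.c provides.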

2 files changed

+4
-2
lines changed

drivers/iommu/iommufd/fault.c

Lines changed: 1 addition & 1 deletion
@@ -258,7 +258,7 @@ static ssize_t iommufd_fault_fops_read(struct file *filep, char __user *buf,
258258
{
259259
size_t fault_size = sizeof(struct iommu_hwpt_pgfault);
260260
struct iommufd_fault *fault = filep->private_data;
261-
struct iommu_hwpt_pgfault data;
261+
struct iommu_hwpt_pgfault data = {};
262262
struct iommufd_device *idev;
263263
struct iopf_group *group;
264264
struct iopf_fault *iopf;
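
Review bot: The `= {}` on `data` is member-wise initialization and should not be relied on to clear an unnamed hole, so this line only closes the leak together with the `__reserved` member added in include/uapi/linux/iommufd.h; the two changes must not be split when backporting. `data` is also declared at function scope next to `group` and `iopf`, so if the read path fills it for more than one fault per call, please confirm that every member is assigned on each pass, or re-zero it with memset() before each fill, since the loop body is outside this hunk.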

include/uapi/linux/iommufd.h

Lines changed: 3 additions & 1 deletion
@@ -737,6 +737,7 @@ enum iommu_hwpt_pgfault_perm {
737737
* @pasid: Process Address Space ID
738738
* @grpid: Page Request Group Index
739739
* @perm: Combination of enum iommu_hwpt_pgfault_perm
740+
* @__reserved: Must be 0.
740741
* @addr: Fault address
741742
* @length: a hint of how much data the requestor is expecting to fetch. For
742743
* example, if the PRI initiator knows it is going to do a 10MB
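
Review bot: `@__reserved: Must be 0.` reads as a requirement on whoever fills the structure, but the commit message says this structure reports fault data to userspace, so the kernel is the writer here. Consider saying who guarantees the value, for example that the kernel always reports 0 and userspace should ignore the field, so that a later reuse of these four bytes has a documented starting point.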
@@ -752,7 +753,8 @@ struct iommu_hwpt_pgfault {
752753
__u32 pasid;
753754
__u32 grpid;
754755
__u32 perm;
755-
__u64 addr;
756+
__u32 __reserved;
757+
__aligned_u64 addr;
756758
__u32 length;
757759
__u32 cookie;
758760
};
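
Review bot: Nothing in this hunk pins the layout, so a field added after `perm` later could reopen a hole without anyone noticing. A compile-time assertion on the kernel side, using the numbers from the pahole output in the commit message (size 40, `addr` at offset 24), would catch that, e.g. `static_assert(sizeof(struct iommu_hwpt_pgfault) == 40)` plus an `offsetof` check on `addr`. Since `__u64 addr` becomes `__aligned_u64 addr`, it is also worth stating in the changelog whether any 32-bit userspace built against the old header sees a different offset for `addr`.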
