On Tue, May 26, 2026 at 10:04 AM rom.wang <[email protected]> wrote:
>
> From: Yufeng Wang <[email protected]>
>
> The clear_user() call in VHOST_GET_FEATURES_ARRAY incorrectly starts
> at argp, which is the beginning of the features array, overwriting the
> data just written by copy_to_user(). It should start after the copied
> elements at argp + copied * sizeof(u64) to only zero the trailing
> unused space.
>
> Fixes: 333c515d1896 ("vhost-net: allow configuring extended features")
> Signed-off-by: Yufeng Wang <[email protected]>
> ---
>  drivers/vhost/net.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index db341c922673..70c578acf840 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -1777,7 +1777,8 @@ static long vhost_net_ioctl(struct file *f, unsigned 
> int ioctl,
>                         return -EFAULT;
>
>                 /* Zero the trailing space provided by user-space, if any */
> -               if (clear_user(argp, size_mul(count - copied, sizeof(u64))))
> +               if (clear_user(argp + copied * sizeof(u64),
> +                              size_mul(count - copied, sizeof(u64))))

The fix looks good to me, but why not use the size_mul() macro for the
copied * sizeof(u64) multiplication as well?

>                         return -EFAULT;
>                 return 0;
>         case VHOST_SET_FEATURES_ARRAY:
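Review bot: the offset on the first `+` line, `argp + copied * sizeof(u64)`, is a plain multiplication sitting next to a length that is deliberately computed with `size_mul(count - copied, sizeof(u64))`; the two should be consistent. Either wrap the offset in `size_mul()` too, or, if `argp` is a `void __user *` (not visible in this hunk), compute it through a typed pointer such as `(u64 __user *)argp + copied` so the element-size arithmetic is done by the compiler and the open-coded `* sizeof(u64)` disappears. The change itself is correct as far as the hunk shows: when `count == copied` the call becomes a zero-length `clear_user()` at the end of the copied data, which is a no-op, and otherwise only the trailing, uncopied slots are zeroed instead of the array the preceding `copy_to_user()` just filled. It would help reviewers and backporters to state in the commit message what the pre-fix behaviour was for callers (the returned features array came back zeroed), since the `Fixes:` tag alone does not convey the user-visible impact.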
> --
> 2.34.1
>
>

