From: Yousef Alhouseen <[email protected]> Sent: Thursday, June 25, 2026 11:13 AM > > mshv_vtl_hvcall_call() copies output_size bytes to userspace. > > The output page is freshly allocated. Userspace chooses the copyout length. > > If the hypercall writes less, the tail can contain stale page data. > > Clear the copied range before issuing the hypercall. > > Also check both bounce page allocations before either page is used. > > Signed-off-by: Yousef Alhouseen <[email protected]> > --- > Changes in v2: > - Use the mshv_vtl subject prefix. > - Clear only the requested output byte range instead of the whole page. > - Add a comment explaining why the output range is cleared. > - Keep free_page() calls unconditional. > - v1: > https://lore.kernel.org/all/[email protected]/ > > drivers/hv/mshv_vtl_main.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/hv/mshv_vtl_main.c b/drivers/hv/mshv_vtl_main.c > index 0d3d41619..dbf03b667 100644 > --- a/drivers/hv/mshv_vtl_main.c > +++ b/drivers/hv/mshv_vtl_main.c > @@ -1148,12 +1148,22 @@ static int mshv_vtl_hvcall_call(struct > mshv_vtl_hvcall_fd *fd, > */ > in = (void *)__get_free_page(GFP_KERNEL); > out = (void *)__get_free_page(GFP_KERNEL); > + if (!in || !out) { > + ret = -ENOMEM; > + goto free_pages; > + } > > if (copy_from_user(in, (void __user *)hvcall.input_ptr, > hvcall.input_size)) { > ret = -EFAULT; > goto free_pages; > } > > + /* > + * The caller supplies output_size, so clear the range copied back to > + * userspace in case the hypercall writes fewer bytes than requested. > + */ > + memset(out, 0, hvcall.output_size); > + > hvcall.status = hv_do_hypercall(hvcall.control, in, out); > > if (copy_to_user((void __user *)hvcall.output_ptr, out, > hvcall.output_size)) { > -- > 2.54.0
Reviewed-by: Michael Kelley <[email protected]>
