RE: [PATCH v2] mshv_vtl: clear hypercall output before copyout

From: Michael Kelley

Date: Thu Jun 25 2026 - 14:25:27 EST


From: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx> Sent: Thursday, June 25, 2026 11:13 AM
>
> mshv_vtl_hvcall_call() copies output_size bytes to userspace.
>
> The output page is freshly allocated. Userspace chooses the copyout length.
>
> If the hypercall writes less, the tail can contain stale page data.
>
> Clear the copied range before issuing the hypercall.
>
> Also check both bounce page allocations before either page is used.
>
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
> ---
> Changes in v2:
> - Use the mshv_vtl subject prefix.
> - Clear only the requested output byte range instead of the whole page.
> - Add a comment explaining why the output range is cleared.
> - Keep free_page() calls unconditional.
> - v1: https://lore.kernel.org/all/20260624172157.2790-1-alhouseenyousef@xxxxxxxxx/
>
> drivers/hv/mshv_vtl_main.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/hv/mshv_vtl_main.c b/drivers/hv/mshv_vtl_main.c
> index 0d3d41619..dbf03b667 100644
> --- a/drivers/hv/mshv_vtl_main.c
> +++ b/drivers/hv/mshv_vtl_main.c
> @@ -1148,12 +1148,22 @@ static int mshv_vtl_hvcall_call(struct mshv_vtl_hvcall_fd *fd,
> */
> in = (void *)__get_free_page(GFP_KERNEL);
> out = (void *)__get_free_page(GFP_KERNEL);
> + if (!in || !out) {
> + ret = -ENOMEM;
> + goto free_pages;
> + }
>
> if (copy_from_user(in, (void __user *)hvcall.input_ptr, hvcall.input_size)) {
> ret = -EFAULT;
> goto free_pages;
> }
>
> + /*
> + * The caller supplies output_size, so clear the range copied back to
> + * userspace in case the hypercall writes fewer bytes than requested.
> + */
> + memset(out, 0, hvcall.output_size);
> +
> hvcall.status = hv_do_hypercall(hvcall.control, in, out);
>
> if (copy_to_user((void __user *)hvcall.output_ptr, out, hvcall.output_size)) {
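Review bot: memset(out, 0, hvcall.output_size) is only safe if hvcall.output_size has already been bounded to PAGE_SIZE, and this hunk does not show that check, so confirm it happens before this point (the copy_from_user(in, ..., hvcall.input_size) just above has the same dependency on hvcall.input_size). If output_size can exceed a page, the clear overruns the single page from __get_free_page() before the hypercall ever runs. Placement is otherwise right: the clear sits after copy_from_user succeeds and before hv_do_hypercall, so nothing the hypercall writes is wiped, and the new -ENOMEM path jumping to free_pages relies on free_page() accepting a zero address, which matches the changelog's "Keep free_page() calls unconditional".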
> --
> 2.54.0

Reviewed-by: Michael Kelley <mhklinux@xxxxxxxxxxx>
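The stale-tail copyout the patch fixes, as an added user-space simulation in C; this is not code from the thread or from drivers/hv/mshv_vtl_main.c. The page allocator, the hypercall, the 0x5A "previous user" pattern and the 64-byte request size are all constructed stand-ins: the recycled page models a non-zeroed page from __get_free_page(), the fake hypercall writes fewer bytes than userspace asks for, and the two copyout functions mirror the unfixed and fixed shapes of the driver path (memcpy stands in for copy_to_user).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIM_PAGE_SIZE 4096

/* Constructed stand-in for a page recycled by the allocator: it still holds
 * bytes (0x5A) written by a previous user, the way a page returned by
 * __get_free_page(GFP_KERNEL) may, since that call does not zero it. */
static unsigned char sim_page[SIM_PAGE_SIZE];

static void *sim_get_free_page(void)
{
	memset(sim_page, 0x5A, sizeof(sim_page));
	return sim_page;
}

/* Constructed hypercall: fills only the first hv_writes bytes of the output
 * page with 0xAB, modelling a hypervisor that returns a result shorter than
 * the length userspace asked for. */
static void sim_hypercall(void *out, size_t hv_writes)
{
	memset(out, 0xAB, hv_writes);
}

/* Unfixed shape of the copyout: output_size bytes go back to the caller
 * regardless of how many the hypercall actually wrote. */
static int hvcall_copyout_unfixed(unsigned char *user_out, size_t output_size,
				  size_t hv_writes)
{
	unsigned char *out;

	if (output_size > SIM_PAGE_SIZE || hv_writes > output_size)
		return -EINVAL;
	out = sim_get_free_page();
	sim_hypercall(out, hv_writes);
	memcpy(user_out, out, output_size);	/* stands in for copy_to_user() */
	return 0;
}

/* Fixed shape: the range that will be copied back is cleared first, so any
 * tail the hypercall leaves untouched comes back as zeros, not page residue. */
static int hvcall_copyout_fixed(unsigned char *user_out, size_t output_size,
				size_t hv_writes)
{
	unsigned char *out;

	if (output_size > SIM_PAGE_SIZE || hv_writes > output_size)
		return -EINVAL;
	out = sim_get_free_page();
	memset(out, 0, output_size);		/* the patch's added clear */
	sim_hypercall(out, hv_writes);
	memcpy(user_out, out, output_size);
	return 0;
}

/* Number of bytes in buf that still carry the previous user's 0x5A pattern. */
static size_t stale_bytes(const unsigned char *buf, size_t n)
{
	size_t i, count = 0;

	for (i = 0; i < n; i++)
		if (buf[i] == 0x5A)
			count++;
	return count;
}

/* Run one copyout through the chosen path and report how many of the bytes
 * handed to "userspace" are stale page data; (size_t)-1 means the call failed. */
static size_t leaked_bytes(int use_fix, size_t output_size, size_t hv_writes)
{
	unsigned char user_buf[SIM_PAGE_SIZE];
	int ret = use_fix ? hvcall_copyout_fixed(user_buf, output_size, hv_writes)
			  : hvcall_copyout_unfixed(user_buf, output_size, hv_writes);

	return ret ? (size_t)-1 : stale_bytes(user_buf, output_size);
}

int main(void)
{
	/* Userspace asks for 64 bytes; the hypercall only writes 16. */
	printf("unfixed: %zu of 64 bytes are stale page data\n",
	       leaked_bytes(0, 64, 16));
	printf("fixed:   %zu of 64 bytes are stale page data\n",
	       leaked_bytes(1, 64, 16));
	return 0;
}
```

The unfixed path returns 48 bytes of whatever the page held before, which in the real driver is arbitrary kernel memory chosen purely by the caller's output_size; the fixed path returns the 16 bytes the hypercall wrote followed by zeros. The size check in both functions is the part the patch hunk does not show and must exist earlier in the driver, since the clear is sized by a user-supplied length.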