The bouncing is not necessarily page aligned, so current VDUSE can
leak kernel information by mapping bounce pages to
userspace. Allocate bounce pages with __GFP_ZERO to avoid leaking
information to userspace.

Fixes: 8c773d53fb7b ("vduse: Implement an MMU-based software IOTLB")
Cc: [email protected]
Signed-off-by: Jason Wang <[email protected]>
---
 drivers/vdpa/vdpa_user/iova_domain.c | 2 +-
 drivers/vdpa/vdpa_user/vduse_dev.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/iova_domain.c 
b/drivers/vdpa/vdpa_user/iova_domain.c
index 0a9f668467a8..ec743bed361c 100644
--- a/drivers/vdpa/vdpa_user/iova_domain.c
+++ b/drivers/vdpa/vdpa_user/iova_domain.c
@@ -124,7 +124,7 @@ static int vduse_domain_map_bounce_page(struct 
vduse_iova_domain *domain,
                if (!map->bounce_page) {
                        head_map = &domain->bounce_maps[(iova & PAGE_MASK) >> 
BOUNCE_MAP_SHIFT];
                        if (!head_map->bounce_page) {
-                               tmp_page = alloc_page(GFP_ATOMIC);
+                               tmp_page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
                                if (!tmp_page)
                                        return -ENOMEM;
                                if (cmpxchg(&head_map->bounce_page, NULL, 
tmp_page))
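Review bot: The `__GFP_ZERO` added to `alloc_page()` here carries no comment saying that it is a confidentiality requirement rather than a convenience, and the same applies to `alloc_pages_exact(size, flag | __GFP_ZERO)` in the `vduse_dev_alloc_coherent` hunk, which presumably has the same motivation. Per the commit message, bounce pages are mapped to userspace and a bounce may cover only part of a page, so the untouched remainder must not hold stale kernel data. I would add `/* Must be zeroed: the page is mapped to userspace and a bounce may fill only part of it. */` above the allocation so the flag is not dropped in a later cleanup. Both enclosing functions start and end outside their hunks.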
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c 
b/drivers/vdpa/vdpa_user/vduse_dev.c
index 73d1d517dc6c..57a40a821c65 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -976,7 +976,7 @@ static void *vduse_dev_alloc_coherent(union virtio_map 
token, size_t size,
        if (!token.group)
                return NULL;
 
-       addr = alloc_pages_exact(size, flag);
+       addr = alloc_pages_exact(size, flag | __GFP_ZERO);
        if (!addr)
                return NULL;
 
-- 
2.34.1

