On Fri, Jan 30, 2026 at 6:08 AM Jason Wang <[email protected]> wrote:
>
> The bouncing is not necessarily page aligned, so current VDUSE can
> leak kernel information through mapping bounce pages to
> userspace. Allocate bounce pages with __GFP_ZERO to avoid leaking
> information to userspace.
>
> Fixes: 8c773d53fb7b ("vduse: Implement an MMU-based software IOTLB")
> Cc: [email protected]

Reviewed-by: Eugenio Pérez <[email protected]>

Thanks!

> Signed-off-by: Jason Wang <[email protected]>
> ---
>  drivers/vdpa/vdpa_user/iova_domain.c | 2 +-
>  drivers/vdpa/vdpa_user/vduse_dev.c   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/vdpa/vdpa_user/iova_domain.c 
> b/drivers/vdpa/vdpa_user/iova_domain.c
> index 0a9f668467a8..ec743bed361c 100644
> --- a/drivers/vdpa/vdpa_user/iova_domain.c
> +++ b/drivers/vdpa/vdpa_user/iova_domain.c
> @@ -124,7 +124,7 @@ static int vduse_domain_map_bounce_page(struct 
> vduse_iova_domain *domain,
>                 if (!map->bounce_page) {
>                         head_map = &domain->bounce_maps[(iova & PAGE_MASK) >> 
> BOUNCE_MAP_SHIFT];
>                         if (!head_map->bounce_page) {
> -                               tmp_page = alloc_page(GFP_ATOMIC);
> +                               tmp_page = alloc_page(GFP_ATOMIC | 
> __GFP_ZERO);
>                                 if (!tmp_page)
>                                         return -ENOMEM;
>                                 if (cmpxchg(&head_map->bounce_page, NULL, 
> tmp_page))
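
Review bot: The alloc_page(GFP_ATOMIC | __GFP_ZERO) call in vduse_domain_map_bounce_page() has no comment saying why the zeroing is required, so a later cleanup could drop the flag as a needless cost in an atomic path. A one-line comment above it, noting that the page is mapped to userspace and that a non-page-aligned bounce leaves the rest of the page unwritten, would make the intent durable. Also, the allocation runs only when head_map->bounce_page is NULL, so the page is zeroed once at first use; it would help if the commit message said whether a page that stays in bounce_maps and is reused needs any further handling.
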
> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c 
> b/drivers/vdpa/vdpa_user/vduse_dev.c
> index 73d1d517dc6c..57a40a821c65 100644
> --- a/drivers/vdpa/vdpa_user/vduse_dev.c
> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
> @@ -976,7 +976,7 @@ static void *vduse_dev_alloc_coherent(union virtio_map 
> token, size_t size,
>         if (!token.group)
>                 return NULL;
>
> -       addr = alloc_pages_exact(size, flag);
> +       addr = alloc_pages_exact(size, flag | __GFP_ZERO);
>         if (!addr)
>                 return NULL;
>
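
Review bot: The commit message only talks about bounce pages, but the alloc_pages_exact(size, flag | __GFP_ZERO) change in vduse_dev_alloc_coherent() touches the coherent allocation path, which the message does not mention. Please add a sentence explaining why this buffer also has to be zeroed (for example, that it is exposed to userspace in the same way), so the Fixes: tag and the stable backport rationale cover both hunks.
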
> --
> 2.34.1
>

