On Wed, Apr 29, 2026 at 07:18:44PM -0700, Mukesh R wrote:
> On 4/29/26 11:17, Stanislav Kinsburskii wrote:
> > This series addresses bugs found during a review of the mshv_root module
> > introduced by commit 621191d709b14 ("Drivers: hv: Introduce mshv_root
> > module to expose /dev/mshv to VMMs").
> >
> > The fixes range from data corruption and use-after-free to silent
> > functional failures:
> >
> > - IRQ state leak and type truncation in hypercall helpers
> > (hv_call_modify_spa_host_access)
> > - Integer overflow on userspace-controlled allocation size
> > (mshv_region_create)
> > - Missing locking, broken seqcount read protection, and a check on
> > uninitialized data in the irqfd path; the latter makes
> > level-triggered interrupt resampling completely non-functional
> > - Duplicate GSI 0 detection using the wrong predicate
> > - Use-after-RCU in port ID lookup
> > - Missing VP index bounds check in intercept ISR (OOB in interrupt
> > context)
> > - Missing error code on VP allocation failure (silent success to
> > userspace)
>
> Lot of changes here, curious, how were all these discovered
> suddenly? Stress testing, internal/external? Or reported by
> copilot/sashiko/etc..
>
These were suggested by Claude Opus 4.6.
> How were the fixes tested?
>
I ran the Cloud Hypervisor integration test suite against these changes,
which covers a wide range of scenarios including interrupt handling,
memory management, and VP lifecycle.

Thanks,
Stanislav
> Thanks,
> -Mukesh
>
>
> > ---
> >
> > Stanislav Kinsburskii (10):
> > mshv: Fix IRQ leak and type hazards in hv_call_modify_spa_host_access
> > mshv: Fix potential integer overflow in mshv_region_create
> > mshv: Fix missing lock in mshv_irqfd_deassign
> > mshv: Fix broken seqcount read protection
> > mshv: Fix level-triggered check on uninitialized data
> > mshv: Fix duplicate GSI detection for GSI 0
> > mshv: Fix use-after-RCU in mshv_portid_lookup
> > mshv: Use kfree_rcu in mshv_portid_free
> > mshv: Add missing vp_index bounds check in intercept ISR
> > mshv: Fix missing error code on VP allocation failure
> >
> >
> > drivers/hv/mshv_eventfd.c | 75 ++++++++++++++++++++++------------------
> > drivers/hv/mshv_irq.c | 2 +
> > drivers/hv/mshv_portid_table.c | 6 +--
> > drivers/hv/mshv_regions.c | 2 +
> > drivers/hv/mshv_root_hv_call.c | 18 +++-------
> > drivers/hv/mshv_root_main.c | 4 ++
> > drivers/hv/mshv_synic.c | 4 ++
> > 7 files changed, 59 insertions(+), 52 deletions(-)
> >
>
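
The "integer overflow on userspace-controlled allocation size" item in the cover letter above is a bug class worth seeing concretely. The following is an added illustration, not code from this series or from the mshv_root driver: the struct, the field names, the limits and the helper names are all hypothetical stand-ins for a VMM ioctl that hands the kernel a page count. It uses the compiler builtins that the kernel's check_mul_overflow()/check_add_overflow() wrap, so it builds and runs in plain userspace C.

```c
/* Added example (hypothetical, not the mshv_root code): how a page count
 * taken straight from an ioctl turns into an undersized allocation when the
 * size arithmetic is not checked, and the two checks that close the hole. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <errno.h>

/* Hypothetical ioctl payload: the VMM asks for a guest-physical region that
 * starts at guest_pfn and spans nr_pages pages. Both fields are attacker
 * controlled; nothing about them can be trusted. */
struct region_req {
	uint64_t guest_pfn;
	uint64_t nr_pages;
};

/* Unchecked: nr_pages * sizeof(uint64_t) wraps modulo 2^64, so a request for
 * 2^61 + 1 pages yields a 8-byte buffer. Every PFN written after the first
 * one would then land past the end of the allocation. */
static uint64_t pfn_array_bytes_unchecked(const struct region_req *req)
{
	return req->nr_pages * sizeof(uint64_t);
}

/* Checked: refuse an empty request and let the builtin (same semantics as the
 * kernel's check_mul_overflow()) report a wrapped product instead of using it.
 * Returns 0 and fills *out_bytes on success, a negative errno otherwise. */
static int pfn_array_bytes_checked(const struct region_req *req,
				   size_t *out_bytes)
{
	size_t bytes;

	if (req->nr_pages == 0)
		return -EINVAL;
	if (__builtin_mul_overflow(req->nr_pages, sizeof(uint64_t), &bytes))
		return -EOVERFLOW;
	*out_bytes = bytes;
	return 0;
}

/* Second layer: the region's end PFN must not wrap either, otherwise a range
 * check such as "end <= max_gpfn" passes for a region that covers everything.
 * A wrapped end is rejected with the same builtin family. */
static bool region_range_valid(const struct region_req *req)
{
	uint64_t end_pfn;

	if (req->nr_pages == 0)
		return false;
	return !__builtin_add_overflow(req->guest_pfn, req->nr_pages, &end_pfn);
}

int main(void)
{
	/* Constructed inputs: one honest request, one that wraps the
	 * multiplication, one that wraps the range end. */
	struct region_req ok = { .guest_pfn = 0x1000, .nr_pages = 1024 };
	struct region_req huge = { .guest_pfn = 0, .nr_pages = (1ull << 61) + 1 };
	struct region_req wrap = { .guest_pfn = UINT64_MAX - 1, .nr_pages = 4 };
	size_t bytes = 0;

	printf("unchecked bytes for 2^61+1 pages: %llu\n",
	       (unsigned long long)pfn_array_bytes_unchecked(&huge));
	printf("checked: honest=%d huge=%d\n",
	       pfn_array_bytes_checked(&ok, &bytes),
	       pfn_array_bytes_checked(&huge, &bytes));
	printf("range valid: honest=%d wrap=%d\n",
	       region_range_valid(&ok), region_range_valid(&wrap));
	return 0;
}
```

The unchecked helper is the shape of the bug: the multiplication is legal C, the result is a valid allocation size, and only the later writes expose the problem. The checked variants fail closed before any memory is requested, which is the behaviour a VMM-facing ioctl needs regardless of how the real driver spells the check.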