On Mon, May 04, 2026 at 06:59:01PM +0000, Stanislav Kinsburskii wrote:
> This series addresses bugs found during a continued review of the
> mshv_root module introduced by commit 621191d709b14 ("Drivers: hv:
> Introduce mshv_root module to expose /dev/mshv to VMMs").
>
This series is malformed.
Please disregard.
Thanks,
Stanislav
> Changes since v2:
> - "Fix mshv_prepare_pinned_region error path for unencrypted
> partitions": removed inline mshv_region_invalidate() to prevent
> zeroing mreg_pages before mshv_region_destroy() can unmap partial
> SLAT mappings; for encrypted share-failure, memset the page array
> without unpinning (pages are host-inaccessible).
> - "Consolidate irqfd interrupt injection paths": fixed data race in
> mshv_irqfd_assign EPOLLIN path — girq_ent is now snapshotted inside
> the seqcount loop (matching mshv_irqfd_wakeup) to prevent a
> concurrent routing update from injecting vector 0 to VP 0.
> - "Add missing vp_index bounds check in intercept ISR": added
> array_index_nospec() after the bounds check to prevent speculative
> out-of-bounds array access.
> - "Add store/load ordering for VP array publish": added missing
> smp_load_acquire in mshv_try_assert_irq_fast.
>
> Changes since v1:
> - Added 8 new patches addressing issues found by Sashiko (automated
> review) covering the irqfd, portid, scheduler message, and VP
> lifecycle paths.
> - Consolidated the irqfd fast/slow injection paths to eliminate
> duplicated seqcount reads and fix the GSI 0 validity bypass.
> - Added memory ordering for the lockless VP array.
>
> The fixes range from data corruption and use-after-free to silent
> functional failures and sleeping-while-atomic:
>
> Memory region management:
> - Integer overflow on userspace-controlled allocation size
> (mshv_region_create)
> - Silent success on map failure for unencrypted partitions
> (mshv_prepare_pinned_region)
> - u64 overflow in region overlap check allowing overlapping mappings
>
> IRQ/eventfd path:
> - IRQ state leak and type truncation in hypercall helpers
> - Missing locking and hlist_del vs hlist_del_init race in irqfd
> deassign
> - Defensive synchronize_srcu in irqfd shutdown (follows KVM pattern)
> - NULL pointer dereference on spurious interrupt to non-existent VP
> (mshv_try_assert_irq_fast)
> - Broken seqcount read protection — torn reads of interrupt routing
> - Duplicated and inconsistent validity checks between fast/slow
> injection paths; fast path could inject vector 0 spuriously
> - Level-triggered check on uninitialized data making interrupt
> resampling completely non-functional
> - Duplicate GSI 0 detection using the wrong predicate
>
> Port ID table:
> - Use-after-RCU in mshv_portid_lookup (dereference outside read-side
> critical section)
> - Sleeping under spinlock in mshv_portid_alloc (GFP_KERNEL inside
> idr_lock)
> - Use kfree_rcu for deferred free without blocking
>
> SynIC / ISR paths:
> - Missing VP index bounds check in intercept ISR (OOB in interrupt
> context from untrusted hypervisor data)
> - Missing store/load ordering for VP array publish — lockless ISR
> readers could observe partially-initialized VP
> - Missing bounds validation in scheduler messages
> (handle_pair_message vp_count, handle_bitset_message bank_mask)
>
> Miscellaneous:
> - Missing error code on VP allocation failure (silent success to
> userspace)
>
> Kudos to Claude and Sashiko for assisting with analysis and
> implementation.
>
>
> ---
>
> Stanislav Kinsburskii (18):
> mshv: Fix IRQ leak and type hazards in hv_call_modify_spa_host_access
> mshv: Fix potential integer overflow in mshv_region_create
> mshv: Fix mshv_prepare_pinned_region error path for unencrypted
> partitions
> mshv: Fix potential u64 overflow in region overlap check
> mshv: Fix race in mshv_irqfd_deassign
> mshv: Add defensive synchronize_srcu in irqfd shutdown
> mshv: Add NULL check for vp in mshv_try_assert_irq_fast
> mshv: Fix broken seqcount read protection
> mshv: Consolidate irqfd interrupt injection paths
> mshv: Fix level-triggered check on uninitialized data
> mshv: Fix duplicate GSI detection for GSI 0
> mshv: Fix use-after-RCU in mshv_portid_lookup
> mshv: Fix sleeping under spinlock in mshv_portid_alloc
> mshv: Use kfree_rcu in mshv_portid_free
> mshv: Add missing vp_index bounds check in intercept ISR
> mshv: Add store/load ordering for VP array publish
> mshv: Validate scheduler message bounds from hypervisor
> mshv: Fix missing error code on VP allocation failure
>
>
> drivers/hv/mshv_eventfd.c | 108 +++++++++++++++++++++++++---------------
> drivers/hv/mshv_irq.c | 2 -
> drivers/hv/mshv_portid_table.c | 12 ++--
> drivers/hv/mshv_regions.c | 2 -
> drivers/hv/mshv_root_hv_call.c | 18 ++-----
> drivers/hv/mshv_root_main.c | 39 ++++++++++----
> drivers/hv/mshv_synic.c | 36 +++++++++++--
> 7 files changed, 136 insertions(+), 81 deletions(-)
>
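The "u64 overflow in region overlap check" item above describes a bug class that is easy to reproduce outside the kernel. The following is an added userspace illustration, not code from the mshv_root driver or this series: the `struct region`, `overlaps_naive()` and `overlaps_safe()` names are hypothetical. It contrasts an end = start + size comparison that wraps for regions near the top of the address space with a check that rejects unrepresentable ranges and compares inclusive last addresses.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical region descriptor (constructed for this example; not the
 * mshv_root structures). start/size are userspace-controlled values. */
struct region {
	uint64_t start;   /* base address of the mapping */
	uint64_t size;    /* length in bytes */
};

/* Naive check: end = start + size silently wraps in u64 arithmetic.
 * Two identical regions at 0xFFFFFFFFFFFFF000 with size 0x1000 both get
 * end == 0, so "a->start < b_end" is false and no overlap is reported. */
static bool overlaps_naive(const struct region *a, const struct region *b)
{
	uint64_t a_end = a->start + a->size;
	uint64_t b_end = b->start + b->size;

	return a->start < b_end && b->start < a_end;
}

/* A region is representable only if its last byte does not wrap past
 * UINT64_MAX; zero-size regions are rejected as well. */
static bool region_valid(const struct region *r)
{
	return r->size != 0 && r->start <= UINT64_MAX - (r->size - 1);
}

/* Overflow-safe check: validate both ranges first, then compare inclusive
 * last addresses so no sum can exceed UINT64_MAX. An unrepresentable
 * range is treated as conflicting so the caller refuses the mapping. */
static bool overlaps_safe(const struct region *a, const struct region *b)
{
	uint64_t a_last, b_last;

	if (!region_valid(a) || !region_valid(b))
		return true;

	a_last = a->start + (a->size - 1);
	b_last = b->start + (b->size - 1);

	return a->start <= b_last && b->start <= a_last;
}
```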