This series addresses bugs found during a continued review of the
mshv_root module mostly introduced by commit 621191d709b14 ("Drivers: hv:
Introduce mshv_root module to expose /dev/mshv to VMMs").

Changes in v4:
- Dropped the following patches as the issues they fix don't happen in
  practice:
    - mshv: Fix potential integer overflow in mshv_region_create
    - mshv: Fix potential u64 overflow in region overlap check
    - mshv: Add defensive synchronize_srcu in irqfd shutdown

- Added new fixes:
    - mshv: irqfd: Reject routing updates that invalidate resampler binding
    - mshv: Fix sleeping under spinlock in mshv_portid_alloc
    - mshv: Order pt_vp_array publish against irqfd assertion path
    - mshv: Defer mshv_vp free to an RCU grace period
    - mshv: Publish VP to pt_vp_array before installing the file descriptor

- Replaced:
    - mshv: Fix use-after-RCU in mshv_portid_lookup
      by
      mshv: portid_table: Make mshv_portid_lookup() RCU-aware by contract
    - mshv: Add store/load ordering for VP array publish
      by
      mshv: Order pt_vp_array publish against irqfd assertion path

Changes in v3:
- "Fix mshv_prepare_pinned_region error path for unencrypted
  partitions": removed inline mshv_region_invalidate() to prevent
  zeroing mreg_pages before mshv_region_destroy() can unmap partial
  SLAT mappings; for encrypted share-failure, memset the page array
  without unpinning (pages are host-inaccessible).
- "Consolidate irqfd interrupt injection paths": fixed data race in
  mshv_irqfd_assign EPOLLIN path — girq_ent is now snapshotted inside
  the seqcount loop (matching mshv_irqfd_wakeup) to prevent a
  concurrent routing update from injecting vector 0 to VP 0.
- "Add missing vp_index bounds check in intercept ISR": added
  array_index_nospec() after the bounds check to prevent speculative
  out-of-bounds array access.
- "Add store/load ordering for VP array publish": added missing
  smp_load_acquire in mshv_try_assert_irq_fast.

Changes in v2:
- Added 8 new patches addressing issues found by Sashiko (automated
  review) covering the irqfd, portid, scheduler message, and VP
  lifecycle paths.
- Consolidated the irqfd fast/slow injection paths to eliminate
  duplicated seqcount reads and fix the GSI 0 validity bypass.
- Added memory ordering for the lockless VP array.

The fixes range from data corruption and use-after-free to silent
functional failures and sleeping-while-atomic:

 Memory region management:
  - Integer overflow on userspace-controlled allocation size
    (mshv_region_create)
  - Silent success on map failure for unencrypted partitions
    (mshv_prepare_pinned_region)
  - u64 overflow in region overlap check allowing overlapping mappings

 IRQ/eventfd path:
  - IRQ state leak and type truncation in hypercall helpers
  - Missing locking and hlist_del vs hlist_del_init race in irqfd
    deassign
  - Defensive synchronize_srcu in irqfd shutdown (follows KVM pattern)
  - NULL pointer dereference on spurious interrupt to non-existent VP
    (mshv_try_assert_irq_fast)
  - Broken seqcount read protection — torn reads of interrupt routing
  - Duplicated and inconsistent validity checks between fast/slow
    injection paths; fast path could inject vector 0 spuriously
  - Level-triggered check on uninitialized data making interrupt
    resampling completely non-functional
  - Duplicate GSI 0 detection using the wrong predicate

 Port ID table:
  - Use-after-RCU in mshv_portid_lookup (dereference outside read-side
    critical section)
  - Sleeping under spinlock in mshv_portid_alloc (GFP_KERNEL inside
    idr_lock)
  - Use kfree_rcu for deferred free without blocking

 SynIC / ISR paths:
  - Missing VP index bounds check in intercept ISR (OOB in interrupt
    context from untrusted hypervisor data)
  - Missing store/load ordering for VP array publish — lockless ISR
    readers could observe partially-initialized VP
  - Missing bounds validation in scheduler messages
    (handle_pair_message vp_count, handle_bitset_message bank_mask)

 Miscellaneous:
  - Missing error code on VP allocation failure (silent success to
    userspace)

Kudos to Claude and Sashiko for assisting with analysis and
implementation.

---

Stanislav Kinsburskii (18):
      mshv: Fix IRQ leak and type hazards in hv_call_modify_spa_host_access
      mshv: Fix mshv_prepare_pinned_region error path for unencrypted partitions
      mshv: Fix race in mshv_irqfd_deassign
      mshv: Add NULL check for vp in mshv_try_assert_irq_fast
      mshv: irqfd: Reject routing updates that invalidate resampler binding
      mshv: Fix broken seqcount read protection
      mshv: Consolidate irqfd interrupt injection paths
      mshv: Fix level-triggered check on uninitialized data
      mshv: Fix duplicate GSI detection for GSI 0
      mshv: portid_table: Make mshv_portid_lookup() RCU-aware by contract
      mshv: Fix sleeping under spinlock in mshv_portid_alloc
      mshv: Use kfree_rcu in mshv_portid_free
      mshv: Add missing vp_index bounds check in intercept ISR
      mshv: Order pt_vp_array publish against irqfd assertion path
      mshv: Defer mshv_vp free to an RCU grace period
      mshv: Validate scheduler message bounds from hypervisor
      mshv: Publish VP to pt_vp_array before installing the file descriptor
      mshv: Fix missing error code on VP allocation failure


 drivers/hv/mshv_eventfd.c      |  136 +++++++++++++++++++++++++---------------
 drivers/hv/mshv_irq.c          |   46 +++++++++++++-
 drivers/hv/mshv_portid_table.c |   31 ++++-----
 drivers/hv/mshv_root.h         |    3 +
 drivers/hv/mshv_root_hv_call.c |   18 ++---
 drivers/hv/mshv_root_main.c    |   72 +++++++++++++++------
 drivers/hv/mshv_synic.c        |   40 +++++++++---
 7 files changed, 233 insertions(+), 113 deletions(-)
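The SynIC/ISR items in the cover letter (missing vp_index bounds check followed by array_index_nospec(), store/load ordering for the pt_vp_array publish, and the NULL check for a spurious interrupt aimed at a non-existent VP) all sit on one lockless lookup pattern. The following is an added user-space model of that pattern, not code from this series or from the kernel: the names partition, vp_publish, vp_lookup_safe and run_lookup_scenario are hypothetical, index_mask_nospec re-implements the formula of the kernel's generic array_index_mask_nospec fallback, and C11 release/acquire atomics stand in for smp_store_release()/smp_load_acquire().

```c
/*
 * Added example (not code from the mshv_root series or the kernel): a
 * user-space model of a lockless per-partition VP array, showing the
 * checks an interrupt handler needs when the index comes from untrusted
 * hypervisor data:
 *   1. bounds check against the array size,
 *   2. speculation-safe index masking (generic array_index_nospec formula),
 *   3. acquire load of the slot paired with a release store on publish, so
 *      a reader never sees a half-initialised VP, plus a NULL check for a
 *      slot that was never published (or has already been torn down).
 * All names below are hypothetical stand-ins for the driver's own.
 */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VP_ARRAY_SIZE 8

struct vp {
    unsigned int index;
    int initialised;   /* written before publish; must be visible to readers */
};

struct partition {
    /* Slots are read without a lock from interrupt context, so every
     * access goes through an atomic with explicit ordering. */
    _Atomic(struct vp *) pt_vp_array[VP_ARRAY_SIZE];
};

/* Mirrors the generic array_index_mask_nospec fallback: all-ones when
 * index < size, zero otherwise, computed without a data-dependent branch
 * so the result also holds under speculative execution. */
static uintptr_t index_mask_nospec(uintptr_t index, uintptr_t size)
{
    intptr_t v = (intptr_t)(index | (size - 1 - index));
    /* Arithmetic right shift (implementation-defined in ISO C, arithmetic
     * on GCC/Clang) smears the sign bit across the whole word. */
    return (uintptr_t)(~v >> (sizeof(uintptr_t) * 8 - 1));
}

/* Publisher: finish initialising the VP, then release-store the pointer
 * so that any reader which acquire-loads it observes the initialised
 * fields. (The series' ordering fix is this publish/lookup pairing.) */
static void vp_publish(struct partition *pt, struct vp *vp)
{
    vp->initialised = 1;
    atomic_store_explicit(&pt->pt_vp_array[vp->index], vp, memory_order_release);
}

static void vp_unpublish(struct partition *pt, unsigned int index)
{
    atomic_store_explicit(&pt->pt_vp_array[index], NULL, memory_order_release);
}

/* Lockless lookup as an ISR would perform it. Returns NULL for an
 * out-of-range index or an empty slot instead of dereferencing it. */
static struct vp *vp_lookup_safe(struct partition *pt, uintptr_t vp_index)
{
    struct vp *vp;

    if (vp_index >= VP_ARRAY_SIZE)                        /* 1. bounds check */
        return NULL;
    vp_index &= index_mask_nospec(vp_index, VP_ARRAY_SIZE); /* 2. clamp under speculation */
    vp = atomic_load_explicit(&pt->pt_vp_array[vp_index],
                              memory_order_acquire);      /* 3. acquire load */
    if (!vp)                                              /* spurious IRQ: no such VP */
        return NULL;
    return vp;
}

/* True only when the lookup yields a published, fully initialised VP. */
static int vp_lookup_ok(struct partition *pt, uintptr_t vp_index)
{
    struct vp *vp = vp_lookup_safe(pt, vp_index);
    return vp != NULL && vp->initialised == 1;
}

/* Constructed scenario covering each failure mode. Returns a bitmask:
 * bit0 published index found and initialised, bit1 unpublished in-range
 * index rejected, bit2 out-of-range index rejected, bit3 wrapped (~0)
 * index rejected, bit4 torn-down index rejected. 0x1f means all hold. */
static unsigned int run_lookup_scenario(void)
{
    static struct partition pt;   /* static storage: all slots start NULL */
    static struct vp vp3;
    unsigned int result = 0;

    vp3.index = 3;
    vp_publish(&pt, &vp3);

    if (vp_lookup_ok(&pt, 3))                          result |= 1u << 0;
    if (vp_lookup_safe(&pt, 5) == NULL)                result |= 1u << 1;
    if (vp_lookup_safe(&pt, 100) == NULL)              result |= 1u << 2;
    if (vp_lookup_safe(&pt, (uintptr_t)-1) == NULL)    result |= 1u << 3;

    vp_unpublish(&pt, 3);
    if (vp_lookup_safe(&pt, 3) == NULL)                result |= 1u << 4;

    return result;
}

int main(void)
{
    unsigned int r = run_lookup_scenario();
    printf("lookup scenario result: 0x%x (all checks hold at 0x1f)\n", r);
    return r == 0x1fu ? 0 : 1;
}
```

The mask step is only meaningful after the architectural bounds check has already rejected the index; it exists so that a mispredicted branch cannot drive an out-of-range load of pt_vp_array. In real kernel code the pairing is smp_store_release() on publish and smp_load_acquire() (or rcu_dereference with the matching assignment) on lookup, and the VP itself must then outlive any reader that obtained the pointer, which is what the series' deferred RCU free addresses.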
