Linux-HyperV List
From: Anirudh Rayabharam <anirudh@anirudhrb.com>
To: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
Cc: kys@microsoft.com, haiyangz@microsoft.com, wei.liu@kernel.org,
	decui@microsoft.com, longli@microsoft.com,
	linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 03/18] mshv: Fix race in mshv_irqfd_deassign
Date: Mon, 11 May 2026 13:57:42 +0000
Message-ID: <20260511-musical-discerning-stoat-cbacce@anirudhrb>
In-Reply-To: <177816859556.21765.6200058614819106223.stgit@skinsburskii-cloud-desktop.internal.cloudapp.net>

On Thu, May 07, 2026 at 03:43:15PM +0000, Stanislav Kinsburskii wrote:
> mshv_irqfd_deactivate() and the hlist traversal of pt_irqfds_list
> require pt->pt_irqfds_lock to be held, but mshv_irqfd_deassign()
> omits it. This races with the EPOLLHUP path in mshv_irqfd_wakeup(),
> which does take the lock before calling mshv_irqfd_deactivate().
> 
> Additionally, mshv_irqfd_deactivate() uses hlist_del() which poisons
> the node pointers rather than resetting them. Since
> mshv_irqfd_is_active() relies on hlist_unhashed() (checks pprev ==
> NULL), a poisoned node still appears active. If a concurrent path calls
> mshv_irqfd_deactivate() again on the same irqfd, the guard fails to
> prevent a double hlist_del() on poisoned pointers.
> 
> Fix both issues:
> - Add the missing spin_lock_irq/spin_unlock_irq around the list
>   traversal in mshv_irqfd_deassign(), matching mshv_irqfd_release().
> - Use hlist_del_init() instead of hlist_del() so the node is properly
>   marked as unhashed after removal, making the is_active guard reliable.
> 
> Fixes: 621191d709b14 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
> Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
> ---
>  drivers/hv/mshv_eventfd.c |    5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

Reviewed-by: Anirudh Rayabharam (Microsoft) <anirudh@anirudhrb.com>
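
The guard failure described in the quoted commit message, as a user-space model added here for illustration (not code from the patch or the mshv driver). POISON1/POISON2 stand in for the kernel's LIST_POISON values; unlink_node() and active_after_removal() are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model of the kernel hlist helpers; not the mshv driver code. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
#define POISON1 ((struct hlist_node *)0x100)  /* stand-in for LIST_POISON1 */
#define POISON2 ((struct hlist_node **)0x122) /* stand-in for LIST_POISON2 */

static int hlist_unhashed(const struct hlist_node *n) { return !n->pprev; }

static void unlink_node(struct hlist_node *n)
{
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
}

static void hlist_del(struct hlist_node *n)
{
	unlink_node(n);
	n->next = POISON1;
	n->pprev = POISON2;	/* non-NULL: node still looks hashed */
}

static void hlist_del_init(struct hlist_node *n)
{
	if (hlist_unhashed(n))
		return;		/* a repeated removal becomes a no-op */
	unlink_node(n);
	n->next = NULL;
	n->pprev = NULL;	/* NULL pprev is what hlist_unhashed() tests */
}

/* Hypothetical helper: does an "is active" guard still pass after removal? */
static int active_after_removal(int use_del_init)
{
	struct hlist_head head = { NULL };
	struct hlist_node node = { NULL, &head.first };
	head.first = &node;	/* single-node list */
	(use_del_init ? hlist_del_init : hlist_del)(&node);
	return !hlist_unhashed(&node);
}

int main(void)
{
	printf("%d %d\n", active_after_removal(0), active_after_removal(1));
	return 0;
}
```

With hlist_del() the removed node still reports as active, so a second deactivation would unlink through the poison pointers; with hlist_del_init() the guard sees the node as unhashed.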



Thread overview: 45+ messages
2026-05-07 15:42 [PATCH v4 00/18] mshv: Bug fixes across the mshv_root module Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 01/18] mshv: Fix IRQ leak and type hazards in hv_call_modify_spa_host_access Stanislav Kinsburskii
2026-05-11  3:46   ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 02/18] mshv: Fix mshv_prepare_pinned_region error path for unencrypted partitions Stanislav Kinsburskii
2026-05-11 13:48   ` Anirudh Rayabharam
2026-05-11 15:06     ` Stanislav Kinsburskii
2026-05-13 11:15       ` Anirudh Rayabharam
2026-05-13 17:31         ` Stanislav Kinsburskii
2026-05-11 15:12     ` Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 03/18] mshv: Fix race in mshv_irqfd_deassign Stanislav Kinsburskii
2026-05-11 13:57   ` Anirudh Rayabharam [this message]
2026-05-07 15:43 ` [PATCH v4 04/18] mshv: Add NULL check for vp in mshv_try_assert_irq_fast Stanislav Kinsburskii
2026-05-11  3:24   ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 05/18] mshv: irqfd: Reject routing updates that invalidate resampler binding Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 06/18] mshv: Fix broken seqcount read protection Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 07/18] mshv: Consolidate irqfd interrupt injection paths Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 08/18] mshv: Fix level-triggered check on uninitialized data Stanislav Kinsburskii
2026-05-13 12:14   ` Anirudh Rayabharam
2026-05-13 17:38     ` Stanislav Kinsburskii
2026-05-14  5:49       ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 09/18] mshv: Fix duplicate GSI detection for GSI 0 Stanislav Kinsburskii
2026-05-13 11:36   ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 10/18] mshv: portid_table: Make mshv_portid_lookup() RCU-aware by contract Stanislav Kinsburskii
2026-05-13 11:20   ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 11/18] mshv: Fix sleeping under spinlock in mshv_portid_alloc Stanislav Kinsburskii
2026-05-11  3:33   ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 12/18] mshv: Use kfree_rcu in mshv_portid_free Stanislav Kinsburskii
2026-05-13 11:22   ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 13/18] mshv: Add missing vp_index bounds check in intercept ISR Stanislav Kinsburskii
2026-05-13  5:32   ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 14/18] mshv: Order pt_vp_array publish against irqfd assertion path Stanislav Kinsburskii
2026-05-13  9:57   ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 15/18] mshv: Defer mshv_vp free to an RCU grace period Stanislav Kinsburskii
2026-05-13 10:11   ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 16/18] mshv: Validate scheduler message bounds from hypervisor Stanislav Kinsburskii
2026-05-13 11:12   ` Anirudh Rayabharam
2026-05-13 17:39     ` Stanislav Kinsburskii
2026-05-14  5:49       ` Anirudh Rayabharam
2026-05-14 15:17         ` Stanislav Kinsburskii
2026-05-07 15:44 ` [PATCH v4 17/18] mshv: Publish VP to pt_vp_array before installing the file descriptor Stanislav Kinsburskii
2026-05-11 14:26   ` Anirudh Rayabharam
2026-05-11 15:29     ` Stanislav Kinsburskii
2026-05-12 12:46       ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 18/18] mshv: Fix missing error code on VP allocation failure Stanislav Kinsburskii
2026-05-11  3:35   ` Anirudh Rayabharam
