From: sashiko-bot@kernel.org
Cc: linux-hyperv@vger.kernel.org
Subject: Re: [PATCH v4] mshv: support 1G hugepages by passing them as 2M-aligned chunks
Date: Thu, 14 May 2026 05:47:10 +0000 [thread overview]
Message-ID: <20260514054711.0963CC2BCB7@smtp.kernel.org> (raw)
In-Reply-To: <20260513-huge_1g-v4-1-33cda59e4a70@anirudhrb.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Missing physical contiguity validation in large folio chunking leads to guest memory corruption and host-guest VMA inconsistencies.
--
commit 8234ab081cfc742915853b13b8eaeeb12adcc021
Author: Anirudh Rayabharam (Microsoft) <anirudh@anirudhrb.com>
mshv: support 1G hugepages by passing them as 2M-aligned chunks
This commit modifies the mshv driver to support 1G hugepages by treating
them as a sequence of 2M chunks, since the hypervisor map GPA hypercall
coalesces contiguous 2M-aligned chunks. It uses a 2M stride for folios
of at least PMD_ORDER.
> diff --git a/drivers/hv/mshv_regions.c b/drivers/hv/mshv_regions.c
> index fdffd4f002f6f..6d65e5b421529 100644
> --- a/drivers/hv/mshv_regions.c
> +++ b/drivers/hv/mshv_regions.c
[ ... ]
> @@ -86,15 +84,14 @@ static long mshv_region_process_chunk(struct mshv_mem_region *region,
> u64 gfn = region->start_gfn + page_offset;
> u64 count;
> struct page *page;
> - int stride, ret;
> + unsigned int stride;
> + int ret;
>
> page = region->mreg_pages[page_offset];
> if (!page)
> return -EINVAL;
>
> stride = mshv_chunk_stride(page, gfn, page_count);
> - if (stride < 0)
> - return stride;
>
> /* Start at stride since the first stride is validated */
> for (count = stride; count < page_count; count += stride) {
Does this code assume that all intermediate pages within the stride are
physically contiguous simply because the first page belongs to a large folio?
If a VMM constructs a fragmented VMA, for example by using MADV_DONTNEED
on a shmem folio for guest memory ballooning, or MAP_FIXED to remap
specific pages, get_user_pages() could populate mreg_pages with a mix of
different pages.
Since the loop advances by the stride without inspecting the intermediate
pages between the stride boundaries, could this instruct the hypervisor to
map the contiguous physical block of the large folio into the guest,
ignoring the actual VMA mappings?
Would this cause the guest to read and write the host large folio's tail
pages instead of the VMM's intended pages?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260513-huge_1g-v4-1-33cda59e4a70@anirudhrb.com?part=1
prev parent reply other threads:[~2026-05-14 5:47 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-13 13:25 [PATCH v4] mshv: support 1G hugepages by passing them as 2M-aligned chunks Anirudh Rayabharam (Microsoft)
2026-05-13 15:13 ` Michael Kelley
2026-05-14 5:47 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260514054711.0963CC2BCB7@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox