From: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
To: kys@microsoft.com, haiyangz@microsoft.com, wei.liu@kernel.org,
decui@microsoft.com, longli@microsoft.com
Cc: linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 00/18] mshv: Bug fixes across the mshv_root module
Date: Mon, 4 May 2026 12:06:36 -0700
Message-ID: <afjuPLuuqTMupKwL@skinsburskii.localdomain>
In-Reply-To: <177792097254.89142.47656055124497980.stgit@skinsburskii-cloud-desktop.internal.cloudapp.net>
On Mon, May 04, 2026 at 06:59:01PM +0000, Stanislav Kinsburskii wrote:
> This series addresses bugs found during a continued review of the
> mshv_root module introduced by commit 621191d709b14 ("Drivers: hv:
> Introduce mshv_root module to expose /dev/mshv to VMMs").
>
This series is malformed.
Please disregard.
Thanks,
Stanislav
> Changes since v2:
> - "Fix mshv_prepare_pinned_region error path for unencrypted
> partitions": removed inline mshv_region_invalidate() to prevent
> zeroing mreg_pages before mshv_region_destroy() can unmap partial
> SLAT mappings; for encrypted share-failure, memset the page array
> without unpinning (pages are host-inaccessible).
> - "Consolidate irqfd interrupt injection paths": fixed data race in
> mshv_irqfd_assign EPOLLIN path — girq_ent is now snapshotted inside
> the seqcount loop (matching mshv_irqfd_wakeup) to prevent a
> concurrent routing update from injecting vector 0 to VP 0.
> - "Add missing vp_index bounds check in intercept ISR": added
> array_index_nospec() after the bounds check to prevent speculative
> out-of-bounds array access.
> - "Add store/load ordering for VP array publish": added missing
> smp_load_acquire in mshv_try_assert_irq_fast.
>
> Changes since v1:
> - Added 8 new patches addressing issues found by Sashiko (automated
> review) covering the irqfd, portid, scheduler message, and VP
> lifecycle paths.
> - Consolidated the irqfd fast/slow injection paths to eliminate
> duplicated seqcount reads and fix the GSI 0 validity bypass.
> - Added memory ordering for the lockless VP array.
>
> The fixes range from data corruption and use-after-free to silent
> functional failures and sleeping-while-atomic:
>
> Memory region management:
> - Integer overflow on userspace-controlled allocation size
> (mshv_region_create)
> - Silent success on map failure for unencrypted partitions
> (mshv_prepare_pinned_region)
> - u64 overflow in region overlap check allowing overlapping mappings
>
> IRQ/eventfd path:
> - IRQ state leak and type truncation in hypercall helpers
> - Missing locking and hlist_del vs hlist_del_init race in irqfd
> deassign
> - Defensive synchronize_srcu in irqfd shutdown (follows KVM pattern)
> - NULL pointer dereference on spurious interrupt to non-existent VP
> (mshv_try_assert_irq_fast)
> - Broken seqcount read protection — torn reads of interrupt routing
> - Duplicated and inconsistent validity checks between fast/slow
> injection paths; fast path could inject vector 0 spuriously
> - Level-triggered check on uninitialized data making interrupt
> resampling completely non-functional
> - Duplicate GSI 0 detection using the wrong predicate
>
> Port ID table:
> - Use-after-RCU in mshv_portid_lookup (dereference outside read-side
> critical section)
> - Sleeping under spinlock in mshv_portid_alloc (GFP_KERNEL inside
> idr_lock)
> - Use kfree_rcu for deferred free without blocking
>
> SynIC / ISR paths:
> - Missing VP index bounds check in intercept ISR (OOB in interrupt
> context from untrusted hypervisor data)
> - Missing store/load ordering for VP array publish — lockless ISR
> readers could observe partially-initialized VP
> - Missing bounds validation in scheduler messages
> (handle_pair_message vp_count, handle_bitset_message bank_mask)
>
> Miscellaneous:
> - Missing error code on VP allocation failure (silent success to
> userspace)
>
> Kudos to Claude and Sashiko for assisting with analysis and
> implementation.
>
>
> ---
>
> Stanislav Kinsburskii (18):
> mshv: Fix IRQ leak and type hazards in hv_call_modify_spa_host_access
> mshv: Fix potential integer overflow in mshv_region_create
> mshv: Fix mshv_prepare_pinned_region error path for unencrypted partitions
> mshv: Fix potential u64 overflow in region overlap check
> mshv: Fix race in mshv_irqfd_deassign
> mshv: Add defensive synchronize_srcu in irqfd shutdown
> mshv: Add NULL check for vp in mshv_try_assert_irq_fast
> mshv: Fix broken seqcount read protection
> mshv: Consolidate irqfd interrupt injection paths
> mshv: Fix level-triggered check on uninitialized data
> mshv: Fix duplicate GSI detection for GSI 0
> mshv: Fix use-after-RCU in mshv_portid_lookup
> mshv: Fix sleeping under spinlock in mshv_portid_alloc
> mshv: Use kfree_rcu in mshv_portid_free
> mshv: Add missing vp_index bounds check in intercept ISR
> mshv: Add store/load ordering for VP array publish
> mshv: Validate scheduler message bounds from hypervisor
> mshv: Fix missing error code on VP allocation failure
>
>
> drivers/hv/mshv_eventfd.c | 108 +++++++++++++++++++++++++---------------
> drivers/hv/mshv_irq.c | 2 -
> drivers/hv/mshv_portid_table.c | 12 ++--
> drivers/hv/mshv_regions.c | 2 -
> drivers/hv/mshv_root_hv_call.c | 18 ++-----
> drivers/hv/mshv_root_main.c | 39 ++++++++++----
> drivers/hv/mshv_synic.c | 36 +++++++++++--
> 7 files changed, 136 insertions(+), 81 deletions(-)
>
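As an added illustration, not code from this series or the mshv driver: the wrapped-end overlap check and the unchecked allocation size named in the cover letter above, each beside an overflow-checked form. Function names and sample values are constructed; the checked helpers mirror what the kernel's overflow.h (check_add_overflow, array_size) provides.

```c
/* Added illustration; not the mshv driver's code. Page-frame arithmetic on
 * uint64_t, as a region overlap check on userspace-supplied ranges might do. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Naive check: start + npages can wrap to a small value, so a region that
 * really runs past the top of the address space appears to end before the
 * existing region and the overlap is missed. */
static bool regions_overlap_naive(uint64_t a_start, uint64_t a_npages,
				  uint64_t b_start, uint64_t b_npages)
{
	uint64_t a_end = a_start + a_npages;	/* may wrap */
	uint64_t b_end = b_start + b_npages;	/* may wrap */

	return a_start < b_end && b_start < a_end;
}

/* Hardened form: refuse any region whose end is not representable before
 * comparing. Returns 1 (overlap), 0 (disjoint) or -1 (invalid region). */
static int regions_overlap_checked(uint64_t a_start, uint64_t a_npages,
				   uint64_t b_start, uint64_t b_npages)
{
	uint64_t a_end, b_end;

	if (__builtin_add_overflow(a_start, a_npages, &a_end) ||
	    __builtin_add_overflow(b_start, b_npages, &b_end))
		return -1;	/* -EINVAL in the kernel */
	return (a_start < b_end && b_start < a_end) ? 1 : 0;
}

/* A userspace-controlled element count times the element size must not wrap
 * before it reaches the allocator. Returns SIZE_MAX on overflow, which an
 * allocator refuses, the same convention as the kernel's array_size(). */
static size_t array_bytes_checked(uint64_t nr, size_t elem)
{
	size_t bytes;

	if (__builtin_mul_overflow(nr, elem, &bytes))
		return SIZE_MAX;
	return bytes;
}
```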