From: Anirudh Rayabharam <anirudh@anirudhrb.com>
To: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
Cc: kys@microsoft.com, haiyangz@microsoft.com, wei.liu@kernel.org,
decui@microsoft.com, longli@microsoft.com,
linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 14/18] mshv: Order pt_vp_array publish against irqfd assertion path
Date: Wed, 13 May 2026 09:57:13 +0000 [thread overview]
Message-ID: <20260513-wealthy-prudent-tortoise-94deab@anirudhrb> (raw)
In-Reply-To: <177816865606.21765.9555294064589953949.stgit@skinsburskii-cloud-desktop.internal.cloudapp.net>
On Thu, May 07, 2026 at 03:44:16PM +0000, Stanislav Kinsburskii wrote:
> mshv_partition_ioctl_create_vp() initialises a VP struct (allocations,
> mutex_init, init_waitqueue_head, page mappings) and then publishes the
> pointer into partition->pt_vp_array. Several ISR paths read this array
> locklessly: the intercept ISR, the two scheduler ISRs, and
> mshv_try_assert_irq_fast() on the irqfd fast path.
>
> Of these, only mshv_try_assert_irq_fast() can structurally race the
> publish. It runs from an eventfd waker without holding pt_mutex, and
> MSHV_IRQFD does not require the target lapic_apic_id (== vp_index) to
> refer to an existing VP at registration time. A user can therefore
> register an irqfd targeting a yet-to-be-created VP, then trigger
> mshv_try_assert_irq_fast() concurrently with MSHV_CREATE_VP for the
> same index. On weakly-ordered architectures the reader can observe a
> non-NULL pointer in pt_vp_array before the initialising stores to the
> VP struct become visible, leading to use of partially-initialised
> fields (e.g. vp_register_page).
>
> The other ISR readers cannot reach this race: the hypervisor will not
> generate intercept or scheduler messages for a VP that has never been
> told to run, and the user can only call MSHV_RUN_VP on the VP fd
> returned by MSHV_CREATE_VP, which by construction is returned after
> the publish. Leave those readers as plain loads.
>
> Use smp_store_release() in mshv_partition_ioctl_create_vp() to publish
> the pointer, and pair it with smp_load_acquire() in
> mshv_try_assert_irq_fast(). On x86 these compile to plain accesses
> under TSO; on ARM64 they emit one-instruction acquire/release barriers,
> acceptable on this fast path.
>
> The destroy-side path (destroy_partition() clearing pt_vp_array[i] to
> NULL after kfree(vp)) has a separate ordering and lifetime concern
> that is out of scope here.
>
> Fixes: 621191d709b14 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
> Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
> ---
> drivers/hv/mshv_eventfd.c | 9 ++++++++-
> drivers/hv/mshv_root_main.c | 8 +++++++-
> 2 files changed, 15 insertions(+), 2 deletions(-)
Reviewed-by: Anirudh Rayabharam (Microsoft) <anirudh@anirudhrb.com>
next prev parent reply other threads:[~2026-05-13 9:57 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 15:42 [PATCH v4 00/18] mshv: Bug fixes across the mshv_root module Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 01/18] mshv: Fix IRQ leak and type hazards in hv_call_modify_spa_host_access Stanislav Kinsburskii
2026-05-11 3:46 ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 02/18] mshv: Fix mshv_prepare_pinned_region error path for unencrypted partitions Stanislav Kinsburskii
2026-05-11 13:48 ` Anirudh Rayabharam
2026-05-11 15:06 ` Stanislav Kinsburskii
2026-05-13 11:15 ` Anirudh Rayabharam
2026-05-13 17:31 ` Stanislav Kinsburskii
2026-05-11 15:12 ` Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 03/18] mshv: Fix race in mshv_irqfd_deassign Stanislav Kinsburskii
2026-05-11 13:57 ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 04/18] mshv: Add NULL check for vp in mshv_try_assert_irq_fast Stanislav Kinsburskii
2026-05-11 3:24 ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 05/18] mshv: irqfd: Reject routing updates that invalidate resampler binding Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 06/18] mshv: Fix broken seqcount read protection Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 07/18] mshv: Consolidate irqfd interrupt injection paths Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 08/18] mshv: Fix level-triggered check on uninitialized data Stanislav Kinsburskii
2026-05-13 12:14 ` Anirudh Rayabharam
2026-05-13 17:38 ` Stanislav Kinsburskii
2026-05-07 15:43 ` [PATCH v4 09/18] mshv: Fix duplicate GSI detection for GSI 0 Stanislav Kinsburskii
2026-05-13 11:36 ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 10/18] mshv: portid_table: Make mshv_portid_lookup() RCU-aware by contract Stanislav Kinsburskii
2026-05-13 11:20 ` Anirudh Rayabharam
2026-05-07 15:43 ` [PATCH v4 11/18] mshv: Fix sleeping under spinlock in mshv_portid_alloc Stanislav Kinsburskii
2026-05-11 3:33 ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 12/18] mshv: Use kfree_rcu in mshv_portid_free Stanislav Kinsburskii
2026-05-13 11:22 ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 13/18] mshv: Add missing vp_index bounds check in intercept ISR Stanislav Kinsburskii
2026-05-13 5:32 ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 14/18] mshv: Order pt_vp_array publish against irqfd assertion path Stanislav Kinsburskii
2026-05-13 9:57 ` Anirudh Rayabharam [this message]
2026-05-07 15:44 ` [PATCH v4 15/18] mshv: Defer mshv_vp free to an RCU grace period Stanislav Kinsburskii
2026-05-13 10:11 ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 16/18] mshv: Validate scheduler message bounds from hypervisor Stanislav Kinsburskii
2026-05-13 11:12 ` Anirudh Rayabharam
2026-05-13 17:39 ` Stanislav Kinsburskii
2026-05-07 15:44 ` [PATCH v4 17/18] mshv: Publish VP to pt_vp_array before installing the file descriptor Stanislav Kinsburskii
2026-05-11 14:26 ` Anirudh Rayabharam
2026-05-11 15:29 ` Stanislav Kinsburskii
2026-05-12 12:46 ` Anirudh Rayabharam
2026-05-07 15:44 ` [PATCH v4 18/18] mshv: Fix missing error code on VP allocation failure Stanislav Kinsburskii
2026-05-11 3:35 ` Anirudh Rayabharam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513-wealthy-prudent-tortoise-94deab@anirudhrb \
--to=anirudh@anirudhrb.com \
--cc=decui@microsoft.com \
--cc=haiyangz@microsoft.com \
--cc=kys@microsoft.com \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=longli@microsoft.com \
--cc=skinsburskii@linux.microsoft.com \
--cc=wei.liu@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox