[PATCH] mshv: Fix error handling in mshv_region_populate_pages

Next message: Audra Mitchell: "Re: [PATCH] selftests/mm: Fix soft-dirty kselftest supported check"
Previous message: Mathieu Poirier: "Re: [PATCH] remoteproc: xlnx: do not send new mailbox notification"
Next in thread: Michael Kelley: "RE: [PATCH] mshv: Fix error handling in mshv_region_populate_pages"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stanislav Kinsburskii

Date: Tue Mar 17 2026 - 11:15:07 EST

The current error handling has two issues:

First, pin_user_pages_fast() can return a short pin count (less than
requested but greater than zero) when it cannot pin all requested pages.
This is treated as success, leading to partially pinned regions being
used, which causes memory corruption.

Second, when an error occurs mid-loop, already pinned pages from the
current batch are not released before calling mshv_region_evict_pages(),
causing a page reference leak.

Fix by treating short pins as errors and explicitly unpinning the
partial batch before cleanup.

Signed-off-by: Stanislav Kinsburskii <skinsburskii@xxxxxxxxxxxxxxxxxxx>
---
drivers/hv/mshv_regions.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/hv/mshv_regions.c b/drivers/hv/mshv_regions.c
index c28aac0726de..fdffd4f002f6 100644
--- a/drivers/hv/mshv_regions.c
+++ b/drivers/hv/mshv_regions.c
@@ -314,15 +314,17 @@ int mshv_region_pin(struct mshv_mem_region *region)
ret = pin_user_pages_fast(userspace_addr, nr_pages,
FOLL_WRITE | FOLL_LONGTERM,
pages);
- if (ret < 0)
+ if (ret != nr_pages)
goto release_pages;
}

return 0;

release_pages:
+ if (ret > 0)
+ done_count += ret;
mshv_region_invalidate_pages(region, 0, done_count);
- return ret;
+ return ret < 0 ? ret : -ENOMEM;
}

static int mshv_region_chunk_unmap(struct mshv_mem_region *region,