This change disables la57 paging on the mshv hypervisor, both in the
mshv processor feature bitmap and by masking the cpuid feature leaf to the
guest.
Since the removal of hypervisor-assisted gva=>gpa translation in
1c85a4a3d7 we have seen MMIO errors in guests on la57-enabled hw. We
will have to investigate and test this further.
Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
---
accel/mshv/mshv-all.c | 7 +++++++
target/i386/mshv/mshv-cpu.c | 6 ++++++
2 files changed, 13 insertions(+)
diff --git a/accel/mshv/mshv-all.c b/accel/mshv/mshv-all.c
index eab967ff07..ea3aacf6e0 100644
--- a/accel/mshv/mshv-all.c
+++ b/accel/mshv/mshv-all.c
@@ -142,6 +142,8 @@ static int create_partition(int mshv_fd, int *vm_fd)
int ret;
uint64_t pt_flags, host_proc_features;
union hv_partition_processor_xsave_features disabled_xsave_features;
+ union hv_partition_processor_features disabled_proc_features = {0};
+
struct mshv_create_partition_v2 args = {0};
uint32_t feature_banks[] = {
HV_PARTITION_PROPERTY_PROCESSOR_FEATURES0,
@@ -181,6 +183,11 @@ static int create_partition(int mshv_fd, int *vm_fd)
}
args.pt_cpu_fbanks[1] = ~host_proc_features;
+ /* features we disable regardless of host support */
+ disabled_proc_features.la57_support = 1;
+ args.pt_cpu_fbanks[0] |= disabled_proc_features.as_uint64[0];
+ args.pt_cpu_fbanks[1] |= disabled_proc_features.as_uint64[1];
+
/* populate args structure */
args.pt_flags = pt_flags;
args.pt_isolation = MSHV_PT_ISOLATION_NONE;
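Review bot: The comment above the new block, `/* features we disable regardless of host support */`, states the mechanism but not the reason, and the reason is recorded only in the mshv-cpu.c hunk of this same patch; the partition-level mask here and the CPUID mask in mshv_get_supported_cpuid() have to stay in step (a guest that sees LA57 in CPUID but cannot enable it in the partition, or the reverse, is an inconsistency a later edit to either site could introduce), so each site should point at the other. I would extend it to `/* features we disable regardless of host support: LA57 is also masked in mshv_get_supported_cpuid() (mshv-cpu.c) until the emulator's page-table walk handles 5-level paging; keep both in sync */`, and add the matching cross-reference to the comment in the mshv-cpu.c hunk. The declaration added in the first hunk needs nothing further. create_partition() starts and ends outside both hunks.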
diff --git a/target/i386/mshv/mshv-cpu.c b/target/i386/mshv/mshv-cpu.c
index 2c66a52709..31fb788657 100644
--- a/target/i386/mshv/mshv-cpu.c
+++ b/target/i386/mshv/mshv-cpu.c
@@ -1677,6 +1677,12 @@ uint32_t mshv_get_supported_cpuid(uint32_t func, uint32_t idx, int reg)
*/
if (func == 0x07 && idx == 0 && reg == R_ECX) {
ret &= ~CPUID_7_0_ECX_CET_SHSTK;
+ /*
+ * LA57 (5-level paging) causes incorrect GVA=>GPA translations
+ * in the instruction decoder/emulator. Disable until page table
+ * walk in x86_mmu.c works w/ 5-level paging.
+ */
+ ret &= ~CPUID_7_0_ECX_LA57;
}
if (func == 0x07 && idx == 0 && reg == R_EDX) {
ret &= ~CPUID_7_0_EDX_CET_IBT;
--
2.34.1
> On 11. Mar 2026, at 12:35, Magnus Kulke <magnuskulke@linux.microsoft.com> wrote:
>
> This change disable la57 paging on the mshv hypervisor on both the
> mshv processor feature bitmap and mask the cpuid feature leaf to the
> guest.
>
> Since the removal of hypervisor-assisted gva=>gpa translation in
> 1c85a4a3d7 we have seen MMIO errors in guests on la57-enabled hw. We
> will have to investigate and test this further.
Hello,
This should already be fixed on master since yesterday. Can you repro this?
Thank you,
-Mohamed
>
> Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
> ---
> accel/mshv/mshv-all.c | 7 +++++++
> target/i386/mshv/mshv-cpu.c | 6 ++++++
> 2 files changed, 13 insertions(+)
>
> diff --git a/accel/mshv/mshv-all.c b/accel/mshv/mshv-all.c
> index eab967ff07..ea3aacf6e0 100644
> --- a/accel/mshv/mshv-all.c
> +++ b/accel/mshv/mshv-all.c
> @@ -142,6 +142,8 @@ static int create_partition(int mshv_fd, int *vm_fd)
> int ret;
> uint64_t pt_flags, host_proc_features;
> union hv_partition_processor_xsave_features disabled_xsave_features;
> + union hv_partition_processor_features disabled_proc_features = {0};
> +
> struct mshv_create_partition_v2 args = {0};
> uint32_t feature_banks[] = {
> HV_PARTITION_PROPERTY_PROCESSOR_FEATURES0,
> @@ -181,6 +183,11 @@ static int create_partition(int mshv_fd, int *vm_fd)
> }
> args.pt_cpu_fbanks[1] = ~host_proc_features;
>
> + /* features we disable regardless of host support */
> + disabled_proc_features.la57_support = 1;
> + args.pt_cpu_fbanks[0] |= disabled_proc_features.as_uint64[0];
> + args.pt_cpu_fbanks[1] |= disabled_proc_features.as_uint64[1];
> +
> /* populate args structure */
> args.pt_flags = pt_flags;
> args.pt_isolation = MSHV_PT_ISOLATION_NONE;
> diff --git a/target/i386/mshv/mshv-cpu.c b/target/i386/mshv/mshv-cpu.c
> index 2c66a52709..31fb788657 100644
> --- a/target/i386/mshv/mshv-cpu.c
> +++ b/target/i386/mshv/mshv-cpu.c
> @@ -1677,6 +1677,12 @@ uint32_t mshv_get_supported_cpuid(uint32_t func, uint32_t idx, int reg)
> */
> if (func == 0x07 && idx == 0 && reg == R_ECX) {
> ret &= ~CPUID_7_0_ECX_CET_SHSTK;
> + /*
> + * LA57 (5-level paging) causes incorrect GVA=>GPA translations
> + * in the instruction decoder/emulator. Disable until page table
> + * walk in x86_mmu.c works w/ 5-level paging.
> + */
> + ret &= ~CPUID_7_0_ECX_LA57;
> }
> if (func == 0x07 && idx == 0 && reg == R_EDX) {
> ret &= ~CPUID_7_0_EDX_CET_IBT;
> --
> 2.34.1
>
>
On Wed, Mar 11, 2026 at 12:54:12PM +0100, Mohamed Mediouni wrote: > This should already be fixed on master since yesterday. Can you repro this? > Hey Mohamed, if you refer to "cb02fc2284 target/i386: emulate: LA57 fix", I don't think that was sufficient. It addressed a stack smashing issue, but the guest would still run into MMIO problems on la57-enabled hw.
> On 11. Mar 2026, at 16:17, Magnus Kulke <magnuskulke@linux.microsoft.com> wrote: > > On Wed, Mar 11, 2026 at 12:54:12PM +0100, Mohamed Mediouni wrote: > >> This should already be fixed on master since yesterday. Can you repro this? >> > > Hey Mohamed, > > if you refer to "cb02fc2284 target/i386: emulate: LA57 fix", I don't > think that was sufficient. It addressed a stack smashing issue, but the > guest would still run into MMIO problems on la57-enabled hw. Hello, Thank you, I’ll test this further. Boot-tested it on an Alpine Linux VM but looks like that wasn’t enough... FYI I added a new callback interface in x86_emul_ops (mmu_gva_to_gpa) to support adding the Hyper-V page table walker, but if it’s anything like the WHP one it’s going to be very slow… which is why I moved to the new interface in the first place.
On Wed, Mar 11, 2026 at 04:31:41PM +0100, Mohamed Mediouni wrote:
> Thank you, I’ll test this further. Boot-tested it on an Alpine Linux VM but looks like
> that wasn’t enough...
>
> FYI I added a new callback interface in x86_emul_ops (mmu_gva_to_gpa) to support
> adding the Hyper-V page table walker, but if it’s anything like the WHP one it’s going to
> be very slow… which is why I moved to the new interface in the first place.
hmm, I quickly tried that and implemented a hook like this:
/*
 * Emulator hook: translate a guest virtual address to a guest physical
 * address, delegating the page-table walk to the hypervisor.
 *
 * With paging disabled the address is returned unchanged. Otherwise the
 * requested access (write, execute, or read by default) is mapped onto the
 * corresponding HV_TRANSLATE_GVA_VALIDATE_* flag and translate_gva() is
 * asked to validate it. Any translate_gva() failure is reported as
 * MMU_TRANSLATE_PAGE_NOT_MAPPED; the hypervisor's more specific fault
 * reason is not propagated to the caller.
 *
 * NOTE(review): if both VALIDATE_WRITE and VALIDATE_EXECUTE are set, write
 * takes precedence — confirm callers never request both at once.
 */
static MMUTranslateResult gva_to_gpa(CPUState *cpu, target_ulong gva,
                                     uint64_t *gpa, MMUTranslateFlags flags)
{
    /* identity mapping while the guest has paging switched off */
    if (!x86_is_paging_mode(cpu)) {
        *gpa = gva;
        return MMU_TRANSLATE_SUCCESS;
    }

    const uint64_t access =
        (flags & MMU_TRANSLATE_VALIDATE_WRITE)   ? HV_TRANSLATE_GVA_VALIDATE_WRITE :
        (flags & MMU_TRANSLATE_VALIDATE_EXECUTE) ? HV_TRANSLATE_GVA_VALIDATE_EXECUTE :
                                                   HV_TRANSLATE_GVA_VALIDATE_READ;

    return translate_gva(cpu, gva, gpa, access) < 0
           ? MMU_TRANSLATE_PAGE_NOT_MAPPED
           : MMU_TRANSLATE_SUCCESS;
}
/*
 * Emulator callbacks supplied by the mshv accelerator: segment descriptor
 * reads and the hypervisor-backed GVA->GPA translation implemented by
 * gva_to_gpa() in this file.
 */
static const struct x86_emul_ops mshv_x86_emul_ops = {
    .mmu_gva_to_gpa = gva_to_gpa,
    .read_segment_descriptor = read_segment_descriptor,
};
but without explicitly disabling la57, I still see the same MMIO errors
during guest boot (ubuntu jammy). probably needs more investigation. I
think for now disabling la57 seems ok.