This change disables la57 paging on the mshv hypervisor, both in the
mshv processor feature bitmap and by masking the cpuid feature leaf to
the guest.
Since the removal of hypervisor-assisted gva=>gpa translation in
1c85a4a3d7 we have seen MMIO errors in guests on la57-enabled hw. We
will have to investigate and test this further.
Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
---
accel/mshv/mshv-all.c | 7 +++++++
include/system/mshv_int.h | 2 ++
target/i386/mshv/mshv-cpu.c | 12 ++++++++++++
3 files changed, 21 insertions(+)
diff --git a/accel/mshv/mshv-all.c b/accel/mshv/mshv-all.c
index c50641f174..a557623531 100644
--- a/accel/mshv/mshv-all.c
+++ b/accel/mshv/mshv-all.c
@@ -142,6 +142,8 @@ static int create_partition(int mshv_fd, int *vm_fd)
int ret;
uint64_t pt_flags, host_proc_features;
union hv_partition_processor_xsave_features disabled_xsave_features;
+ union hv_partition_processor_features disabled_partition_features = {0};
+
struct mshv_create_partition_v2 args = {0};
QEMU_BUILD_BUG_ON(MSHV_NUM_CPU_FEATURES_BANKS != 2);
@@ -177,6 +179,11 @@ static int create_partition(int mshv_fd, int *vm_fd)
}
args.pt_cpu_fbanks[1] = ~host_proc_features;
+ /* arch-specific features we disable regardless of host support */
+ mshv_arch_disable_partition_proc_features(&disabled_partition_features);
+ args.pt_cpu_fbanks[0] |= disabled_partition_features.as_uint64[0];
+ args.pt_cpu_fbanks[1] |= disabled_partition_features.as_uint64[1];
+
/* populate args structure */
args.pt_flags = pt_flags;
args.pt_isolation = MSHV_PT_ISOLATION_NONE;
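Review bot: The two `|=` lines feed `disabled_partition_features.as_uint64[0]`/`[1]` straight into `args.pt_cpu_fbanks[0]`/`[1]`, so the union's qword layout is silently assumed to match the two feature banks the driver consumes, and the existing QEMU_BUILD_BUG_ON only pins the bank count, not the size of the union. If both are fixed-size arrays, a second build-time check next to it would make the coupling explicit: `QEMU_BUILD_BUG_ON(sizeof(disabled_partition_features.as_uint64) != sizeof(args.pt_cpu_fbanks));`. Since bank 1 is derived from `~host_proc_features` just above, the banks appear to be disable masks, so OR-ing the forced-off bits in is the right direction; a one-line comment stating that the banks are disable masks would help a reader arriving from the CPUID side. create_partition() begins and ends outside this hunk.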
diff --git a/include/system/mshv_int.h b/include/system/mshv_int.h
index 35386c422f..ca156cdf4b 100644
--- a/include/system/mshv_int.h
+++ b/include/system/mshv_int.h
@@ -94,6 +94,8 @@ void mshv_arch_init_vcpu(CPUState *cpu);
void mshv_arch_destroy_vcpu(CPUState *cpu);
void mshv_arch_amend_proc_features(
union hv_partition_synthetic_processor_features *features);
+void mshv_arch_disable_partition_proc_features(
+ union hv_partition_processor_features *disabled_features);
int mshv_arch_post_init_vm(int vm_fd);
typedef struct mshv_root_hvcall mshv_root_hvcall;
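Review bot: The new prototype after mshv_arch_amend_proc_features carries no comment on its contract, while the implementation only sets bits and never clears any, so the caller has to hand in a zeroed union (create_partition() relies on its `= {0}` initialiser for this). A short header comment would make that explicit, e.g. `/* Set the bits of features to disable regardless of host support; *disabled_features must be zeroed by the caller. */`.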
diff --git a/target/i386/mshv/mshv-cpu.c b/target/i386/mshv/mshv-cpu.c
index 2c66a52709..433f7a4069 100644
--- a/target/i386/mshv/mshv-cpu.c
+++ b/target/i386/mshv/mshv-cpu.c
@@ -1111,6 +1111,12 @@ void mshv_arch_amend_proc_features(
features->access_guest_idle_reg = 1;
}
+void mshv_arch_disable_partition_proc_features(
+ union hv_partition_processor_features *disabled_features)
+{
+ disabled_features->la57_support = 1;
+}
+
static int set_memory_info(const struct hyperv_message *msg,
struct hv_x64_memory_intercept_message *info)
{
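Review bot: The new mshv_arch_disable_partition_proc_features() sets `la57_support = 1` with no explanation, while the rationale and the matching guest-visible mask live in the second hunk of this file (the `CPUID_7_0_ECX_LA57` clear in mshv_get_supported_cpuid()); presumably both need to be lifted together once the page-walk issue is resolved, yet nothing ties them to each other. Suggest a comment above the assignment: `/* Keep in sync with the CPUID_7_0_ECX_LA57 mask in mshv_get_supported_cpuid(): LA57 breaks GVA=>GPA translation in the emulator's page walk. */`. A cross-reference in the other direction, in the comment of the CPUID hunk, would round it off.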
@@ -1677,6 +1683,12 @@ uint32_t mshv_get_supported_cpuid(uint32_t func, uint32_t idx, int reg)
*/
if (func == 0x07 && idx == 0 && reg == R_ECX) {
ret &= ~CPUID_7_0_ECX_CET_SHSTK;
+ /*
+ * LA57 (5-level paging) causes incorrect GVA=>GPA translations
+ * in the instruction decoder/emulator. Disable until page table
+ * walk in x86_mmu.c works w/ 5-level paging.
+ */
+ ret &= ~CPUID_7_0_ECX_LA57;
}
if (func == 0x07 && idx == 0 && reg == R_EDX) {
ret &= ~CPUID_7_0_EDX_CET_IBT;
--
2.34.1
On 3/23/26 12:57, Magnus Kulke wrote:
> This change disable la57 paging on the mshv hypervisor on both the
> mshv processor feature bitmap and mask the cpuid feature leaf to the
> guest.
>
> Since the removal of hypervisor-assisted gva=>gpa translation in
> 1c85a4a3d7 we have seen MMIO errors in guests on la57-enabled hw. We
> will have to investigate and test this further.
>
> Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Is this still true with the latest target/i386/emulate changes from 11.0?
Paolo
> ---
> accel/mshv/mshv-all.c | 7 +++++++
> include/system/mshv_int.h | 2 ++
> target/i386/mshv/mshv-cpu.c | 12 ++++++++++++
> 3 files changed, 21 insertions(+)
>
> diff --git a/accel/mshv/mshv-all.c b/accel/mshv/mshv-all.c
> index c50641f174..a557623531 100644
> --- a/accel/mshv/mshv-all.c
> +++ b/accel/mshv/mshv-all.c
> @@ -142,6 +142,8 @@ static int create_partition(int mshv_fd, int *vm_fd)
> int ret;
> uint64_t pt_flags, host_proc_features;
> union hv_partition_processor_xsave_features disabled_xsave_features;
> + union hv_partition_processor_features disabled_partition_features = {0};
> +
> struct mshv_create_partition_v2 args = {0};
>
> QEMU_BUILD_BUG_ON(MSHV_NUM_CPU_FEATURES_BANKS != 2);
> @@ -177,6 +179,11 @@ static int create_partition(int mshv_fd, int *vm_fd)
> }
> args.pt_cpu_fbanks[1] = ~host_proc_features;
>
> + /* arch-specific features we disable regardless of host support */
> + mshv_arch_disable_partition_proc_features(&disabled_partition_features);
> + args.pt_cpu_fbanks[0] |= disabled_partition_features.as_uint64[0];
> + args.pt_cpu_fbanks[1] |= disabled_partition_features.as_uint64[1];
> +
> /* populate args structure */
> args.pt_flags = pt_flags;
> args.pt_isolation = MSHV_PT_ISOLATION_NONE;
> diff --git a/include/system/mshv_int.h b/include/system/mshv_int.h
> index 35386c422f..ca156cdf4b 100644
> --- a/include/system/mshv_int.h
> +++ b/include/system/mshv_int.h
> @@ -94,6 +94,8 @@ void mshv_arch_init_vcpu(CPUState *cpu);
> void mshv_arch_destroy_vcpu(CPUState *cpu);
> void mshv_arch_amend_proc_features(
> union hv_partition_synthetic_processor_features *features);
> +void mshv_arch_disable_partition_proc_features(
> + union hv_partition_processor_features *disabled_features);
> int mshv_arch_post_init_vm(int vm_fd);
>
> typedef struct mshv_root_hvcall mshv_root_hvcall;
> diff --git a/target/i386/mshv/mshv-cpu.c b/target/i386/mshv/mshv-cpu.c
> index 2c66a52709..433f7a4069 100644
> --- a/target/i386/mshv/mshv-cpu.c
> +++ b/target/i386/mshv/mshv-cpu.c
> @@ -1111,6 +1111,12 @@ void mshv_arch_amend_proc_features(
> features->access_guest_idle_reg = 1;
> }
>
> +void mshv_arch_disable_partition_proc_features(
> + union hv_partition_processor_features *disabled_features)
> +{
> + disabled_features->la57_support = 1;
> +}
> +
> static int set_memory_info(const struct hyperv_message *msg,
> struct hv_x64_memory_intercept_message *info)
> {
> @@ -1677,6 +1683,12 @@ uint32_t mshv_get_supported_cpuid(uint32_t func, uint32_t idx, int reg)
> */
> if (func == 0x07 && idx == 0 && reg == R_ECX) {
> ret &= ~CPUID_7_0_ECX_CET_SHSTK;
> + /*
> + * LA57 (5-level paging) causes incorrect GVA=>GPA translations
> + * in the instruction decoder/emulator. Disable until page table
> + * walk in x86_mmu.c works w/ 5-level paging.
> + */
> + ret &= ~CPUID_7_0_ECX_LA57;
> }
> if (func == 0x07 && idx == 0 && reg == R_EDX) {
> ret &= ~CPUID_7_0_EDX_CET_IBT;
On Fri, Mar 27, 2026 at 05:08:34PM +0100, Paolo Bonzini wrote: ah pardon, I referenced the wrong commit. The fix for the overflow that I tested (and that was apparently not sufficient) was cb02fc2284. best, magnus
On Fri, Mar 27, 2026 at 05:08:34PM +0100, Paolo Bonzini wrote: > Is this still true with the latest target/i386/emulate changes from 11.0? > > Paolo Unfortunately yes, d1d985a34d addresses an overflow issue, but we're still seeing MMIO errors after the change from TRANSLATE_GVA hypercall to the userland tablewalk for the mshv accelerator. I've tracked this issue and we will investigate further. best, magnus
On Mon, Mar 23, 2026 at 12:57:11PM +0100, Magnus Kulke wrote: > This change disable la57 paging on the mshv hypervisor on both the > mshv processor feature bitmap and mask the cpuid feature leaf to the > guest. > > Since the removal of hypervisor-assisted gva=>gpa translation in > 1c85a4a3d7 we have seen MMIO errors in guests on la57-enabled hw. We > will have to investigate and test this further. > > Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com> > --- > accel/mshv/mshv-all.c | 7 +++++++ > include/system/mshv_int.h | 2 ++ > target/i386/mshv/mshv-cpu.c | 12 ++++++++++++ > 3 files changed, 21 insertions(+) Reviewed-by: Anirudh Rayabharam (Microsoft) <anirudh@anirudhrb.com>