Commit 2fc0f3e2 authored Mar 27, 2026 by Will Deacon Committed by Marc Zyngier Apr 01, 2026

KVM: arm64: Don't leave mmu->pgt dangling on kvm_init_stage2_mmu() error

If kvm_init_stage2_mmu() fails to allocate 'mmu->last_vcpu_ran', it
destroys the newly allocated stage-2 page-table before returning ENOMEM.

Unfortunately, it also leaves a dangling pointer in 'mmu->pgt' which
points at the freed 'kvm_pgtable' structure. This is likely to confuse
the kvm_vcpu_init_nested() failure path which can double-free the
structure if it finds it via kvm_free_stage2_pgd().

Ensure that the dangling 'mmu->pgt' pointer is cleared when returning an
error from kvm_init_stage2_mmu().

Link: https://sashiko.dev/#/patchset/20260327140039.21228-1-will%40kernel.org?patch=12265

Signed-off-by: Will Deacon <will@kernel.org>
Link: https://patch.msgid.link/20260327192758.21739-2-will@kernel.org

Signed-off-by: Marc Zyngier <maz@kernel.org>

parent cf6348af

arch/arm64/kvm/mmu.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1013,6 +1013,7 @@ int kvm_init_stage2_mmu(struct kvm kvm, struct kvm_s2_mmu mmu, unsigned long t

		out_destroy_pgtable:
		kvm_stage2_destroy(pgt);
		mmu->pgt = NULL;
		out_free_pgtable:
		kfree(pgt);
		return err;