Commit 6922db25 authored Mar 12, 2026 by Stanislav Kinsburskii Committed by Wei Liu Mar 13, 2026

mshv: Fix use-after-free in mshv_map_user_memory error path



In the error path of mshv_map_user_memory(), calling vfree() directly on
the region leaves the MMU notifier registered. When userspace later unmaps
the memory, the notifier fires and accesses the freed region, causing a
use-after-free and potential kernel panic.

Replace vfree() with mshv_partition_put() to properly unregister
the MMU notifier before freeing the region.

Fixes: b9a66cd5 ("mshv: Add support for movable memory regions")
Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>

parent 0fc773b0

drivers/hv/mshv_root_main.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1347,7 +1347,7 @@ mshv_map_user_memory(struct mshv_partition *partition,
		return 0;

		errout:
		vfree(region);
		mshv_region_put(region);
		return ret;
		}