mshv: Fix use-after-free in mshv_map_user_memory error path

Stanislav Kinsburskii · gregkh · commit 34861bdc0c01 · 2026-03-25T11:13:31.000+01:00
[ Upstream commit 6922db2 ] In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and potential kernel panic. Replace vfree() with mshv_partition_put() to properly unregister the MMU notifier before freeing the region. Fixes: b9a66cd ("mshv: Add support for movable memory regions") Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com> Signed-off-by: Wei Liu <wei.liu@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
@@ -1334,7 +1334,7 @@ mshv_map_user_memory(struct mshv_partition *partition,
 	return 0;
 
 errout:
-	vfree(region);
+	mshv_region_put(region);
 	return ret;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1334,7 +1334,7 @@ mshv_map_user_memory(struct mshv_partition *partition,`
`1334`	`1334`	`return 0;`
`1335`	`1335`
`1336`	`1336`	`errout:`
`1337`		`- vfree(region);`
	`1337`	`+ mshv_region_put(region);`
`1338`	`1338`	`return ret;`
`1339`	`1339`	`}`
`1340`	`1340`