mshv: Fix use-after-free in mshv_map_user_memory error path

Stanislav Kinsburskii · liuw · commit 6922db250422 · 2026-03-13T21:11:18.000Z
In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and potential kernel panic. Replace vfree() with mshv_partition_put() to properly unregister the MMU notifier before freeing the region. Fixes: b9a66cd ("mshv: Add support for movable memory regions") Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com> Signed-off-by: Wei Liu <wei.liu@kernel.org>
diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
@@ -1347,7 +1347,7 @@ mshv_map_user_memory(struct mshv_partition *partition,
 	return 0;
 
 errout:
-	vfree(region);
+	mshv_region_put(region);
 	return ret;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1347,7 +1347,7 @@ mshv_map_user_memory(struct mshv_partition *partition,`
`1347`	`1347`	`return 0;`
`1348`	`1348`
`1349`	`1349`	`errout:`
`1350`		`- vfree(region);`
	`1350`	`+ mshv_region_put(region);`
`1351`	`1351`	`return ret;`
`1352`	`1352`	`}`
`1353`	`1353`