github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-29 17:43:52 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

mshv: Fix use-after-free in mshv_map_user_memory error path

Browse Source 
In the error path of mshv_map_user_memory(), calling vfree() directly on
the region leaves the MMU notifier registered. When userspace later unmaps
the memory, the notifier fires and accesses the freed region, causing a
use-after-free and potential kernel panic.

Replace vfree() with mshv_partition_put() to properly unregister
the MMU notifier before freeing the region.

Fixes: b9a66cd5cc ("mshv: Add support for movable memory regions")
Signed-off-by: Stanislav Kinsburskii <skinsburskii@linux.microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
This commit is contained in:
Stanislav Kinsburskii 2026-03-12 16:02:53 +00:00 committed by Wei Liu
parent 0fc773b0e4
commit 6922db2504
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/hv/mshv_root_main.c
View File

@ -1347,7 +1347,7 @@ mshv_map_user_memory(struct mshv_partition *partition,
return 0;
errout:
vfree(region);
mshv_region_put(region);
return ret;
}