On Thu, Mar 12, 2026 at 04:02:53PM +0000, Stanislav Kinsburskii wrote:
> In the error path of mshv_map_user_memory(), calling vfree() directly on
> the region leaves the MMU notifier registered. When userspace later unmaps
> the memory, the notifier fires and accesses the freed region, causing a
> use-after-free and potential kernel panic.
> 
> Replace vfree() with mshv_partition_put() to properly unregister
> the MMU notifier before freeing the region.
> 
> Fixes: b9a66cd5ccbb9 ("mshv: Add support for movable memory regions")
> Signed-off-by: Stanislav Kinsburskii <[email protected]>

Applied to hyperv-fixes. Thanks.
