[PATCH 1/2] KVM: arm64: Free hyp-share tracking node when share hypercall fails

Next message: tabba: "[PATCH 0/2] KVM: arm64: Fix host/hyp tracking on share/unshare hypercall failure"
Previous message: Ding Hui: "Re:Re: [PATCH v2] net: stmmac: fix fatal bus error on resume by reinitializing RX buffers"
In reply to: tabba: "[PATCH 0/2] KVM: arm64: Fix host/hyp tracking on share/unshare hypercall failure"
Next in thread: tabba: "[PATCH 2/2] KVM: arm64: Avoid host/hyp share desync on unshare hypercall failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: tabba

Date: Fri May 29 2026 - 03:47:11 EST

share_pfn_hyp() inserts a tracking node into hyp_shared_pfns and
then invokes __pkvm_host_share_hyp. If the hypercall rejects the
share (page-state mismatch at EL2), the node stays in the tree
with refcount 1: a phantom share that leaks the allocation and
that a later unshare will trust.

Erase the node and free it on hypercall failure.

Fixes: a83e2191b7f1 ("KVM: arm64: pkvm: Refcount the pages shared with EL2")
Reported-by: Sashiko (local):gemini-3.1-pro
Signed-off-by: Fuad Tabba <tabba@xxxxxxxxxx>
---
arch/arm64/kvm/mmu.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 4da9281312eb..4a928fb003ff 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -501,6 +501,10 @@ static int share_pfn_hyp(u64 pfn)
rb_link_node(&this->node, parent, node);
rb_insert_color(&this->node, &hyp_shared_pfns);
ret = kvm_call_hyp_nvhe(__pkvm_host_share_hyp, pfn);
+ if (ret) {
+ rb_erase(&this->node, &hyp_shared_pfns);
+ kfree(this);
+ }
unlock:
mutex_unlock(&hyp_shared_pfns_lock);

--
2.54.0.929.g9b7fa37559-goog