KVM: arm64: Free hyp-share tracking node when share hypercall fails

share_pfn_hyp() inserts a tracking node into hyp_shared_pfns and
then invokes __pkvm_host_share_hyp. If the hypercall rejects the
share (page-state mismatch at EL2), the node stays in the tree
with refcount 1: a phantom share that leaks the allocation and
that a later unshare will trust.

Erase the node and free it on hypercall failure.

Fixes: a83e2191b7f1 ("KVM: arm64: pkvm: Refcount the pages shared with EL2")
Reported-by: Sashiko (local):gemini-3.1-pro
Suggested-by: Vincent Donnefort <vdonnefort@google.com>
Signed-off-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Vincent Donnefort <vdonnefort@google.com>
Link: https://patch.msgid.link/20260529121755.2923500-2-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index d089c107d9b7112b4fa3d1ef5c53595ee4cf8fcf..0abf3a2d587b45e347be32343fea914cb086b660 100644 (file)
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -501,6 +501,10 @@ static int share_pfn_hyp(u64 pfn)
        rb_link_node(&this->node, parent, node);
        rb_insert_color(&this->node, &hyp_shared_pfns);
        ret = kvm_call_hyp_nvhe(__pkvm_host_share_hyp, pfn);
+       if (ret) {
+               rb_erase(&this->node, &hyp_shared_pfns);
+               kfree(this);
+       }
 unlock:
        mutex_unlock(&hyp_shared_pfns_lock);