KVM: arm64: Don't leak PFN when kvm_translate_vncr() races MMU notifier

In the case that kvm_translate_vncr() races with an MMU notifier the
early return does not release a reference on the faulted in PFN. Add
the necessary call to kvm_release_faultin_page() for the unused PFN.

Cc: stable@vger.kernel.org
Fixes: 069a05e535496 ("KVM: arm64: nv: Handle VNCR_EL2-triggered faults")
Reported-by: Sashiko (local):gemini-3.1-pro
Signed-off-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260602235450.103057-2-oupton@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>

diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index 883b6c1008fbb96a43f3d62c983f5c5293a6e800..4fa82e96454dd61287faf9331d477389e2091cd1 100644 (file)
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -1326,8 +1326,10 @@ static int kvm_translate_vncr(struct kvm_vcpu *vcpu, bool *is_gmem)
        }
 
        scoped_guard(write_lock, &vcpu->kvm->mmu_lock) {
-               if (mmu_invalidate_retry(vcpu->kvm, mmu_seq))
+               if (mmu_invalidate_retry(vcpu->kvm, mmu_seq)) {
+                       kvm_release_faultin_page(vcpu->kvm, page, true, false);
                        return -EAGAIN;
+               }
 
                vt->gva = va;
                vt->hpa = pfn << PAGE_SHIFT;