From: Paul Mackerras
Date: Thu, 19 Mar 2020 23:34:34 +0000
Subject: Re: [PATCH 0/3] KVM: PPC: Fix host kernel crash with PR KVM
Message-Id: <20200319233434.GF3260@blackberry>
References: <158455340419.178873.11399595021669446372.stgit@bahia.lan>
In-Reply-To: <158455340419.178873.11399595021669446372.stgit@bahia.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Greg Kurz
Cc: kvm-ppc@vger.kernel.org, Sean Christopherson, Paolo Bonzini, linuxppc-dev@lists.ozlabs.org

On Wed, Mar 18, 2020 at 06:43:24PM +0100, Greg Kurz wrote:
> Recent cleanup from Sean Christopherson introduced a use-after-free
> condition that crashes the kernel when shutting down the VM with
> PR KVM. It went unnoticed so far because PR isn't tested/used much
> these days (mostly used for nested on POWER8, not supported on POWER9
> where HV should be used for nested), and other KVM implementations for
> ppc are unaffected.
>
> This all boils down to the fact that the path that frees the per-vCPU
> MMU data goes through a complex set of indirections. This obfuscates
> the code to the point that we didn't realize that the MMU data was
> now being freed too early. And worse, most of the indirection isn't
> needed because only PR KVM has some MMU data to free when the vCPU is
> destroyed.
>
> Fix the issue (patch 1) and simplify the code (patch 2 and 3).

I have put this series in my kvm-ppc-next branch, and I believe Michael
Ellerman is putting patch 1 in his fixes branch so it gets into 5.6.

Thanks,
Paul.