[0/3] KVM: PPC: Fix host kernel crash with PR KVM

Message ID 158455340419.178873.11399595021669446372.stgit@bahia.lan

Message

Greg Kurz March 18, 2020, 5:43 p.m. UTC
Recent cleanup from Sean Christopherson introduced a use-after-free
condition that crashes the kernel when shutting down the VM with
PR KVM. It went unnoticed so far because PR isn't tested/used much
these days (mostly used for nested on POWER8, not supported on POWER9
where HV should be used for nested), and other KVM implementations for
ppc are unaffected.

This all boils down to the fact that the path that frees the per-vCPU
MMU data goes through a complex set of indirections. This obfuscates
the code to the point that we didn't realize that the MMU data was
now being freed too early. And worse, most of the indirection isn't
needed because only PR KVM has some MMU data to free when the vCPU is
destroyed.

Fix the issue (patch 1) and simplify the code (patch 2 and 3).

--
Greg

---

Greg Kurz (3):
      KVM: PPC: Fix kernel crash with PR KVM
      KVM: PPC: Move kvmppc_mmu_init() PR KVM
      KVM: PPC: Kill kvmppc_ops::mmu_destroy() and kvmppc_mmu_destroy()


 arch/powerpc/include/asm/kvm_ppc.h    |    3 ---
 arch/powerpc/kvm/book3s.c             |    5 -----
 arch/powerpc/kvm/book3s.h             |    1 +
 arch/powerpc/kvm/book3s_32_mmu_host.c |    2 +-
 arch/powerpc/kvm/book3s_64_mmu_host.c |    2 +-
 arch/powerpc/kvm/book3s_hv.c          |    6 ------
 arch/powerpc/kvm/book3s_pr.c          |    4 ++--
 arch/powerpc/kvm/booke.c              |    5 -----
 arch/powerpc/kvm/booke.h              |    2 --
 arch/powerpc/kvm/e500.c               |    1 -
 arch/powerpc/kvm/e500_mmu.c           |    4 ----
 arch/powerpc/kvm/e500mc.c             |    1 -
 arch/powerpc/kvm/powerpc.c            |    2 --
 13 files changed, 5 insertions(+), 33 deletions(-)
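To make the ordering problem the cover letter describes concrete, here is a small constructed C model (added here for illustration; it is not the kernel code and none of the struct or function names, such as `vcpu_ops`, `mmu_destroy`, `mmu_touch` or `run_teardown`, exist in arch/powerpc/kvm). It models per-vCPU MMU data that only the PR flavour allocates, a generic destroy path that releases it through an ops hook before a later user touches it, and the shape of the fix: drop the hook and let the PR-specific vcpu free routine release its own data last. A lifecycle flag stands in for a real free() so the model records the use-after-free instead of crashing.

```c
/*
 * Constructed model of the teardown ordering bug (hypothetical names,
 * not kernel code). Per-vCPU MMU data is released through an ops
 * indirection and then touched again later in the generic destroy path.
 */
#include <stdio.h>

struct mmu_data {
    int hpte_count;         /* stand-in for PR KVM's shadow MMU state */
};

struct vcpu {
    struct mmu_data *mmu;   /* only the PR flavour allocates this */
    int mmu_released;       /* lifecycle tracker in place of a real free() */
    int use_after_free;     /* accesses to mmu after it was released */
};

struct vcpu_ops {
    const char *name;
    void (*mmu_destroy)(struct vcpu *);  /* the hook the series removes */
    void (*vcpu_free)(struct vcpu *);
};

/* Release the MMU data; recorded rather than freed so we can detect misuse. */
static void mmu_release(struct vcpu *v)
{
    if (v->mmu)
        v->mmu_released = 1;
}

/* A late user of the MMU data somewhere in the generic destroy path. */
static void mmu_touch(struct vcpu *v)
{
    if (!v->mmu)
        return;                 /* HV / booke: nothing to touch */
    if (v->mmu_released) {
        v->use_after_free++;    /* a real kernel dereferences freed memory here */
        return;
    }
    v->mmu->hpte_count = 0;
}

static void pr_mmu_destroy(struct vcpu *v) { mmu_release(v); }
static void pr_vcpu_free_old(struct vcpu *v) { (void)v; }   /* relied on the hook */
static void pr_vcpu_free_new(struct vcpu *v) { mmu_release(v); } /* owns its data */
static void hv_vcpu_free(struct vcpu *v) { (void)v; }       /* no MMU data to free */

/* Before: the hook fires first, then generic code still uses the data. */
static void generic_vcpu_destroy_buggy(struct vcpu *v, const struct vcpu_ops *ops)
{
    if (ops->mmu_destroy)
        ops->mmu_destroy(v);
    mmu_touch(v);
    ops->vcpu_free(v);
}

/* After: no hook; the flavour-specific free runs last and releases its own data. */
static void generic_vcpu_destroy_fixed(struct vcpu *v, const struct vcpu_ops *ops)
{
    mmu_touch(v);
    ops->vcpu_free(v);
}

/* Run one teardown and return how many use-after-free accesses occurred. */
int run_teardown(int is_pr, int fixed)
{
    static const struct vcpu_ops pr_old = { "pr-old", pr_mmu_destroy, pr_vcpu_free_old };
    static const struct vcpu_ops pr_new = { "pr-new", NULL, pr_vcpu_free_new };
    static const struct vcpu_ops hv     = { "hv",     NULL, hv_vcpu_free };
    struct mmu_data mmu = { .hpte_count = 16 };   /* constructed sample state */
    struct vcpu v = { 0 };
    const struct vcpu_ops *ops = is_pr ? (fixed ? &pr_new : &pr_old) : &hv;

    if (is_pr)
        v.mmu = &mmu;
    if (fixed)
        generic_vcpu_destroy_fixed(&v, ops);
    else
        generic_vcpu_destroy_buggy(&v, ops);
    return v.use_after_free;
}

int main(void)
{
    printf("PR, buggy ordering : %d use-after-free\n", run_teardown(1, 0));
    printf("PR, fixed ordering : %d use-after-free\n", run_teardown(1, 1));
    printf("HV, buggy ordering : %d use-after-free\n", run_teardown(0, 0));
    printf("HV, fixed ordering : %d use-after-free\n", run_teardown(0, 1));
    return 0;
}
```

The HV cases come out clean in both orderings because that flavour never allocates the data, which mirrors why only PR KVM was affected; removing the indirection makes the single owner of the data responsible for releasing it at the end of its own free path.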

Comments

Paul Mackerras March 19, 2020, 11:34 p.m. UTC | #1
On Wed, Mar 18, 2020 at 06:43:24PM +0100, Greg Kurz wrote:
> Recent cleanup from Sean Christopherson introduced a use-after-free
> condition that crashes the kernel when shutting down the VM with
> PR KVM. It went unnoticed so far because PR isn't tested/used much
> these days (mostly used for nested on POWER8, not supported on POWER9
> where HV should be used for nested), and other KVM implementations for
> ppc are unaffected.
> 
> This all boils down to the fact that the path that frees the per-vCPU
> MMU data goes through a complex set of indirections. This obfuscates
> the code to the point that we didn't realize that the MMU data was
> now being freed too early. And worse, most of the indirection isn't
> needed because only PR KVM has some MMU data to free when the vCPU is
> destroyed.
> 
> Fix the issue (patch 1) and simplify the code (patch 2 and 3).

I have put this series in my kvm-ppc-next branch, and I believe
Michael Ellerman is putting patch 1 in his fixes branch so it gets
into 5.6.

Thanks,
Paul.