David Gibson wrote:
> On Wed, Nov 29, 2017 at 11:38:22AM -0500, Serhii Popovych wrote:
>> It is possible to trigger use after free during HPT resize
>> causing host kernel to crash. More details and analysis of
>> the problem can be found in change with corresponding subject
>> (KVM: PPC: Book3S HV: Fix use after free in case of multiple
>> resize requests).
>>
>> We need some changes to prepare for the fix, especially
>> make ->error in HPT resize instance single point for
>> tracking allocation state, improve kvmppc_allocate_hpt()
>> and kvmppc_free_hpt() so they can be used more safely.
>>
>> See individual commit description message to get more
>> information on changes presented.
>
> I spoke with Paul Mackerras about these patches on IRC today. We want
> this as a fix, ASAP, in 4.15. However, he's uncomfortable with
> pushing some of the extra cleanups which aren't necessary for the bug fix
> this late for 4.15, and was having trouble following what was the core
> of the fix. He was also nervous about the addition of more BUG_ON()s.

Good, no problem, the cleanups will be pushed additionally.

>
> To avoid the round trip to Ukraine time and back, I've made revised
> versions of patches 1 & 3 which should apply standalone, replaced the
> BUG_ON()s with WARN_ON()s and revised the commit messages to better
> explain the crucial part of the fix.
>
> However, I've run out of time to test them.

I did the same test as for this v1 series and found no problem with the v2 you sent to me: it seems the patch improving kvmppc_allocate_hpt() and kvmppc_free_hpt() isn't actually necessary, as I had thought it was when submitting v1.

>
> Serhii, I'll send you my revised patches shortly. Can you please
> test them and repost. Then you can rebase patches 2 & 4 from this
> series on top of the revised patches and post those separately (as a
> cleanup with less urgency than the actual fix).

Tested with the same test case as with v1: no problem so far.

>
> A couple of people have also suggested CCing kvm@vger.kernel.org on
> the next round in addition to the lists already included.
>

Done.

--
Thanks,
Serhii