[PATCH 0/3] KVM: PPC: Fix host kernel crash with PR KVM

Greg Kurz groug at kaod.org
Thu Mar 19 04:43:24 AEDT 2020


Recent cleanup from Sean Christopherson introduced a use-after-free
condition that crashes the kernel when shutting down the VM with
PR KVM. It went unnoticed so far because PR isn't tested/used much
these days (mostly used for nested on POWER8, not supported on POWER9
where HV should be used for nested), and other KVM implementations for
ppc are unaffected.

This all boils down to the fact that the path that frees the per-vCPU
MMU data goes through a complex set of indirections. This obfuscates
the code to the point that we didn't realize that the MMU data was
now being freed too early. And worse, most of the indirection isn't
needed because only PR KVM has some MMU data to free when the vCPU is
destroyed.

Fix the issue (patch 1) and simplify the code (patch 2 and 3).

--
Greg

---

Greg Kurz (3):
      KVM: PPC: Fix kernel crash with PR KVM
      KVM: PPC: Move kvmppc_mmu_init() PR KVM
      KVM: PPC: Kill kvmppc_ops::mmu_destroy() and kvmppc_mmu_destroy()


 arch/powerpc/include/asm/kvm_ppc.h    |    3 ---
 arch/powerpc/kvm/book3s.c             |    5 -----
 arch/powerpc/kvm/book3s.h             |    1 +
 arch/powerpc/kvm/book3s_32_mmu_host.c |    2 +-
 arch/powerpc/kvm/book3s_64_mmu_host.c |    2 +-
 arch/powerpc/kvm/book3s_hv.c          |    6 ------
 arch/powerpc/kvm/book3s_pr.c          |    4 ++--
 arch/powerpc/kvm/booke.c              |    5 -----
 arch/powerpc/kvm/booke.h              |    2 --
 arch/powerpc/kvm/e500.c               |    1 -
 arch/powerpc/kvm/e500_mmu.c           |    4 ----
 arch/powerpc/kvm/e500mc.c             |    1 -
 arch/powerpc/kvm/powerpc.c            |    2 --
 13 files changed, 5 insertions(+), 33 deletions(-)
