Re: [RFC PATCH kernel] vfio/spapr_tce: Get rid of possible infinite loop

Alexey Kardashevskiy wrote: > As a part of cleanup, the SPAPR TCE IOMMU subdriver releases preregistered > memory. If there is a bug in memory release, the loop in > tce_iommu_release() becomes infinite; this actually happened to me. > > This makes the loop finite and prints a warning on every fai

Re: [PATCH 0/4] Fix use after free in HPT resizing code and related minor improvements

David Gibson wrote: > On Wed, Nov 29, 2017 at 11:38:22AM -0500, Serhii Popovych wrote: >> It is possible to trigger use after free during HPT resize >> causing host kernel to crash. More details and analysis of >> the problem can be found in change with corresponding subject

[PATCH v2 2/2] KVM: PPC: Book3S HV: Fix use after free in case of multiple resize requests

80814] Instruction dump: [ 635.280880] 7c0802a6 fba1ffe8 fbc1fff0 7cbd2b78 fbe1fff8 7c9e2378 7c7f1b78 f8010010 [ 635.281099] f821ff81 e8a50008 7fa52040 40de00b8 7fbd2840 40de008c 7fbff040 [ 635.281324] ---[ end trace b628b73449719b9d ]--- Signed-off-by: Serhii Popovych [dwg: Replaced BUG_ON()s

[PATCH v2 1/2] KVM: PPC: Book3S HV: Drop prepare_done from struct kvm_resize_hpt and cleanups

ore than once for resize request or resize_hpt_allocate() returns -EBUSY that is treated specially. Change comparison against zero to make checkpatch.pl happy. Signed-off-by: Serhii Popovych [dwg: Changed BUG_ON()s to WARN_ON()s and altered commit message for clarity] Signed-off-by: David Gibson --- arch/

[PATCH v2 0/2] Fix use after free in HPT resizing code and related minor improvements

the fix, especially make ->error in HPT resize instance single point for tracking allocation state. See individual commit description message to get more information on changes presented. v2: Serhii Popovych: Tested with current 4.15-rc2 as host kernel on P8 with same testcase

[PATCH 4/4] KVM: PPC: Book3S HV: Remove redundant parameter from resize_hpt_release()

NULL to make code simpler and we called with resize != NULL in all places except kvm_vm_ioctl_resize_hpt_commit(). Signed-off-by: Serhii Popovych --- arch/powerpc/kvm/book3s_64_mmu_hv.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/powerpc/kvm

[PATCH 3/4] KVM: PPC: Book3S HV: Fix use after free in case of multiple resize requests

880] 7c0802a6 fba1ffe8 fbc1fff0 7cbd2b78 fbe1fff8 7c9e2378 7c7f1b78 f8010010 [ 635.281099] f821ff81 e8a50008 7fa52040 40de00b8 7fbd2840 40de008c 7fbff040 [ 635.281324] ---[ end trace b628b73449719b9d ]--- Signed-off-by: Serhii Popovych --- arch/powerpc/kvm/book3s_64_mmu_hv.c | 45 ++

[PATCH 2/4] KVM: PPC: Book3S HV: Improve kvmppc_allocate_hpt()/kvmppc_free_hpt()

: kvmppc_free_hpt() can be reused on error path in kvmppc_allocate_hpt() to avoid code duplication. 4) No need to check for !hpt if allocated from CMA: neither pfn_to_kaddr() nor page_to_pfn() is 0 in case of page != NULL. Signed-off-by: Serhii Popovych --- arch/powerpc/kvm

[PATCH 1/4] KVM: PPC: Book3S HV: Drop prepare_done from struct kvm_resize_hpt and cleanups

happy. Signed-off-by: Serhii Popovych --- arch/powerpc/kvm/book3s_64_mmu_hv.c | 42 ++--- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c index 235319c..0534aab 100644 ---

[PATCH 0/4] Fix use after free in HPT resizing code and related minor improvements

the fix, especially make ->error in HPT resize instance single point for tracking allocation state, improve kvmppc_allocate_hpt() and kvmppc_free_hpt() so they can be used more safely. See individual commit description message to get more information on changes presented. Serhii Popovych (4):