Intel SGX development
From: "Haitao Huang" <haitao.huang@linux.intel.com>
To: "Jarkko Sakkinen" <jarkko@kernel.org>,
	dave.hansen@linux.intel.com, linux-kernel@vger.kernel.org,
	linux-sgx@vger.kernel.org, "Thomas Gleixner" <tglx@linutronix.de>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Borislav Petkov" <bp@alien8.de>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	"Dave Hansen" <dave.hansen@intel.com>
Cc: kai.huang@intel.com, reinette.chatre@intel.com,
	kristen@linux.intel.com, seanjc@google.com,
	stable@vger.kernel.org
Subject: Re: [PATCH] x86/sgx: fix a NULL pointer
Date: Tue, 18 Jul 2023 11:39:56 -0500
Message-ID: <op.18adwup7wjvjmi@hhuan26-mobl.amr.corp.intel.com>
In-Reply-To: <95371eef-73ec-5541-ad97-829954cfb848@intel.com>

On Tue, 18 Jul 2023 09:30:11 -0500, Dave Hansen <dave.hansen@intel.com>  
wrote:

> On 7/17/23 13:29, Haitao Huang wrote:
> ...
>> @@ -248,11 +258,9 @@ static struct sgx_encl_page  
>> *__sgx_encl_load_page(struct sgx_encl *encl,
>>  		return entry;
>>  	}
>>
>> -	if (!(encl->secs.epc_page)) {
>> -		epc_page = sgx_encl_eldu(&encl->secs, NULL);
>> -		if (IS_ERR(epc_page))
>> -			return ERR_CAST(epc_page);
>> -	}
>> +	epc_page = sgx_encl_load_secs(encl);
>> +	if (IS_ERR(epc_page))
>> +		return ERR_CAST(epc_page);
>>
>>  	epc_page = sgx_encl_eldu(entry, encl->secs.epc_page);
>>  	if (IS_ERR(epc_page))
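
Review bot: epc_page does double duty in this hunk. It first holds the result of sgx_encl_load_secs(encl) only so that it can be tested with IS_ERR(), and is then overwritten by sgx_encl_eldu(entry, encl->secs.epc_page), which takes the SECS page from encl->secs.epc_page rather than from the returned pointer. Since this caller never uses the returned page, consider having sgx_encl_load_secs() return an int error code, or document that the pointer it returns is the same page as encl->secs.epc_page.
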
>> @@ -339,6 +347,13 @@ static vm_fault_t sgx_encl_eaug_page(struct  
>> vm_area_struct *vma,
>>
>>  	mutex_lock(&encl->lock);
>>
>> +	epc_page = sgx_encl_load_secs(encl);
>> +	if (IS_ERR(epc_page)) {
>> +		if (PTR_ERR(epc_page) == -EBUSY)
>> +			vmret =  VM_FAULT_NOPAGE;
>> +		goto err_out_unlock;
>> +	}
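
Review bot: In the new error branch only -EBUSY is translated, at `vmret =  VM_FAULT_NOPAGE;` (which also has a stray double space after the `=`). Every other error jumps to err_out_unlock with whatever value vmret already holds, and that value is not visible in this hunk. A short comment saying why a busy SECS reload is retried with VM_FAULT_NOPAGE, and which fault code the remaining errors produce, would let this path be reviewed on its own.
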
>
> Whenever I see one of these "make sure it isn't NULL", I always jump to
> asking what *keeps* it from becoming NULL again.  In both cases here, I
> think that's encl->lock.
>
Yes, encl->lock protects all enclave states, the xarray holding  
encl_pages, SECS, VAs, etc.

> A comment would be really nice here, maybe on sgx_encl_load_secs().   
> Maybe:
>
> /*
>  * Ensure the SECS page is not swapped out.  Must be called with
>  * encl->lock to protect _____ and ensure the SECS page is not
>  * swapped out again.
>  */
>
Thanks for the suggestion. Lock should be held for the duration of SECS  
usage.
So something like this?
/*
  * Ensure the SECS page is not swapped out.  Must be called with
  * encl->lock to protect the enclave states including SECS and
  * ensure the SECS page is not swapped out again while being used.
  */


>> diff --git a/arch/x86/kernel/cpu/sgx/main.c  
>> b/arch/x86/kernel/cpu/sgx/main.c
>> index 166692f2d501..4662a364ce62 100644
>> --- a/arch/x86/kernel/cpu/sgx/main.c
>> +++ b/arch/x86/kernel/cpu/sgx/main.c
>> @@ -257,6 +257,10 @@ static void sgx_reclaimer_write(struct  
>> sgx_epc_page *epc_page,
>>
>>  	mutex_lock(&encl->lock);
>>
>> +	/* Should not be possible */
>> +	if (WARN_ON(!(encl->secs.epc_page)))
>> +		goto out;
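
Review bot: The `/* Should not be possible */` comment does not state the invariant being asserted, and a plain WARN_ON() in sgx_reclaimer_write() would fire on every pass through this path if the condition ever held. If the check stays, name the invariant in the comment and consider WARN_ON_ONCE(); the inner parentheses in `!(encl->secs.epc_page)` are also unnecessary. The `goto out` is taken after mutex_lock(&encl->lock), so the out label has to release the lock, which this hunk does not show.
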
>
> That comment isn't super helpful.  We generally don't WARN_ON() things
> that should happen.  *Why* is it not possible?
>

When this part of the code is reached, the reclaimer is holding at least one
reclaimable EPC page to reclaim for the enclave, and the code below only
reclaims SECS when no reclaimable EPCs (number of SECS children being
zero) of the enclave are left. So it should not be possible.
I'll remove this change because this is really not needed for fixing the
bug, as Kai pointed out.

I added this as a sanity check when implementing multiple EPC tracking
lists for cgroups. At one point there were list corruption issues if
moving EPCs between lists was not managed well. With those straightened out,
and clear definitions of EPC states for moving them from one list to
another, I no longer see much value in keeping this even in later cgroup
patches.

Thanks
Haitao
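
The locking rule discussed in this message, as an added example that is not part of the original mail and is not kernel code: a simplified user-space model in which the SECS is reloaded and used under a single hold of the lock, and is evicted only when its child count reaches zero. All names (model_encl, model_load_secs, model_reclaim_child, model_add_page) are hypothetical, and a pthread mutex stands in for encl->lock.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified user-space model; every name here is hypothetical. */
struct model_encl {
    pthread_mutex_t lock;   /* stands in for encl->lock */
    int *secs_page;         /* NULL while the SECS is swapped out */
    int child_cnt;          /* resident child pages of the SECS */
    int reloads;            /* number of times the SECS was loaded */
};

/* Caller must hold e->lock for this call and for as long as it uses the SECS. */
static int model_load_secs(struct model_encl *e)
{
    if (e->secs_page)
        return 0;
    e->secs_page = calloc(1, sizeof(*e->secs_page));
    if (!e->secs_page)
        return -1;
    e->reloads++;
    return 0;
}

/* Reclaim one child page; the SECS is evicted only when no children remain. */
static void model_reclaim_child(struct model_encl *e)
{
    pthread_mutex_lock(&e->lock);
    if (e->child_cnt > 0 && --e->child_cnt == 0) {
        free(e->secs_page);
        e->secs_page = NULL;
    }
    pthread_mutex_unlock(&e->lock);
}

/* Fault path that adds a page: reload and use the SECS under one lock hold. */
static int model_add_page(struct model_encl *e)
{
    int ret;

    pthread_mutex_lock(&e->lock);
    ret = model_load_secs(e);
    if (!ret) {
        *e->secs_page += 1;  /* NULL dereference here if the reload is skipped */
        e->child_cnt++;
    }
    pthread_mutex_unlock(&e->lock);
    return ret;
}
```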
