Received: by 2002:a05:6358:bb9e:b0:b9:5105:a5b4 with SMTP id df30csp640819rwb; Fri, 2 Sep 2022 23:03:36 -0700 (PDT) X-Google-Smtp-Source: AA6agR6Mje20/7qBOe7OASTVUNaV4OCJPke4wDd8rSlzXKJefvZfKceGjjp8NUI38c4jC92PjeZO X-Received: by 2002:a17:907:720f:b0:731:8a9d:5ade with SMTP id dr15-20020a170907720f00b007318a9d5ademr28733437ejc.768.1662185016523; Fri, 02 Sep 2022 23:03:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662185016; cv=none; d=google.com; s=arc-20160816; b=Lu/2BtACT41C8NMzycp3XLfSuozuIbmFA2p2G/Qods5rsjOpNqLPFQfFDKO/R4/Jm4 Ky2inS6rXExgBGvcYD4+OwUZDounCDw5CMJv6eoT17J5WgayMa+pT0oGqdTLtaXf35+Q uo7MuSnrCJbual0Nd7/peWGRnyQzQfMMMnfZmC7pNo2O7Eg/a+JOoc9XtP+9rqshxxnC XaKnevlqJa3zIXFFIgglDCMpfP7pEdVi2KyxGRXYyjbCr0iiXl2Z7NWQ+R2qRoMNWYH8 U+zf9iFLpKiIAfHITN786SZFzNE0gHv6aq1pBXsdWhcW7JMw3YFHypt2/l6S8Xb3G31q Cljw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=TKsqUZ2SFFVTH1ZExvfJR2POrz/t82Xy8I42J9JHpKc=; b=0mHlzJTQVOTvGtP9hlJIRBj5W8w91krUp4S08m8E5zEd69oXFSDJQMQDY8F0dL/ZVp hXlYNyFcpHyAjmfY+2NNOsKlTacBBDJuG3aASaRdc9o7GcOq37B4DiX02WMe+B/P339+ iYTclNMVIfBAHPBQz2J5QBkihjU/ey3hDqkLTz1FuZH2tE76uZ289TMO+PJi3AOcZSfl vQTwFq0KeX7zF2rUyNPri53gbGShtVlcq6bgPw2AY1xwkkKLr9T0ALXYKFrocRz6hXJ/ fAdtpRX9MXwSbocYLYvYRjSyopHdYW9qnQVywrz7pPhvwYmvj3xJERhAiQb2mEmnSqmD SQ/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=eB5DpyHu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id go14-20020a1709070d8e00b0073dced72063si4518214ejc.570.2022.09.02.23.03.10; Fri, 02 Sep 2022 23:03:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=eB5DpyHu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231977AbiICGBh (ORCPT + 99 others); Sat, 3 Sep 2022 02:01:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47474 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229508AbiICGBf (ORCPT ); Sat, 3 Sep 2022 02:01:35 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E970918B2B; Fri, 2 Sep 2022 23:01:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5218E60B81; Sat, 3 Sep 2022 06:01:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 639E7C433D7; Sat, 3 Sep 2022 06:01:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1662184893; bh=sI33xlLAUaH4cdr016uruCb0i4EaryzepKAX77QNFME=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eB5DpyHuMXf92QJjvhjc2Vsy0SK8NOOpas+LQ9JWK9hVnazFZFzInAfoAyQhEMi20 KAi8qQDFK0ZwgnLaSo2lfvvLvxkNbwOs2L3oEmPZo7Hvlyl8OVrqnxVAw/KoDQ+5R0 zVXLKppvBnUdaj/eVtiyGdHLwV+0P/kDMra6Ze42JZooyRFewS50CzhO2tKQBElViN 1B+KIZ5bUd/DoOzzKtu9+VHSLbn7bvbrso6IwKunzR/NJ3+w98zZaXzjD/groQCGvv pPX29zEPwepcv/3fhCWMRrnz6uy1eR0ND6rojneFdSi52ifsL+4JZi53+sC3nZCRrO HF3xeI6L9Ul7w== From: Jarkko Sakkinen To: linux-sgx@vger.kernel.org Cc: Haitao Huang , Vijay Dhanraj , Reinette Chatre , Dave Hansen , Paul Menzel , Jarkko Sakkinen , stable@vger.kernel.org, Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org (maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)), "H. Peter Anvin" , linux-kernel@vger.kernel.org (open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)) Subject: [PATCH 1/2] x86/sgx: Do not fail on incomplete sanitization on premature stop of ksgxd Date: Sat, 3 Sep 2022 09:01:07 +0300 Message-Id: <20220903060108.1709739-2-jarkko@kernel.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220903060108.1709739-1-jarkko@kernel.org> References: <20220903060108.1709739-1-jarkko@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Unsanitized pages trigger WARN_ON() unconditionally, which can panic the whole computer, if /proc/sys/kernel/panic_on_warn is set. In sgx_init(), if misc_register() fails or misc_register() succeeds but neither sgx_drv_init() nor sgx_vepc_init() succeeds, then ksgxd will be prematurely stopped. This may leave unsanitized pages, which will result a false warning. Refine __sgx_sanitize_pages() to return: 1. Zero when the sanitization process is complete or ksgxd has been requested to stop. 2. The number of unsanitized pages otherwise. Use the return value as the criteria for triggering output, and tone down the output to pr_err() to prevent the whole system to be taken down if for some reason sanitization process does not complete. Link: https://lore.kernel.org/linux-sgx/20220825051827.246698-1-jarkko@kernel.org/T/#u Fixes: 51ab30eb2ad4 ("x86/sgx: Replace section->init_laundry_list with sgx_dirty_page_list") Cc: stable@vger.kernel.org # v5.13+ Reported-by: Paul Menzel Signed-off-by: Jarkko Sakkinen --- v7: - Rewrote commit message. - Do not return -ECANCELED on premature stop. Instead use zero both premature stop and complete sanitization. v6: - Address Reinette's feedback: https://lore.kernel.org/linux-sgx/Yw6%2FiTzSdSw%2FY%2FVO@kernel.org/ v5: - Add the klog dump and sysctl option to the commit message. v4: - Explain expectations for dirty_page_list in the function header, instead of an inline comment. - Improve commit message to explain the conditions better. - Return the number of pages left dirty to ksgxd() and print warning after the 2nd call, if there are any. v3: - Remove WARN_ON(). - Tuned comments and the commit message a bit. v2: - Replaced WARN_ON() with optional pr_info() inside __sgx_sanitize_pages(). - Rewrote the commit message. - Added the fixes tag. --- arch/x86/kernel/cpu/sgx/main.c | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c index 515e2a5f25bb..c0a5ce19c608 100644 --- a/arch/x86/kernel/cpu/sgx/main.c +++ b/arch/x86/kernel/cpu/sgx/main.c @@ -49,17 +49,23 @@ static LIST_HEAD(sgx_dirty_page_list); * Reset post-kexec EPC pages to the uninitialized state. The pages are removed * from the input list, and made available for the page allocator. SECS pages * prepending their children in the input list are left intact. + * + * Contents of the @dirty_page_list must be thread-local, i.e. + * not shared by multiple threads. + * + * Return 0 when sanitization was successful or kthread was stopped, and the + * number of unsanitized pages otherwise. */ -static void __sgx_sanitize_pages(struct list_head *dirty_page_list) +static unsigned long __sgx_sanitize_pages(struct list_head *dirty_page_list) { + unsigned long left_dirty = 0; struct sgx_epc_page *page; LIST_HEAD(dirty); int ret; - /* dirty_page_list is thread-local, no need for a lock: */ while (!list_empty(dirty_page_list)) { if (kthread_should_stop()) - return; + return 0; page = list_first_entry(dirty_page_list, struct sgx_epc_page, list); @@ -92,12 +98,14 @@ static void __sgx_sanitize_pages(struct list_head *dirty_page_list) } else { /* The page is not yet clean - move to the dirty list. */ list_move_tail(&page->list, &dirty); + left_dirty++; } cond_resched(); } list_splice(&dirty, dirty_page_list); + return left_dirty; } static bool sgx_reclaimer_age(struct sgx_epc_page *epc_page) @@ -388,17 +396,28 @@ void sgx_reclaim_direct(void) static int ksgxd(void *p) { + unsigned long left_dirty; + set_freezable(); /* * Sanitize pages in order to recover from kexec(). The 2nd pass is * required for SECS pages, whose child pages blocked EREMOVE. */ - __sgx_sanitize_pages(&sgx_dirty_page_list); - __sgx_sanitize_pages(&sgx_dirty_page_list); + left_dirty = __sgx_sanitize_pages(&sgx_dirty_page_list); + pr_debug("%ld unsanitized pages\n", left_dirty); - /* sanity check: */ - WARN_ON(!list_empty(&sgx_dirty_page_list)); + left_dirty = __sgx_sanitize_pages(&sgx_dirty_page_list); + /* + * Never expected to happen in a working driver. If it happens the bug + * is expected to be in the sanitization process, but successfully + * sanitized pages are still valid and driver can be used and most + * importantly debugged without issues. To put short, the global state + * of kernel is not corrupted so no reason to do any more complicated + * rollback. + */ + if (left_dirty) + pr_err("%ld unsanitized pages\n", left_dirty); while (!kthread_should_stop()) { if (try_to_freeze()) -- 2.37.2