From: Jarkko Sakkinen
To: linux-sgx@vger.kernel.org
Cc: Haitao Huang, Vijay Dhanraj, Reinette Chatre, Dave Hansen, Jarkko Sakkinen, stable@vger.kernel.org, Paul Menzel, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org (maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)), "H. Peter Anvin", linux-kernel@vger.kernel.org (open list:X86 ARCHITECTURE (32-BIT AND 64-BIT))
Subject: [PATCH v2 1/2] x86/sgx: Do not fail on incomplete sanitization on premature stop of ksgxd
Date: Tue, 6 Sep 2022 02:54:14 +0300
Message-Id: <20220905235415.9519-2-jarkko@kernel.org>
In-Reply-To: <20220905235415.9519-1-jarkko@kernel.org>
References: <20220905235415.9519-1-jarkko@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Unsanitized pages trigger WARN_ON() unconditionally, which can panic the whole computer, if /proc/sys/kernel/panic_on_warn is set.

In sgx_init(), if misc_register() fails or misc_register() succeeds but neither sgx_drv_init() nor sgx_vepc_init() succeeds, then ksgxd will be prematurely stopped. This may leave unsanitized pages, which will result in a false warning.

Refine __sgx_sanitize_pages() to return:

1. Zero when the sanitization process is complete or ksgxd has been requested to stop.
2. The number of unsanitized pages otherwise.

Use the return value as the criteria for triggering output, and tone down the output to pr_err() to prevent the whole system from being taken down if for some reason the sanitization process does not complete.

Link: https://lore.kernel.org/linux-sgx/20220825051827.246698-1-jarkko@kernel.org/T/#u
Fixes: 51ab30eb2ad4 ("x86/sgx: Replace section->init_laundry_list with sgx_dirty_page_list")
Cc: stable@vger.kernel.org # v5.13+
Reported-by: Paul Menzel
Signed-off-by: Jarkko Sakkinen
---
v8:
- Discard changes that are not relevant for the stable fix. This does the absolute minimum to address the bug:
  https://lore.kernel.org/linux-sgx/a5fa56bdc57d6472a306bd8d795afc674b724538.camel@intel.com/
v7:
- Rewrote commit message.
- Do not return -ECANCELED on premature stop. Instead use zero for both premature stop and complete sanitization.
v6:
- Address Reinette's feedback:
  https://lore.kernel.org/linux-sgx/Yw6%2FiTzSdSw%2FY%2FVO@kernel.org/
v5:
- Add the klog dump and sysctl option to the commit message.
v4:
- Explain expectations for dirty_page_list in the function header, instead of an inline comment.
- Improve commit message to explain the conditions better.
- Return the number of pages left dirty to ksgxd() and print warning after the 2nd call, if there are any.
v3:
- Remove WARN_ON().
- Tuned comments and the commit message a bit.
v2:
- Replaced WARN_ON() with optional pr_info() inside __sgx_sanitize_pages().
- Rewrote the commit message.
- Added the fixes tag.
---
 arch/x86/kernel/cpu/sgx/main.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c index 515e2a5f25bb..2ec2d7b7da54 100644 --- a/arch/x86/kernel/cpu/sgx/main.c +++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -49,9 +49,13 @@ static LIST_HEAD(sgx_dirty_page_list); * Reset post-kexec EPC pages to the uninitialized state. The pages are removed * from the input list, and made available for the page allocator. SECS pages * prepending their children in the input list are left intact. + * + * Return 0 when sanitization was successful or kthread was stopped, and the + * number of unsanitized pages otherwise. */ -static void __sgx_sanitize_pages(struct list_head *dirty_page_list) +static unsigned long __sgx_sanitize_pages(struct list_head *dirty_page_list) { + unsigned long left_dirty = 0; struct sgx_epc_page *page; LIST_HEAD(dirty); int ret; @@ -59,7 +63,7 @@ static void __sgx_sanitize_pages(struct list_head *dirty_page_list) /* dirty_page_list is thread-local, no need for a lock: */ while (!list_empty(dirty_page_list)) { if (kthread_should_stop()) - return; + return 0; page = list_first_entry(dirty_page_list, struct sgx_epc_page, list); @@ -92,12 +96,14 @@ static void __sgx_sanitize_pages(struct list_head *dirty_page_list) } else { /* The page is not yet clean - move to the dirty list. */ list_move_tail(&page->list, &dirty); + left_dirty++; } cond_resched(); } list_splice(&dirty, dirty_page_list); + return left_dirty; } static bool sgx_reclaimer_age(struct sgx_epc_page *epc_page) @@ -388,6 +394,8 @@ void sgx_reclaim_direct(void) static int ksgxd(void *p) { + unsigned long left_dirty; + set_freezable(); /* @@ -395,10 +403,7 @@ static int ksgxd(void *p) * required for SECS pages, whose child pages blocked EREMOVE. */ __sgx_sanitize_pages(&sgx_dirty_page_list); - __sgx_sanitize_pages(&sgx_dirty_page_list); - - /* sanity check: */ - WARN_ON(!list_empty(&sgx_dirty_page_list)); + WARN_ON(__sgx_sanitize_pages(&sgx_dirty_page_list)); while (!kthread_should_stop()) { if (try_to_freeze()) -- 2.37.2
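
Review bot: The function comment added in the first hunk (@@ -49,9 +49,13 @@) should state that a return value of 0 does not imply dirty_page_list is empty, because the same 0 is used for "kthread was stopped". As written, "Return 0 when sanitization was successful or kthread was stopped" leaves a future caller free to treat 0 as "all EPC pages are clean". Suggest adding one sentence such as "A return value of 0 after a stop request may leave pages on the list" so the contract is explicit.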
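
Review bot: The early `return 0;` in the second hunk (@@ -59,7 +63,7 @@) exits the loop without the `list_splice(&dirty, dirty_page_list);` that the normal exit path performs, so any pages already moved with `list_move_tail(&page->list, &dirty);` stay linked to the on-stack `dirty` head after the function returns. This behaviour predates the patch (the line was `return;`), but since the return paths are being reworked here it is worth either splicing `dirty` back before returning 0 or adding a comment explaining why nothing walks these pages after a stop request.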
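
Review bot: The last hunk in ksgxd() (@@ -395,10 +403,7 @@) still reports leftover pages through `WARN_ON(__sgx_sanitize_pages(&sgx_dirty_page_list));`, which does not match the commit message's statement that the output is toned down to pr_err(); with panic_on_warn set, a genuinely incomplete sanitization can still take the system down. In addition, the `unsigned long left_dirty;` declared by the preceding hunk (@@ -388,6 +394,8 @@) is never assigned or read in the lines shown and would draw an unused-variable warning. Suggest either assigning the second call's return value to `left_dirty` and printing it with pr_err() when non-zero, as the commit message describes, or dropping the declaration and updating the commit message to say WARN_ON() is kept.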