X-Mailing-List: linux-kernel@vger.kernel.org
Date: Mon, 29 Apr 2024 16:04:24 +0300
From: "Jarkko Sakkinen"
To: "Dmitrii Kuvaiskii"
Cc: Marcelina Kościelnicka
Subject: Re: [PATCH 1/2] x86/sgx: Resolve EAUG race where losing thread returns SIGBUS
X-Mailer: aerc 0.17.0
References: <20240429104330.3636113-1-dmitrii.kuvaiskii@intel.com> <20240429104330.3636113-2-dmitrii.kuvaiskii@intel.com>
In-Reply-To: <20240429104330.3636113-2-dmitrii.kuvaiskii@intel.com>

On Mon Apr 29, 2024 at 1:43 PM EEST, Dmitrii Kuvaiskii wrote:
> Two enclave threads may try to access the same non-present enclave page
> simultaneously (e.g., if the SGX runtime supports lazy allocation). The
> threads will end up in sgx_encl_eaug_page(), racing to acquire the
> enclave lock. The winning thread will perform EAUG, set up the page
> table entry, and insert the page into encl->page_array. The losing
> thread will then get -EBUSY on xa_insert(&encl->page_array) and proceed
> to error handling path.

And that path removes the page. Not sure I got the gist of this tbh.

> This error handling path contains two bugs: (1) SIGBUS is sent to
> userspace even though the enclave page is correctly installed by another
> thread, and (2) sgx_encl_free_epc_page() is called that performs EREMOVE
> even though the enclave page was never intended to be removed. The first
> bug is less severe because it impacts only the user space; the second
> bug is more severe because it also impacts the OS state by ripping the
> page (added by the winning thread) from the enclave.
>
> Fix these two bugs (1) by returning VM_FAULT_NOPAGE to the generic Linux
> fault handler so that no signal is sent to userspace, and (2) by
> replacing sgx_encl_free_epc_page() with sgx_free_epc_page() so that no
> EREMOVE is performed.

What is the collateral damage caused by ENCLS[EREMOVE]?

>
> Fixes: 5a90d2c3f5ef ("x86/sgx: Support adding of pages to an initialized enclave")
> Cc: stable@vger.kernel.org
> Reported-by: Marcelina Kościelnicka
> Suggested-by: Reinette Chatre
> Signed-off-by: Dmitrii Kuvaiskii > --- > arch/x86/kernel/cpu/sgx/encl.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/enc= l.c > index 279148e72459..41f14b1a3025 100644 > --- a/arch/x86/kernel/cpu/sgx/encl.c > +++ b/arch/x86/kernel/cpu/sgx/encl.c > @@ -382,8 +382,11 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_= struct *vma, > * If ret =3D=3D -EBUSY then page was created in another flow while > * running without encl->lock > */ > - if (ret) > + if (ret) { > + if (ret =3D=3D -EBUSY) > + vmret =3D VM_FAULT_NOPAGE; > goto err_out_shrink; > + } > =20 > pginfo.secs =3D (unsigned long)sgx_get_epc_virt_addr(encl->secs.epc_pag= e); > pginfo.addr =3D encl_page->desc & PAGE_MASK; > @@ -419,7 +422,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_s= truct *vma, > err_out_shrink: > sgx_encl_shrink(encl, va_page); > err_out_epc: > - sgx_encl_free_epc_page(epc_page); > + sgx_free_epc_page(epc_page); This ignores check for the page being reclaimer tracked, i.e. it does changes that have been ignored in the commit message. > err_out_unlock: > mutex_unlock(&encl->lock); > kfree(encl_page); BR, Jarkko
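Review bot: in the first hunk (the `if (ret)` block in sgx_encl_eaug_page()), the comment above the check still only says that -EBUSY means the page was created in another flow; now that the -EBUSY case sets `vmret = VM_FAULT_NOPAGE` and then still falls through `goto err_out_shrink` into the full teardown (sgx_encl_shrink(), freeing epc_page, unlocking, kfree(encl_page)), the comment should state why that teardown is still correct for the losing thread, namely that epc_page, va_page and encl_page are the loser's own allocations and the winner's copies are the ones installed, so NOPAGE is returned without touching them. Without that sentence a later reader will reasonably suspect the loser is freeing the installed page, which is exactly the confusion raised in the reply above.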
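Review bot: in the second hunk, the swap from sgx_encl_free_epc_page(epc_page) to sgx_free_epc_page(epc_page) sits under the `err_out_epc:` label, so it applies to every path that reaches that label, not only to the new -EBUSY case that the commit message justifies. If any other path can arrive there with a page that was already EAUGed into the enclave or is tracked by the reclaimer, skipping the EREMOVE and the tracking check returns an enclave-owned page to the free pool. Either confine the sgx_free_epc_page() call to the -EBUSY branch (and keep sgx_encl_free_epc_page() for the rest), or extend the commit message with the argument that no path reaching err_out_epc ever holds an EAUGed or reclaimer-tracked page, so the behavioural change for the other callers is documented rather than silent.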