From: Dmitrii Kuvaiskii
To: dave.hansen@linux.intel.com, jarkko@kernel.org, kai.huang@intel.com, haitao.huang@linux.intel.com, reinette.chatre@intel.com, linux-sgx@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: mona.vij@intel.com, kailun.qin@intel.com, stable@vger.kernel.org, Marcelina Kościelnicka
Subject: [PATCH v3 1/2] x86/sgx: Resolve EAUG race where losing thread returns SIGBUS
Date: Fri, 17 May 2024 04:06:30 -0700
Message-Id: <20240517110631.3441817-2-dmitrii.kuvaiskii@intel.com>
In-Reply-To: <20240517110631.3441817-1-dmitrii.kuvaiskii@intel.com>
References: <20240517110631.3441817-1-dmitrii.kuvaiskii@intel.com>
Organization: Intel Deutschland GmbH - Registered Address: Am Campeon 10, 85579 Neubiberg, Germany

Imagine an mmap()'d file. Two threads touch the same address at the same
time and fault. Both allocate a physical page and race to install a PTE
for that page. Only one will win the race. The loser frees its page, but
still continues handling the fault as a success and returns
VM_FAULT_NOPAGE from the fault handler.

The same race can happen with SGX. But there's a bug: the loser in the
SGX steers into a failure path. The loser EREMOVE's the winner's EPC
page, then returns SIGBUS, likely killing the app.

Fix the SGX loser's behavior. Change the return code to VM_FAULT_NOPAGE
to avoid SIGBUS and call sgx_free_epc_page() which avoids EREMOVE'ing
the winner's page and only frees the page that the loser allocated.

The race can be illustrated as follows:

/*                             /*
 * Fault on CPU1                * Fault on CPU2
 * on enclave page X            * on enclave page X
 */                             */
sgx_vma_fault() {              sgx_vma_fault() {

  xa_load(&encl->page_array)     xa_load(&encl->page_array)
      == NULL -->                    == NULL -->

  sgx_encl_eaug_page() {         sgx_encl_eaug_page() {

    ...                            ...

    /*                             /*
     * alloc encl_page              * alloc encl_page
     */                             */
                                   mutex_lock(&encl->lock);
                                   /*
                                    * alloc EPC page
                                    */
                                   epc_page = sgx_alloc_epc_page(...);
                                   /*
                                    * add page to enclave's xarray
                                    */
                                   xa_insert(&encl->page_array, ...);
                                   /*
                                    * add page to enclave via EAUG
                                    * (page is in pending state)
                                    */
                                   /*
                                    * add PTE entry
                                    */
                                   vmf_insert_pfn(...);

                                   mutex_unlock(&encl->lock);
                                   return VM_FAULT_NOPAGE;
                                 }
                               }
                               /*
                                * All good up to here: enclave page
                                * successfully added to enclave,
                                * ready for EACCEPT from user space
                                */
    mutex_lock(&encl->lock);
    /*
     * alloc EPC page
     */
    epc_page = sgx_alloc_epc_page(...);
    /*
     * add page to enclave's xarray,
     * this fails with -EBUSY as this
     * page was already added by CPU2
     */
    xa_insert(&encl->page_array, ...);

  err_out_shrink:
    sgx_encl_free_epc_page(epc_page) {
      /*
       * remove page via EREMOVE
       *
       * *BUG*: page added by CPU2 is
       * yanked from enclave while it
       * remains accessible from OS
       * perspective (PTE installed)
       */
      /*
       * free EPC page
       */
      sgx_free_epc_page(epc_page);
    }

    mutex_unlock(&encl->lock);
    /*
     * *BUG*: SIGBUS is returned
     * for a valid enclave page
     */
    return VM_FAULT_SIGBUS;
  }
}

Fixes: 5a90d2c3f5ef ("x86/sgx: Support adding of pages to an initialized enclave")
Cc: stable@vger.kernel.org
Reported-by: Marcelina Kościelnicka
Suggested-by: Reinette Chatre
Signed-off-by: Dmitrii Kuvaiskii
Reviewed-by: Haitao Huang
Reviewed-by: Jarkko Sakkinen
Reviewed-by: Reinette Chatre
---
 arch/x86/kernel/cpu/sgx/encl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index 279148e72459..41f14b1a3025 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c 
@@ -382,8 +382,11 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, * If ret == -EBUSY then page was created in another flow while * running without encl->lock */ - if (ret) + if (ret) { + if (ret == -EBUSY) + vmret = VM_FAULT_NOPAGE; goto err_out_shrink; + } pginfo.secs = (unsigned long)sgx_get_epc_virt_addr(encl->secs.epc_page); pginfo.addr = encl_page->desc & PAGE_MASK; @@ -419,7 +422,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, err_out_shrink: sgx_encl_shrink(encl, va_page); err_out_epc: - sgx_encl_free_epc_page(epc_page); + sgx_free_epc_page(epc_page); err_out_unlock: mutex_unlock(&encl->lock); kfree(encl_page); -- 2.34.1
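Review bot: in the first hunk, the comment above `if (ret)` still only explains what -EBUSY means and does not say that this case is now reported as a handled fault. Suggest extending it to state that another thread already added the page, so the handler returns VM_FAULT_NOPAGE and the access is retried, while every other non-zero ret keeps whatever vmret held before the check. The initial value of vmret is not visible in this hunk, so it is worth confirming that it is still VM_FAULT_SIGBUS when the non-EBUSY errors take the `goto err_out_shrink`.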
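Review bot: in the second hunk, err_out_epc is a shared label, so replacing sgx_encl_free_epc_page() with sgx_free_epc_page() drops the EREMOVE for every path that reaches err_out_shrink or err_out_epc, not only the -EBUSY one. The visible lines do not show whether any of those paths runs after the page has been EAUG'd; if one does, the page would be freed without being removed from the enclave. Suggest stating in the commit message, or in a comment at the label, that no jump to these labels happens once the EAUG has succeeded.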