[PATCH] x86/sgx: Drop racy follow_pfn check

[PATCH] x86/sgx: Drop racy follow_pfn check

[Daniel Vetter]

PTE insertion is fundamentally racy, and this check doesn't do
anything useful. Quoting Sean:

"Yeah, it can be whacked.  The original, never-upstreamed code asserted that the
resolved PFN matched the PFN being installed by the fault handler as a sanity
check on the SGX driver's EPC management.  The WARN assertion got dropped for
whatever reason, leaving that useless chunk."

Jason stumbled over this as a new user of follow_pfn, and I'm trying
to get rid of unsafe callers of that function so it can be locked down
further.

This is independent prep work for the referenced patch series.

References: https://lore.kernel.org/dri-devel/20201127164131.2244124-1-daniel.vetter@ffwll.ch/
Reported-by: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Sean Christopherson <seanjc@google.com>
Fixes: 947c6e11fa43 ("x86/sgx: Add ptrace() support for the SGX driver")
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: linux-sgx@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
---
 arch/x86/kernel/cpu/sgx/encl.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index ee50a5010277..20a2dd5ba2b4 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -141,7 +141,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
 	struct sgx_encl_page *entry;
 	unsigned long phys_addr;
 	struct sgx_encl *encl;
-	unsigned long pfn;
 	vm_fault_t ret;
 
 	encl = vma->vm_private_data;
@@ -168,13 +167,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
 
 	phys_addr = sgx_get_epc_phys_addr(entry->epc_page);
 
-	/* Check if another thread got here first to insert the PTE. */
-	if (!follow_pfn(vma, addr, &pfn)) {
-		mutex_unlock(&encl->lock);
-
-		return VM_FAULT_NOPAGE;
-	}
-
 	ret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
 	if (ret != VM_FAULT_NOPAGE) {
 		mutex_unlock(&encl->lock);
-- 
2.30.0

Re: [PATCH] x86/sgx: Drop racy follow_pfn check

[Jarkko Sakkinen]

On Thu, Feb 04, 2021 at 07:45:19PM +0100, Daniel Vetter wrote:
> PTE insertion is fundamentally racy, and this check doesn't do
> anything useful. Quoting Sean:
> 
> "Yeah, it can be whacked.  The original, never-upstreamed code asserted that the
> resolved PFN matched the PFN being installed by the fault handler as a sanity
> check on the SGX driver's EPC management.  The WARN assertion got dropped for
> whatever reason, leaving that useless chunk."

Love the "whatever reason" part :-)

Shame, I was *going to* rip this off maybe around iteration v40. I have
no idea why I did not. Even backtraced years old email threads from lore.
Probably just forgot to remove it.

So, yeah, I fully agree removing it.

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

> Jason stumbled over this as a new user of follow_pfn, and I'm trying
> to get rid of unsafe callers of that function so it can be locked down
> further.
> 
> This is independent prep work for the referenced patch series.

Apologies, consider it my bad...

/Jarkko

> 
> References: https://lore.kernel.org/dri-devel/20201127164131.2244124-1-daniel.vetter@ffwll.ch/
> Reported-by: Jason Gunthorpe <jgg@ziepe.ca>
> Cc: Jason Gunthorpe <jgg@ziepe.ca>
> Cc: Sean Christopherson <seanjc@google.com>
> Fixes: 947c6e11fa43 ("x86/sgx: Add ptrace() support for the SGX driver")
> Cc: Jarkko Sakkinen <jarkko@kernel.org>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: linux-sgx@vger.kernel.org
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
>  arch/x86/kernel/cpu/sgx/encl.c | 8 --------
>  1 file changed, 8 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
> index ee50a5010277..20a2dd5ba2b4 100644
> --- a/arch/x86/kernel/cpu/sgx/encl.c
> +++ b/arch/x86/kernel/cpu/sgx/encl.c
> @@ -141,7 +141,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
>  	struct sgx_encl_page *entry;
>  	unsigned long phys_addr;
>  	struct sgx_encl *encl;
> -	unsigned long pfn;
>  	vm_fault_t ret;
>  
>  	encl = vma->vm_private_data;
> @@ -168,13 +167,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
>  
>  	phys_addr = sgx_get_epc_phys_addr(entry->epc_page);
>  
> -	/* Check if another thread got here first to insert the PTE. */
> -	if (!follow_pfn(vma, addr, &pfn)) {
> -		mutex_unlock(&encl->lock);
> -
> -		return VM_FAULT_NOPAGE;
> -	}
> -
>  	ret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
>  	if (ret != VM_FAULT_NOPAGE) {
>  		mutex_unlock(&encl->lock);
> -- 
> 2.30.0
> 
> 

Re: [PATCH] x86/sgx: Drop racy follow_pfn check

[Jarkko Sakkinen]

On Thu, Feb 04, 2021 at 07:45:19PM +0100, Daniel Vetter wrote:
> References: https://lore.kernel.org/dri-devel/20201127164131.2244124-1-daniel.vetter@ffwll.ch/

What is the difference between this and "Link:" anyway?

/Jarkko

Re: [PATCH] x86/sgx: Drop racy follow_pfn check

[Daniel Vetter]

On Fri, Feb 5, 2021 at 3:26 AM Jarkko Sakkinen <jarkko@kernel.org> wrote:
>
> On Thu, Feb 04, 2021 at 07:45:19PM +0100, Daniel Vetter wrote:
> > References: https://lore.kernel.org/dri-devel/20201127164131.2244124-1-daniel.vetter@ffwll.ch/
>
> What is the difference between this and "Link:" anyway?

Afaik References: is for other reading (bug reports, discussions,
other patch series), Link: is for patch submission itself (which I
think some subsystem do an entire chain of, on each revision). My
scripts aren't good enough that they add the Link: before submitting,
I add them when I apply patches (since most patches I get don't have
them anyway).

btw since the final patch to remove follow_pfn won't be ready for 5.12
merge window (kvm and vfio have some work to do) I think it's best if
you just queue this up in your tree?

Thanks, Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

[tip: x86/sgx] x86/sgx: Drop racy follow_pfn() check

[tip-bot2 for Daniel Vetter]

The following commit has been merged into the x86/sgx branch of tip:

Commit-ID:     dc9b7be557ca94301ea5c06c0d72307e642ffb18
Gitweb:        https://git.kernel.org/tip/dc9b7be557ca94301ea5c06c0d72307e642ffb18
Author:        Daniel Vetter <daniel.vetter@ffwll.ch>
AuthorDate:    Thu, 04 Feb 2021 19:45:19 +01:00
Committer:     Borislav Petkov <bp@suse.de>
CommitterDate: Fri, 05 Feb 2021 10:45:11 +01:00

x86/sgx: Drop racy follow_pfn() check

PTE insertion is fundamentally racy, and this check doesn't do anything
useful. Quoting Sean:

  "Yeah, it can be whacked. The original, never-upstreamed code asserted
  that the resolved PFN matched the PFN being installed by the fault
  handler as a sanity check on the SGX driver's EPC management. The
  WARN assertion got dropped for whatever reason, leaving that useless
  chunk."

Jason stumbled over this as a new user of follow_pfn(), and I'm trying
to get rid of unsafe callers of that function so it can be locked down
further.

This is independent prep work for the referenced patch series:

  https://lore.kernel.org/dri-devel/20201127164131.2244124-1-daniel.vetter@ffwll.ch/

Fixes: 947c6e11fa43 ("x86/sgx: Add ptrace() support for the SGX driver")
Reported-by: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lkml.kernel.org/r/20210204184519.2809313-1-daniel.vetter@ffwll.ch
---
 arch/x86/kernel/cpu/sgx/encl.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index ee50a50..20a2dd5 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -141,7 +141,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
 	struct sgx_encl_page *entry;
 	unsigned long phys_addr;
 	struct sgx_encl *encl;
-	unsigned long pfn;
 	vm_fault_t ret;
 
 	encl = vma->vm_private_data;
@@ -168,13 +167,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
 
 	phys_addr = sgx_get_epc_phys_addr(entry->epc_page);
 
-	/* Check if another thread got here first to insert the PTE. */
-	if (!follow_pfn(vma, addr, &pfn)) {
-		mutex_unlock(&encl->lock);
-
-		return VM_FAULT_NOPAGE;
-	}
-
 	ret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
 	if (ret != VM_FAULT_NOPAGE) {
 		mutex_unlock(&encl->lock);

Re: [PATCH] x86/sgx: Drop racy follow_pfn check

[Jarkko Sakkinen]

On Fri, Feb 05, 2021 at 08:43:24AM +0100, Daniel Vetter wrote:
> On Fri, Feb 5, 2021 at 3:26 AM Jarkko Sakkinen <jarkko@kernel.org> wrote:
> >
> > On Thu, Feb 04, 2021 at 07:45:19PM +0100, Daniel Vetter wrote:
> > > References: https://lore.kernel.org/dri-devel/20201127164131.2244124-1-daniel.vetter@ffwll.ch/
> >
> > What is the difference between this and "Link:" anyway?
> 
> Afaik References: is for other reading (bug reports, discussions,
> other patch series), Link: is for patch submission itself (which I
> think some subsystem do an entire chain of, on each revision). My
> scripts aren't good enough that they add the Link: before submitting,
> I add them when I apply patches (since most patches I get don't have
> them anyway).
> 
> btw since the final patch to remove follow_pfn won't be ready for 5.12
> merge window (kvm and vfio have some work to do) I think it's best if
> you just queue this up in your tree?

Boris has queued this to tip x86/sgx.

> Thanks, Daniel
> -- 
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch
> 

/Jarkko