Re: [PATCH] x86/sgx: Drop racy follow_pfn check

From: Jarkko Sakkinen <jarkko@kernel.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Sean Christopherson <seanjc@google.com>,
	Borislav Petkov <bp@suse.de>,
	linux-sgx@vger.kernel.org,
	Daniel Vetter <daniel.vetter@intel.com>
Subject: Re: [PATCH] x86/sgx: Drop racy follow_pfn check
Date: Fri, 5 Feb 2021 04:26:05 +0200	[thread overview]
Message-ID: <YBysvZ3NcmsT4IHK@kernel.org> (raw)
In-Reply-To: <20210204184519.2809313-1-daniel.vetter@ffwll.ch>

On Thu, Feb 04, 2021 at 07:45:19PM +0100, Daniel Vetter wrote:
> PTE insertion is fundamentally racy, and this check doesn't do
> anything useful. Quoting Sean:
> 
> "Yeah, it can be whacked.  The original, never-upstreamed code asserted that the
> resolved PFN matched the PFN being installed by the fault handler as a sanity
> check on the SGX driver's EPC management.  The WARN assertion got dropped for
> whatever reason, leaving that useless chunk."

Love the "whatever reason" part :-)

Shame, I was *going to* rip this off maybe around iteration v40. I have
no idea why I did not. Even backtraced years old email threads from lore.
Probably just forgot to remove it.

So, yeah, I fully agree removing it.

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

> Jason stumbled over this as a new user of follow_pfn, and I'm trying
> to get rid of unsafe callers of that function so it can be locked down
> further.
> 
> This is independent prep work for the referenced patch series.

Apologies, consider it my bad...

/Jarkko

> 
> References: https://lore.kernel.org/dri-devel/20201127164131.2244124-1-daniel.vetter@ffwll.ch/
> Reported-by: Jason Gunthorpe <jgg@ziepe.ca>
> Cc: Jason Gunthorpe <jgg@ziepe.ca>
> Cc: Sean Christopherson <seanjc@google.com>
> Fixes: 947c6e11fa43 ("x86/sgx: Add ptrace() support for the SGX driver")
> Cc: Jarkko Sakkinen <jarkko@kernel.org>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: linux-sgx@vger.kernel.org
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
>  arch/x86/kernel/cpu/sgx/encl.c | 8 --------
>  1 file changed, 8 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
> index ee50a5010277..20a2dd5ba2b4 100644
> --- a/arch/x86/kernel/cpu/sgx/encl.c
> +++ b/arch/x86/kernel/cpu/sgx/encl.c
> @@ -141,7 +141,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
>  	struct sgx_encl_page *entry;
>  	unsigned long phys_addr;
>  	struct sgx_encl *encl;
> -	unsigned long pfn;
>  	vm_fault_t ret;
>  
>  	encl = vma->vm_private_data;
> @@ -168,13 +167,6 @@ static vm_fault_t sgx_vma_fault(struct vm_fault *vmf)
>  
>  	phys_addr = sgx_get_epc_phys_addr(entry->epc_page);
>  
> -	/* Check if another thread got here first to insert the PTE. */
> -	if (!follow_pfn(vma, addr, &pfn)) {
> -		mutex_unlock(&encl->lock);
> -
> -		return VM_FAULT_NOPAGE;
> -	}
> -
>  	ret = vmf_insert_pfn(vma, addr, PFN_DOWN(phys_addr));
>  	if (ret != VM_FAULT_NOPAGE) {
>  		mutex_unlock(&encl->lock);
> -- 
> 2.30.0
> 
> 