linux-sgx.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3 0/5] x86/sgx: Fix lock ordering bug w/ EADD
@ 2019-08-30  0:17 Sean Christopherson
  2019-08-30  0:17 ` [PATCH v3 1/5] x86/sgx: Convert encl->flags from an unsigned int to an atomic Sean Christopherson
                   ` (5 more replies)
  0 siblings, 6 replies; 8+ messages in thread
From: Sean Christopherson @ 2019-08-30  0:17 UTC (permalink / raw)
  To: Jarkko Sakkinen; +Cc: linux-sgx

As discovered by Jarkko, taking mm->mmap_sem around EADD can lead to
deadlock as attempting to acquire mmap_sem while holding encl->lock
violates SGX's lock ordering.

Resolving the issue simply by reversing the lock ordering gets ugly due
to the behavior of sgx_encl_grow(), which has a path that drops encl->lock
in order to do EPC page reclaim, i.e. moving mm->mmap_sem up would require
it to be dropped and reacquired as well.

Luckily, the entire flow can be simplified by preventing userspace from
invoking concurrent ioctls on a single enclave.  Requiring ioctls to be
serialized means encl->lock doesn't need to be held to grow/shrink the
enclave, since only ioctls can grow/shrink the enclave.  This also
eliminates theoretical cases that sgx_encl_grow() has to handle, e.g. the
enclave being initialized while it's waiting on reclaim, since the
protection provided by serializing ioctls isn't dropped to do reclaim.


v3:
  - Move list_add() for VA page out of sgx_encl_grow() so that it's
    called while holding encl->lock in the EADD flow. [Jarkko]

v2:
  - Make encl->flags an atomic, reuse for "in ioctl" detection. [Jarkko]
  - Drop smp_{r,w}mb() patch as it is superceded by atomic flags. [Jarkko]
  - Tack on two interdependent bug fixes found when auditing encl->flags.
  - Rebase to Jarkko's latest master.

Sean Christopherson (5):
  x86/sgx: Convert encl->flags from an unsigned int to an atomic
  x86/sgx: Reject concurrent ioctls on single enclave
  x86/sgx: Take encl->lock inside of mm->mmap_sem for EADD
  x86/sgx: Reject all ioctls on dead enclaves
  x86/sgx: Destroy the enclave if EEXTEND fails

 arch/x86/kernel/cpu/sgx/driver.c  |   3 +-
 arch/x86/kernel/cpu/sgx/encl.c    |  18 ++--
 arch/x86/kernel/cpu/sgx/encl.h    |   3 +-
 arch/x86/kernel/cpu/sgx/ioctl.c   | 171 ++++++++++++++++--------------
 arch/x86/kernel/cpu/sgx/reclaim.c |  10 +-
 5 files changed, 113 insertions(+), 92 deletions(-)

-- 
2.22.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2019-08-30 16:16 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-30  0:17 [PATCH v3 0/5] x86/sgx: Fix lock ordering bug w/ EADD Sean Christopherson
2019-08-30  0:17 ` [PATCH v3 1/5] x86/sgx: Convert encl->flags from an unsigned int to an atomic Sean Christopherson
2019-08-30  0:17 ` [PATCH v3 2/5] x86/sgx: Reject concurrent ioctls on single enclave Sean Christopherson
2019-08-30 15:40   ` Jarkko Sakkinen
2019-08-30  0:17 ` [PATCH v3 3/5] x86/sgx: Take encl->lock inside of mm->mmap_sem for EADD Sean Christopherson
2019-08-30  0:17 ` [PATCH v3 4/5] x86/sgx: Reject all ioctls on dead enclaves Sean Christopherson
2019-08-30  0:17 ` [PATCH v3 5/5] x86/sgx: Destroy the enclave if EEXTEND fails Sean Christopherson
2019-08-30 16:16 ` [PATCH v3 0/5] x86/sgx: Fix lock ordering bug w/ EADD Jarkko Sakkinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).