From: Sean Christopherson <seanjc@google.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Tony Luck <tony.luck@intel.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 4/7] x86/sgx: Add SGX infrastructure to recover from poison
Date: Wed, 28 Jul 2021 23:00:07 +0000
Message-ID: <YQHhd0qKZqMCWqks@google.com>
In-Reply-To: <3534daf5-fae5-a85c-e198-c0b73e44ece4@intel.com>

On Wed, Jul 28, 2021, Dave Hansen wrote:
> On 7/28/21 1:46 PM, Tony Luck wrote:
> > +int sgx_memory_failure(unsigned long pfn, int flags)
> > +{
> ...
> > +	page->flags |= SGX_EPC_PAGE_POISON;
> 
> Is this safe outside of any locks?

It's safe outside of sgx_reclaimer_lock iff this can guarantee nothing else can
reach the page.  I'm pretty sure that doesn't hold true here.

> I see the reclaimer doing things like:
> 
>                 epc_page->flags &= ~SGX_EPC_PAGE_RECLAIMER_TRACKED;
> 
> I'd worry that this code and other non-atomic epc_page->flags
> manipulation could trample on each other.
> 
> This might need to do some atomic bit manipulation *and* convert all
> the other epc_page->flags users.

I don't think atomics would be sufficient as that would open all sorts of possible
races.  E.g. this new code in __sgx_sanitize_pages()

                page = list_first_entry(dirty_page_list, struct sgx_epc_page, list);

+               if (page->flags & SGX_EPC_PAGE_POISON) {
+                       list_del(&page->list);
+                       continue;
+               }
+
		***HERE***
                ret = __eremove(sgx_get_epc_virt_addr(page));
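Review bot: the `if (page->flags & SGX_EPC_PAGE_POISON)` test at the top of the loop and `ret = __eremove(sgx_get_epc_virt_addr(page));` are not ordered against the writer `page->flags |= SGX_EPC_PAGE_POISON;` quoted from sgx_memory_failure() above, which sets the flag without taking any lock, so a page poisoned between the test and the EREMOVE still gets EREMOVE; either re-test under the lock that serializes dirty_page_list, or have the poison path unlink the page from dirty_page_list itself. Separately, `list_del(&page->list); continue;` leaves the poisoned page on no list at all, which is acceptable as a quarantine but should say so in a comment, since nothing here records where the page went.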

could attempt EREMOVE on a freshly POISONed page.  That appears to be "benign"
since ENCLS is wrapped with _ASM_EXTABLE_FAULT, but it feels wrong to add a check
that we know can race.

And similar races for allocation/free could hand out a poisoned page or add one
to the free list.

@@ -585,6 +600,10 @@ struct sgx_epc_page *sgx_alloc_epc_page(void *owner, bool reclaim)

        for ( ; ; ) {
                page = __sgx_alloc_epc_page();
+
+               if (page->flags & SGX_EPC_PAGE_POISON)
+                       continue;
		*** HERE ***
+
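Review bot: `page->flags` is dereferenced immediately after `page = __sgx_alloc_epc_page();` with no check in this hunk that the allocation succeeded; if that call can return NULL or an error pointer when the node is empty, the poison test must come after that check, not before it. The test also runs after __sgx_alloc_epc_page() has returned, so any lock it held while unlinking the page is already released and a poison event landing between the test and the caller's first use is not caught; and `continue` discards the page without putting it on any list, so a burst of poisoned pages silently shrinks the pool with nothing accounting for them. Doing the test inside __sgx_alloc_epc_page() under the node lock, and moving skipped pages to a dedicated poisoned list, would address both.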


@@ -630,7 +651,8 @@ void sgx_free_epc_page(struct sgx_epc_page *page)
        spin_lock(&node->lock);

        page->owner = NULL;
-       list_add_tail(&page->list, &node->free_page_list);
+       if (!(page->flags & SGX_EPC_PAGE_POISON))
		*** HERE ***
+               list_add_tail(&page->list, &node->free_page_list);
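Review bot: `if (!(page->flags & SGX_EPC_PAGE_POISON))` runs under `spin_lock(&node->lock);`, but the writer `page->flags |= SGX_EPC_PAGE_POISON;` in sgx_memory_failure() quoted above does not take that lock, so the lock does not order the two and a page poisoned right after the test is still added by `list_add_tail(&page->list, &node->free_page_list);`. Either take node->lock in the poison path as well (and unlink the page there if it is already free), or have the poison path re-check free_page_list and remove the page. When the test does skip the page, `page->owner = NULL;` has already run and the page sits on no list, so it is dropped without trace; a comment, or a poisoned-page list, would make the quarantine explicit.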


Setting POISON and hoping we eventually notice doesn't sound robust.  Maybe some
of these races are unavoidable due to the nature of #MC delivery, but I would hope
the kernel can at least avoid handing out a poisoned page to a different enclave.
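An added illustration of the two races described above, written for this page and not part of Tony's patch or of the kernel: a single-threaded user-space model of one EPC node's free list, in which the #MC poison event is injected through a callback at the exact point where it does damage, so each interleaving is reproducible rather than timing-dependent. Scheme A mirrors the quoted hunks (flag set with no lock, tested after the allocator has released the node lock); scheme B is one possible fix, assumed here and not proposed in the thread, in which the poison path takes the node lock and unlinks a free page itself. All names (epc_node, epc_page, pop_free, alloc_a, alloc_b, free_a, poison_unlocked, poison_locked, model_*) are invented, and the lock is a plain bool because the point is ordering, not contention.

```c
/* Added model, not code from the patch or the kernel; all names are invented. */
#include <stdbool.h>
#include <stddef.h>
#define EPC_PAGE_POISON 0x1u

struct epc_page { unsigned int flags; void *owner; struct epc_page *next; };
struct epc_node { bool locked; struct epc_page *free_list; };  /* locked = node->lock */

static void node_lock(struct epc_node *n)   { n->locked = true; }
static void node_unlock(struct epc_node *n) { n->locked = false; }

static struct epc_page *pop_free(struct epc_node *n)   /* node->lock must be held */
{
	struct epc_page *page = n->free_list;
	if (page)
		n->free_list = page->next;
	return page;
}

/* Scheme A, as in the patch: #MC sets the flag with no lock, and the allocator
 * tests it only after __sgx_alloc_epc_page() has dropped node->lock. */
static void poison_unlocked(struct epc_page *page)
{
	page->flags |= EPC_PAGE_POISON;
}

static struct epc_page *alloc_a(struct epc_node *n, void (*mc)(struct epc_page *))
{
	node_lock(n);
	struct epc_page *page = pop_free(n);
	node_unlock(n);
	if (!page || (page->flags & EPC_PAGE_POISON))
		return NULL;          /* the patch's "continue": page is dropped */
	if (mc)
		mc(page);             /* #MC lands after the test ... */
	page->owner = n;              /* ... and a poisoned page is handed out */
	return page;
}

static void free_a(struct epc_node *n, struct epc_page *page, void (*mc)(struct epc_page *))
{
	node_lock(n);
	page->owner = NULL;
	if (!(page->flags & EPC_PAGE_POISON)) {
		if (mc) mc(page);     /* #MC ignores node->lock, so it can land here */
		page->next = n->free_list;
		n->free_list = page;  /* and a poisoned page joins the free list */
	}
	node_unlock(n);
}

/* Scheme B (assumed fix): the poison path takes node->lock and unlinks a free
 * page itself, so nothing on the free list is ever poisoned and alloc needs no test. */
static void poison_locked(struct epc_node *n, struct epc_page *page)
{
	node_lock(n);
	page->flags |= EPC_PAGE_POISON;
	if (!page->owner)             /* free page: quarantine it right now */
		for (struct epc_page **pp = &n->free_list; *pp; pp = &(*pp)->next)
			if (*pp == page) { *pp = page->next; break; }
	node_unlock(n);
}

static struct epc_page *alloc_b(struct epc_node *n)
{
	node_lock(n);
	struct epc_page *page = pop_free(n);
	if (page)
		page->owner = n;      /* ownership changes hands under the lock */
	node_unlock(n);
	return page;
}

/* Scenarios: each starts with one clean page on the free list. */
bool model_a_hands_out_poisoned(void)
{
	struct epc_page page = {0};
	struct epc_node node = { .free_list = &page };
	struct epc_page *got = alloc_a(&node, poison_unlocked);
	return got == &page && (got->flags & EPC_PAGE_POISON);
}

bool model_a_frees_poisoned_to_list(void)
{
	struct epc_page page = {0};
	struct epc_node node = { .free_list = &page };
	free_a(&node, alloc_a(&node, NULL), poison_unlocked);
	return node.free_list == &page && (page.flags & EPC_PAGE_POISON);
}

bool model_b_quarantines_free_page(void)
{
	struct epc_page page = {0};
	struct epc_node node = { .free_list = &page };
	poison_locked(&node, &page);  /* #MC on a free page */
	return alloc_b(&node) == NULL && page.owner == NULL;
}
```

model_a_hands_out_poisoned() and model_a_frees_poisoned_to_list() return true when the bad outcome occurs (a poisoned page reaches a caller, a poisoned page lands on free_page_list); model_b_quarantines_free_page() returns true when the poisoned page never reaches a caller. A page poisoned after an enclave already owns it is not something the free-list lock can cover and is left out of the model.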
