Message-ID: <20250211150150.519006-1-andrew.zaborowski@intel.com>
Date: Tue, 11 Feb 2025 16:01:50 +0100
From: Andrew Zaborowski <andrew.zaborowski@...el.com>
To: x86@...nel.org,
	linux-sgx@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Dave Hansen <dave.hansen@...ux.intel.com>,
	Tony Luck <tony.luck@...el.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Borislav Petkov <bp@...en8.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H . Peter Anvin" <hpa@...or.com>,
	balrogg@...il.com
Subject: [PATCH] x86: sgx: Don't track poisoned pages for reclaiming

Pages used by an enclave only get page->poison set in
arch_memory_failure() but stay on sgx_active_page_list.
page->poison is not checked in the reclaimer logic meaning that a page could be
reclaimed and go through ETRACK, EBLOCK and EWB.  This can lead to the
firmware receiving an MCE in one of those operations and going into
"unbreakable shutdown" and triggering a kernel panic on remaining cores.

Remove the affected page from sgx_active_page_list but don't add it
immediately to &node->sgx_poison_page_list to keep most of the current
semantics.  It'll be added to &node->sgx_poison_page_list later in
sgx_encl_release()->sgx_free_epc_page()

Tested with CONFIG_PROVE_LOCKING as suggested by Tony Luck.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@...el.com>
---
 arch/x86/kernel/cpu/sgx/main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index 671c26513..7076464d4 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -719,6 +719,8 @@ int arch_memory_failure(unsigned long pfn, int flags)
 		goto out;
 	}
 
+	sgx_unmark_page_reclaimable(page);
+
 	/*
 	 * TBD: Add additional plumbing to enable pre-emptive
 	 * action for asynchronous poison notification. Until
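Review bot: The added sgx_unmark_page_reclaimable(page) call is a bare statement, so if it can fail, for instance because the reclaimer has already taken the page off sgx_active_page_list and is part-way through the ETRACK/EBLOCK/EWB sequence the commit message describes, that outcome is neither handled nor logged, and the poisoned page would still reach EWB. Please either check the result and say in the commit message what happens to a page that is already being reclaimed, or state why that case cannot occur at this point in arch_memory_failure(). The new line also sits directly above the existing TBD comment with no comment of its own; one line saying that the page is taken off the reclaim list here and only reaches node->sgx_poison_page_list later through sgx_encl_release()->sgx_free_epc_page() would keep that intent visible in the code rather than only in the changelog.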
-- 
2.43.5

