2ade0d6093
This has been shown in tests:
[ +0.000008] WARNING: CPU: 3 PID: 7620 at kernel/rcu/srcutree.c:374 cleanup_srcu_struct+0xed/0x100
This is essentially a use-after free, although SRCU notices it as
an SRCU cleanup in an invalid context.
== Background ==
SGX has a data structure (struct sgx_encl_mm) which keeps per-mm SGX
metadata. This is separate from struct sgx_encl because, in theory,
an enclave can be mapped from more than one mm. sgx_encl_mm includes
a pointer back to the sgx_encl.
This means that sgx_encl must have a longer lifetime than all of the
sgx_encl_mm's that point to it. That's usually the case: sgx_encl_mm
is freed only after the mmu_notifier is unregistered in sgx_release().
However, there's a race. If the process is exiting,
sgx_mmu_notifier_release() can be called in parallel with sgx_release()
instead of being called *by* it. The mmu_notifier path keeps encl_mm
alive past when sgx_encl can be freed. This inverts the lifetime rules
and means that sgx_mmu_notifier_release() can access a freed sgx_encl.
== Fix ==
Increase encl->refcount when encl_mm->encl is established. Release
this reference when encl_mm is freed. This ensures that encl outlives
encl_mm.
[ bp: Massage commit message. ]
Fixes:
|
||
|---|---|---|
| .. | ||
| mce | ||
| microcode | ||
| mtrr | ||
| resctrl | ||
| sgx | ||
| .gitignore | ||
| Makefile | ||
| acrn.c | ||
| amd.c | ||
| aperfmperf.c | ||
| bugs.c | ||
| cacheinfo.c | ||
| centaur.c | ||
| common.c | ||
| cpu.h | ||
| cpuid-deps.c | ||
| cyrix.c | ||
| feat_ctl.c | ||
| hygon.c | ||
| hypervisor.c | ||
| intel.c | ||
| intel_epb.c | ||
| intel_pconfig.c | ||
| match.c | ||
| mkcapflags.sh | ||
| mshyperv.c | ||
| perfctr-watchdog.c | ||
| powerflags.c | ||
| proc.c | ||
| rdrand.c | ||
| scattered.c | ||
| topology.c | ||
| transmeta.c | ||
| tsx.c | ||
| umc.c | ||
| umwait.c | ||
| vmware.c | ||
| zhaoxin.c | ||