On Mon, Feb 06, 2023 at 09:10:53AM -0800, Dave Hansen wrote:
> On 2/6/23 02:39, Jakob Koschel wrote:
> > If &encl_mm->encl->mm_list does not contain the searched 'encl_mm',
> > 'tmp' will not point to a valid sgx_encl_mm struct.
> >
> > Since the code within the guarded block is just called when the element
> > is found, it can simply be moved into the list iterator.
> > Within the list iterator 'tmp' is guaranteed to point to a valid
> > element.
> >
> > Signed-off-by: Jakob Koschel <jkl820.git@xxxxxxxxx>
> > ---
> > Linus proposed to avoid any use of the list iterator variable after the
> > loop, in the attempt to move the list iterator variable declaration into
> > the macro to avoid any potential misuse after the loop.
> > Using it in a pointer comparison after the loop is undefined behavior
> > and should be omitted if possible [1].
>
> I think there's a big difference between "undefined behavior" and
> "someone wants to flip a switch to *make* this undefined behavior". My
> understanding is that this patch avoids behavior which _is_ defined today.
>
> Is there some effort to change this behavior across the tree that I missed?
>
> In any case, this patch also kinda breaks the rule that you're supposed
> to make the common path through the code at the lowest nesting level.
> It makes the common case look like some kind of error handling. Would
> something like the attached patch work?
> diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c > index 68f8b18d2278..e1bd2a5790a7 100644 > --- a/arch/x86/kernel/cpu/sgx/encl.c > +++ b/arch/x86/kernel/cpu/sgx/encl.c > @@ -755,6 +755,7 @@ static void sgx_mmu_notifier_release(struct mmu_notifier *mn, > { > struct sgx_encl_mm *encl_mm = container_of(mn, struct sgx_encl_mm, mmu_notifier); > struct sgx_encl_mm *tmp = NULL; > + bool mm_found = false; Maybe just "found" ? (nit) > > /* > * The enclave itself can remove encl_mm. Note, objects can't be moved 
> @@ -764,12 +765,13 @@ static void sgx_mmu_notifier_release(struct mmu_notifier *mn, > list_for_each_entry(tmp, &encl_mm->encl->mm_list, list) { > if (tmp == encl_mm) { > list_del_rcu(&encl_mm->list); > + mm_found = true; > break; > } > } > spin_unlock(&encl_mm->encl->mm_lock); > > - if (tmp == encl_mm) { > + if (mm_found) { > synchronize_srcu(&encl_mm->encl->srcu); > mmu_notifier_put(mn); > } BR, Jarkko
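
Review bot: in the first hunk (the declarations at the top of sgx_mmu_notifier_release()), "struct sgx_encl_mm *tmp = NULL;" keeps its initializer even though, once mm_found is added, the lines shown no longer read tmp after the loop, and list_for_each_entry() assigns it before the first comparison. Dropping "= NULL" would make it plain that tmp is only a loop cursor and that the post-loop decision rests on the flag alone.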
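
Review bot: at "if (mm_found) {" in the second hunk, the common path (entry found and removed) is still nested one level, which is the style rule raised against the original patch. If nothing follows this block in the function, "if (!mm_found) return;" right after spin_unlock() would leave synchronize_srcu() and mmu_notifier_put() at the lowest nesting level. The flag is written under mm_lock and read after the unlock; that is fine for a local, and a short comment saying that the flag stands in for the old "tmp == encl_mm" test would help the next reader.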
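
Added example, not part of the thread and not kernel code: a userspace sketch of the point argued above, that after a list_for_each_entry() search that misses, the iterator is container_of() applied to the list head rather than a real element, next to the flag-based form from the quoted patch. The list helpers are simplified stand-ins for <linux/list.h>, and struct owner, struct entry and both function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified userspace stand-ins for the kernel's <linux/list.h> helpers. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))
static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}
/* Hypothetical types, loosely modelled on sgx_encl / sgx_encl_mm. */
struct owner { long flags; struct list_head mm_list; };
struct entry { int id; struct list_head list; };

/* 1 if, after a miss, tmp is container_of() of the list head: not a struct entry. */
static int miss_leaves_bogus_iterator(struct owner *o, struct entry *target)
{
	struct entry *tmp;
	list_for_each_entry(tmp, &o->mm_list, list)
		if (tmp == target)
			return 0; /* found: tmp is a real entry */
	return (char *)tmp == (char *)&o->mm_list - offsetof(struct entry, list);
}
/* Flag-based form, as in the quoted patch: tmp is never read after the loop. */
static int remove_if_listed(struct owner *o, struct entry *target)
{
	struct entry *tmp;
	int found = 0;
	list_for_each_entry(tmp, &o->mm_list, list) {
		if (tmp == target) {
			target->list.prev->next = target->list.next;
			target->list.next->prev = target->list.prev;
			found = 1;
			break;
		}
	}
	return found;
}
int main(void)
{
	struct owner o = { .mm_list = { &o.mm_list, &o.mm_list } };
	struct entry a = { .id = 1 }, stray = { .id = 2 };
	list_add_tail(&a.list, &o.mm_list);
	printf("%d %d %d\n", miss_leaves_bogus_iterator(&o, &stray),
	       remove_if_listed(&o, &stray), remove_if_listed(&o, &a));
	return 0;
}
```

With these layouts the leftover iterator points into struct owner, so a post-loop "tmp == target" test compares against an address that was never a struct entry.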