On Tue, Dec 12, 2017 at 01:46:48PM -0800, Sean Christopherson wrote:
> So it looks like you avoid the described case by moving B to the head of
> the list in sgx_eldu. The bug I am seeing is still straightforward to
> theorize:
>
> 1. Three VA pages. List = A->B->C
> 2. Fill A and B, use one entry in C. List = C->B->A
> 3. ELDU, freeing a slot in B. List = B->C->A
> 4. EWB, consuming the last slot in B. List = B->C->A
> 5. ELDU, freeing a slot in A. List = A->B->C
> 6. EWB, consuming the last slot in A. List = A->B->C
> 7. ELDU, but both A and B are full
> 8. Explode

I see. It is easy to fix by moving back to of the list immediately after
last allocation. Thanks for pointing this out.

/Jarkko