From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Will Deacon, Catalin Marinas, Linus Torvalds
Subject: [PATCH 4.9 33/91] arm64: Revert support for execute-only user mappings
Date: Sat, 11 Jan 2020 10:49:26 +0100
Message-Id: <20200111094857.366585437@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200111094844.748507863@linuxfoundation.org>
References: <20200111094844.748507863@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Catalin Marinas

commit 24cecc37746393432d994c0dbc251fb9ac7c5d72 upstream.

The ARMv8 64-bit architecture supports execute-only user permissions by clearing the PTE_USER and PTE_UXN bits, practically making it a mostly privileged mapping but from which user running at EL0 can still execute.

The downside, however, is that the kernel at EL1 inadvertently reading such mapping would not trip over the PAN (privileged access never) protection.

Revert the relevant bits from commit cab15ce604e5 ("arm64: Introduce execute-only page access permissions") so that PROT_EXEC implies PROT_READ (and therefore PTE_USER) until the architecture gains proper support for execute-only user mappings.

Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions")
Cc: # 4.9.x-
Acked-by: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm64/include/asm/pgtable-prot.h | 5 ++---
 arch/arm64/include/asm/pgtable.h | 10 +++-------
 arch/arm64/mm/fault.c | 2 +-
 mm/mmap.c | 6 ------
 4 files changed, 6 insertions(+), 17 deletions(-)

--- a/arch/arm64/include/asm/pgtable-prot.h +++ b/arch/arm64/include/asm/pgtable-prot.h
@@ -77,13 +77,12 @@ #define PAGE_COPY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN) #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN) #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN) -#define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_NG | PTE_PXN) #define __P000 PAGE_NONE #define __P001 PAGE_READONLY #define __P010 PAGE_COPY #define __P011 PAGE_COPY -#define __P100 PAGE_EXECONLY +#define __P100 PAGE_READONLY_EXEC #define __P101 PAGE_READONLY_EXEC #define __P110 PAGE_COPY_EXEC #define __P111 PAGE_COPY_EXEC @@ -92,7 +91,7 @@ #define __S001 PAGE_READONLY #define __S010 PAGE_SHARED #define __S011 PAGE_SHARED -#define __S100 PAGE_EXECONLY +#define __S100 PAGE_READONLY_EXEC #define __S101 PAGE_READONLY_EXEC #define __S110 PAGE_SHARED_EXEC #define __S111 PAGE_SHARED_EXEC --- a/arch/arm64/include/asm/pgtable.h +++ b/arch/arm64/include/asm/pgtable.h @@ -83,12 +83,8 @@ extern unsigned long empty_zero_page[PAG #define pte_dirty(pte) (pte_sw_dirty(pte) || pte_hw_dirty(pte)) #define pte_valid(pte) (!!(pte_val(pte) & PTE_VALID)) -/* - * Execute-only user mappings do not have the PTE_USER bit set. All valid - * kernel mappings have the PTE_UXN bit set. - */ #define pte_valid_not_user(pte) \ - ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN)) + ((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID) #define pte_valid_young(pte) \ ((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF)) #define pte_valid_user(pte) \ 
@@ -104,8 +100,8 @@ extern unsigned long empty_zero_page[PAG /* * p??_access_permitted() is true for valid user mappings (subject to the - * write permission check) other than user execute-only which do not have the - * PTE_USER bit set. PROT_NONE mappings do not have the PTE_VALID bit set. + * write permission check). PROT_NONE mappings do not have the PTE_VALID bit + * set. */ #define pte_access_permitted(pte, write) \ (pte_valid_user(pte) && (!(write) || pte_write(pte))) --- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -319,7 +319,7 @@ static int __kprobes do_page_fault(unsig struct task_struct *tsk; struct mm_struct *mm; int fault, sig, code; - unsigned long vm_flags = VM_READ | VM_WRITE; + unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC; unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE; if (notify_page_fault(regs, esr)) --- a/mm/mmap.c +++ b/mm/mmap.c @@ -87,12 +87,6 @@ static void unmap_region(struct mm_struc * MAP_PRIVATE r: (no) no r: (yes) yes r: (no) yes r: (no) yes * w: (no) no w: (no) no w: (copy) copy w: (no) no * x: (no) no x: (no) yes x: (no) yes x: (yes) yes - * - * On arm64, PROT_EXEC has the following behaviour for both MAP_SHARED and - * MAP_PRIVATE: - * r: (no) no - * w: (no) no - * x: (yes) yes */ pgprot_t protection_map[16] = { __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
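Review bot: In arch/arm64/include/asm/pgtable-prot.h, the new `#define __P100 PAGE_READONLY_EXEC` and `#define __S100 PAGE_READONLY_EXEC` entries are now identical to __P101 and __S101, and nothing at the definitions says the aliasing is deliberate. A PROT_EXEC-only request now silently yields a user-readable page, so a short comment above the __P100 and __S100 entries stating that PROT_EXEC implies PROT_READ on arm64, because a mapping without PTE_USER is not caught by PAN, would keep someone from reintroducing PAGE_EXECONLY as a cleanup. The mm/mmap.c hunk removes the only comment that described the arm64 row of the protection table, so that table is a candidate place for the replacement wording.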
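Review bot: In arch/arm64/include/asm/pgtable.h, pte_valid_not_user() loses its explanatory comment while its test is loosened to `(pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID`, so the macro now rests on an unstated invariant: every valid user PTE has PTE_USER set. That holds only because PAGE_EXECONLY is deleted in the same patch. A one-line comment in place of the removed block, saying that user mappings always carry PTE_USER, would make the dependency visible to anyone who later adds a user protection without that bit.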
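Review bot: In do_page_fault() in arch/arm64/mm/fault.c, the default mask becomes `unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC;` with no comment on why VM_EXEC belongs in it. The code that consumes vm_flags is outside the context shown, so a reader has to infer from the commit message that this follows from PROT_EXEC implying PROT_READ; a comment on the initializer saying so would help. Since this is a 4.9 backport, it is also worth confirming how the rest of the function in that tree uses the wider default.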