From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Catalin Marinas, Will Deacon, Vladimir Murzin
Subject: [PATCH 5.16 098/121] arm64: Ensure execute-only permissions are not allowed without EPAN
Date: Mon, 14 Mar 2022 12:54:41 +0100
Message-Id: <20220314112746.848735404@linuxfoundation.org>
In-Reply-To: <20220314112744.120491875@linuxfoundation.org>
References: <20220314112744.120491875@linuxfoundation.org>

From: Catalin Marinas

commit 6e2edd6371a497a6350bb735534c9bda2a31f43d upstream.

Commit 18107f8a2df6 ("arm64: Support execute-only permissions with Enhanced PAN") re-introduced execute-only permissions when EPAN is available. When EPAN is not available, arch_filter_pgprot() is supposed to change a PAGE_EXECONLY permission into PAGE_READONLY_EXEC. However, if BTI or MTE are present, such check does not detect the execute-only pgprot in the presence of PTE_GP (BTI) or MT_NORMAL_TAGGED (MTE), allowing the user to request PROT_EXEC with PROT_BTI or PROT_MTE.

Remove the arch_filter_pgprot() function, change the default VM_EXEC permissions to PAGE_READONLY_EXEC and update the protection_map[] array at core_initcall() if EPAN is detected.

Signed-off-by: Catalin Marinas
Fixes: 18107f8a2df6 ("arm64: Support execute-only permissions with Enhanced PAN")
Cc: # 5.13.x
Acked-by: Will Deacon
Reviewed-by: Vladimir Murzin
Tested-by: Vladimir Murzin
Signed-off-by: Greg Kroah-Hartman --- arch/arm64/Kconfig | 3 --- arch/arm64/include/asm/pgtable-prot.h | 4 ++-- arch/arm64/include/asm/pgtable.h | 11 ----------- arch/arm64/mm/mmap.c | 17 +++++++++++++++++ 4 files changed, 19 insertions(+), 16 deletions(-) --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1264,9 +1264,6 @@ config HW_PERF_EVENTS def_bool y depends on ARM_PMU -config ARCH_HAS_FILTER_PGPROT - def_bool y - # Supported by clang >= 7.0 config CC_HAVE_SHADOW_CALL_STACK def_bool $(cc-option, -fsanitize=shadow-call-stack -ffixed-x18) --- a/arch/arm64/include/asm/pgtable-prot.h +++ b/arch/arm64/include/asm/pgtable-prot.h @@ -92,7 +92,7 @@ extern bool arm64_use_ng_mappings; #define __P001 PAGE_READONLY #define __P010 PAGE_READONLY #define __P011 PAGE_READONLY -#define __P100 PAGE_EXECONLY +#define __P100 PAGE_READONLY_EXEC /* PAGE_EXECONLY if Enhanced PAN */ #define __P101 PAGE_READONLY_EXEC #define __P110 PAGE_READONLY_EXEC #define __P111 PAGE_READONLY_EXEC @@ -101,7 +101,7 @@ extern bool arm64_use_ng_mappings; #define __S001 PAGE_READONLY #define __S010 PAGE_SHARED #define __S011 PAGE_SHARED -#define __S100 PAGE_EXECONLY +#define __S100 PAGE_READONLY_EXEC /* PAGE_EXECONLY if Enhanced PAN */ #define __S101 PAGE_READONLY_EXEC #define __S110 PAGE_SHARED_EXEC #define __S111 PAGE_SHARED_EXEC --- a/arch/arm64/include/asm/pgtable.h +++ b/arch/arm64/include/asm/pgtable.h @@ -1017,17 +1017,6 @@ static inline bool arch_wants_old_prefau } #define arch_wants_old_prefaulted_pte arch_wants_old_prefaulted_pte -static inline pgprot_t arch_filter_pgprot(pgprot_t prot) -{ - if (cpus_have_const_cap(ARM64_HAS_EPAN)) - return prot; - - if (pgprot_val(prot) != pgprot_val(PAGE_EXECONLY)) - return prot; - - return PAGE_READONLY_EXEC; -} - static inline bool pud_sect_supported(void) { return PAGE_SIZE == SZ_4K; --- a/arch/arm64/mm/mmap.c +++ b/arch/arm64/mm/mmap.c @@ -7,8 +7,10 @@ #include #include +#include #include +#include #include /* 
@@ -38,3 +40,18 @@ int valid_mmap_phys_addr_range(unsigned { return !(((pfn << PAGE_SHIFT) + size) & ~PHYS_MASK); } + +static int __init adjust_protection_map(void) +{ + /* + * With Enhanced PAN we can honour the execute-only permissions as + * there is no PAN override with such mappings. + */ + if (cpus_have_const_cap(ARM64_HAS_EPAN)) { + protection_map[VM_EXEC] = PAGE_EXECONLY; + protection_map[VM_EXEC | VM_SHARED] = PAGE_EXECONLY; + } + + return 0; +} +arch_initcall(adjust_protection_map);
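
Review bot: in arch/arm64/mm/mmap.c, adjust_protection_map() is registered with arch_initcall(), while the changelog says protection_map[] is updated at core_initcall(); one of the two should be corrected so the description matches the code. A sentence in the function comment on why this initcall level is early enough for the override would also help a later reader.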
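
Review bot: in arch/arm64/include/asm/pgtable-prot.h, the new comments on __P100 and __S100 say "PAGE_EXECONLY if Enhanced PAN" without saying where that substitution happens. Naming adjust_protection_map() in arch/arm64/mm/mmap.c there would make the runtime override discoverable, and would document that it relies on protection_map[VM_EXEC] and protection_map[VM_EXEC | VM_SHARED] being the slots initialised from __P100 and __S100.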
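
Review bot: no regression test accompanies the removal of arch_filter_pgprot() in arch/arm64/include/asm/pgtable.h, although the changelog identifies a precise failing case: the removed check compared the whole value with `pgprot_val(prot) != pgprot_val(PAGE_EXECONLY)`, so it missed an execute-only pgprot once PTE_GP or MT_NORMAL_TAGGED was set. A test that requests PROT_EXEC together with PROT_BTI or PROT_MTE on a system without EPAN and confirms the result is not execute-only would keep this from regressing.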