arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives

Commit 439e70e27a51 upstream.

The identity map is mapped as both writeable and executable by the
SWAPPER_MM_MMUFLAGS and this is relied upon by the kpti code to manage
a synchronisation flag. Update the .pushsection flags to reflect the
actual mapping attributes.

Reported-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1449a173a2ee0db4fef6669c1bdc71a5561cb267)

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/arch/arm64/kernel/cpu-reset.S b/arch/arm64/kernel/cpu-reset.S
index 2a752cb2a0f35a82f2a60e744d160af9b5f6c6a1..8021b46c97431da9488003675db95f7aa24c671d 100644 (file)
--- a/arch/arm64/kernel/cpu-reset.S
+++ b/arch/arm64/kernel/cpu-reset.S
@@ -16,7 +16,7 @@
 #include <asm/virt.h>
 
 .text
-.pushsection    .idmap.text, "ax"
+.pushsection    .idmap.text, "awx"
 
 /*
  * __cpu_soft_restart(el2_switch, entry, arg0, arg1, arg2) - Helper for

diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
index 6657ae4f3c7a39cf141827359d67f72f1baecd51..261f3f88364c018630cc28e109e4faa156d966e3 100644 (file)
--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -371,7 +371,7 @@ ENDPROC(__primary_switched)
  * end early head section, begin head code that is also used for
  * hotplug and needs to have the same protections as the text region
  */
-       .section ".idmap.text","ax"
+       .section ".idmap.text","awx"
 
 ENTRY(kimage_vaddr)
        .quad           _text - TEXT_OFFSET

diff --git a/arch/arm64/kernel/sleep.S b/arch/arm64/kernel/sleep.S
index df67652e46f0de3fcfcfa18dbf5d69c7a97815a1..5a4fbcc744d2c88d642ab2277c0471f9d73533b8 100644 (file)
--- a/arch/arm64/kernel/sleep.S
+++ b/arch/arm64/kernel/sleep.S
@@ -95,7 +95,7 @@ ENTRY(__cpu_suspend_enter)
        ret
 ENDPROC(__cpu_suspend_enter)
 
-       .pushsection ".idmap.text", "ax"
+       .pushsection ".idmap.text", "awx"
 ENTRY(cpu_resume)
        bl      el2_setup               // if in EL2 drop to EL1 cleanly
        bl      __cpu_setup

diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
index 68eabe878dad1cb632985d59468438300929b07e..c25e58bc29100542eb8aac896328a97b5368fc44 100644 (file)
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -86,7 +86,7 @@ ENDPROC(cpu_do_suspend)
  *
  * x0: Address of context pointer
  */
-       .pushsection ".idmap.text", "ax"
+       .pushsection ".idmap.text", "awx"
 ENTRY(cpu_do_resume)
        ldp     x2, x3, [x0]
        ldp     x4, x5, [x0, #16]
@@ -152,7 +152,7 @@ ENTRY(cpu_do_switch_mm)
        ret
 ENDPROC(cpu_do_switch_mm)
 
-       .pushsection ".idmap.text", "ax"
+       .pushsection ".idmap.text", "awx"
 
 .macro __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2
        adrp    \tmp1, empty_zero_page
@@ -185,7 +185,7 @@ ENDPROC(idmap_cpu_replace_ttbr1)
        .popsection
 
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
-       .pushsection ".idmap.text", "ax"
+       .pushsection ".idmap.text", "awx"
 
        .macro  __idmap_kpti_get_pgtable_ent, type
        dc      cvac, cur_\()\type\()p          // Ensure any existing dirty
@@ -373,7 +373,7 @@ ENDPROC(idmap_kpti_install_ng_mappings)
  *     Initialise the processor for turning the MMU on.  Return in x0 the
  *     value of the SCTLR_EL1 register.
  */
-       .pushsection ".idmap.text", "ax"
+       .pushsection ".idmap.text", "awx"
 ENTRY(__cpu_setup)
        tlbi    vmalle1                         // Invalidate local TLB
        dsb     nsh