From patchwork Wed Apr 25 14:13:31 2018
X-Patchwork-Submitter: Jeffrey Hugo
X-Patchwork-Id: 10363305
From: Jeffrey Hugo
To: linux-arm-kernel@lists.infradead.org
Cc: Mark Rutland, Kees Cook, Ard Biesheuvel, Jeffrey Hugo, Catalin Marinas, Timur Tabi, Will Deacon, Jan Glauber, Laura Abbott
Subject: [PATCH] arm64: mm: Fix false positives in W+X checking
Date: Wed, 25 Apr 2018 08:13:31 -0600
Message-Id: <1524665611-14040-1-git-send-email-jhugo@codeaurora.org>

load_module() creates W+X mappings via __vmalloc_node_range() (from
layout_and_allocate()->move_module()->module_alloc()) by using
PAGE_KERNEL_EXEC. These mappings are later cleaned up via
"call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module().

This is a problem because call_rcu_sched() queues work, which can be run
after debug_checkwx() is run, resulting in a race condition. If hit, the
race results in a nasty splat about insecure W+X mappings, which results
in a poor user experience as these are not the mappings that
debug_checkwx() is intended to catch.

Address the race by flushing the queued work before running
debug_checkwx().

Reported-by: Timur Tabi
Reported-by: Jan Glauber
Fixes: 1404d6f13e47 ("arm64: dump: Add checking for writable and exectuable pages")
Signed-off-by: Jeffrey Hugo
--- arch/arm64/mm/mmu.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 2dbb2c9..40d45fd 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c 
@@ -503,6 +503,12 @@ void mark_rodata_ro(void) update_mapping_prot(__pa_symbol(__start_rodata), (unsigned long)__start_rodata, section_size, PAGE_KERNEL_RO); + /* + * load_module() results in W+X mappings, which are cleaned up with + * call_rcu_sched(). Let's make sure that queued work is flushed so + * that we don't hit false positives. + */ + rcu_barrier_sched(); debug_checkwx(); }
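Review bot: rcu_barrier_sched(), placed just before debug_checkwx(), only waits for do_free_init callbacks that call_rcu_sched() has already queued, so a load_module() that has created its PAGE_KERNEL_EXEC mapping but has not yet reached do_init_module() can still be reported. The new comment's "so that we don't hit false positives" should either be worded as narrowing the window or explain why that remaining case cannot occur at this point in boot. The barrier also runs on every call to mark_rodata_ro() whether or not debug_checkwx() does any work, and nothing in the cause the comment describes is arm64-specific, so consider moving the flush to the generic caller of mark_rodata_ro(), guarded by the same condition that enables the check.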