From patchwork Thu Sep 7 17:36:07 2017
X-Patchwork-Submitter: Tycho Andersen
X-Patchwork-Id: 9942601
From: Tycho Andersen
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, kernel-hardening@lists.openwall.com, Marco Benatto, Juerg Haefliger, Tycho Andersen, linux-arm-kernel@lists.infradead.org
Date: Thu, 7 Sep 2017 11:36:07 -0600
Message-Id: <20170907173609.22696-10-tycho@docker.com>
In-Reply-To: <20170907173609.22696-1-tycho@docker.com>
References: <20170907173609.22696-1-tycho@docker.com>
Subject: [kernel-hardening] [PATCH v6 09/11] arm64/mm: disable section/contiguous mappings if XPFO is enabled

XPFO doesn't support section/contiguous mappings yet, so let's disable it if XPFO is turned on.

Thanks to Laura Abbot for the simplification from v5, and Mark Rutland for pointing out we need NO_CONT_MAPPINGS too.

CC: linux-arm-kernel@lists.infradead.org
Signed-off-by: Tycho Andersen
--- arch/arm64/mm/mmu.c | 2 +- include/linux/xpfo.h | 4 ++++ mm/xpfo.c | 6 ++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index f1eb15e0e864..34bb95303cce 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c
@@ -420,7 +420,7 @@ static void __init map_mem(pgd_t *pgd) struct memblock_region *reg; int flags = 0; - if (debug_pagealloc_enabled()) + if (debug_pagealloc_enabled() || xpfo_enabled()) flags = NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS; /* diff --git a/include/linux/xpfo.h b/include/linux/xpfo.h index d37a06c9d62c..1693af1a0293 100644 --- a/include/linux/xpfo.h +++ b/include/linux/xpfo.h @@ -43,6 +43,8 @@ void xpfo_temp_map(const void *addr, size_t size, void **mapping, void xpfo_temp_unmap(const void *addr, size_t size, void **mapping, size_t mapping_len); +bool xpfo_enabled(void); + #else /* !CONFIG_XPFO */ static inline void xpfo_kmap(void *kaddr, struct page *page) { } @@ -65,6 +67,8 @@ static inline void xpfo_temp_unmap(const void *addr, size_t size, } +static inline bool xpfo_enabled(void) { return false; } + #endif /* CONFIG_XPFO */ #endif /* _LINUX_XPFO_H */ diff --git a/mm/xpfo.c b/mm/xpfo.c index f79075bf7d65..25fba05d01bd 100644 --- a/mm/xpfo.c +++ b/mm/xpfo.c @@ -70,6 +70,12 @@ struct page_ext_operations page_xpfo_ops = { .init = init_xpfo, }; +bool __init xpfo_enabled(void) +{ + return !xpfo_disabled; +} +EXPORT_SYMBOL(xpfo_enabled); + static inline struct xpfo *lookup_xpfo(struct page *page) { struct page_ext *page_ext = lookup_page_ext(page);
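Review bot: In the map_mem() hunk of arch/arm64/mm/mmu.c, the added `|| xpfo_enabled()` is evaluated while the linear map is being built in early __init code, so it only works if xpfo_disabled already holds its final value at that point. The patch does not show where xpfo_disabled is set; please confirm it is settled before map_mem() runs, because otherwise the choice of NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS is made on the variable's initial value rather than on the configured one. The diffstat shows a one-line change to mmu.c, so no include of linux/xpfo.h is added here; name the earlier patch in the series that provides it, or add it in this one.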
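Review bot: The two include/linux/xpfo.h hunks add `bool xpfo_enabled(void);` and the !CONFIG_XPFO stub without a comment saying what "enabled" means. With CONFIG_XPFO the result is a boot-time setting (the definition returns !xpfo_disabled), while without it the result is the constant false; a one-line comment above the prototype stating that, and that the function is meant for init-time callers, would keep later users from treating it as a general runtime query.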
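Review bot: In the mm/xpfo.c hunk, `bool __init xpfo_enabled(void)` is followed by `EXPORT_SYMBOL(xpfo_enabled);`, which exports a function placed in init memory. That memory is discarded after boot, so a module that resolves this symbol would call into freed text. The only caller in this patch is map_mem(), which is built in and itself __init, so drop the EXPORT_SYMBOL; if runtime or module callers are intended, drop __init instead.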