Patch "arm64: mm: Map entry trampoline into trampoline and kernel page tables" has been added to the 4.9-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    arm64: mm: Map entry trampoline into trampoline and kernel page tables

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     arm64-mm-map-entry-trampoline-into-trampoline-and-kernel-page-tables.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Thu Apr  5 21:39:27 CEST 2018
From: Mark Rutland <mark.rutland@arm.com>
Date: Tue,  3 Apr 2018 12:09:05 +0100
Subject: arm64: mm: Map entry trampoline into trampoline and kernel page tables
To: stable@vger.kernel.org
Cc: mark.brown@linaro.org, ard.biesheuvel@linaro.org, marc.zyngier@arm.com, will.deacon@arm.com
Message-ID: <20180403110923.43575-10-mark.rutland@arm.com>

From: Will Deacon <will.deacon@arm.com>

commit 51a0048beb44 upstream.

The exception entry trampoline needs to be mapped at the same virtual
address in both the trampoline page table (which maps nothing else)
and also the kernel page table, so that we can swizzle TTBR1_EL1 on
exceptions from and return to EL0.

This patch maps the trampoline at a fixed virtual address in the fixmap
area of the kernel virtual address space, which allows the kernel proper
to be randomized with respect to the trampoline when KASLR is enabled.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org>
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Will Deacon <will.deacon@arm.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/fixmap.h  |    5 +++++
 arch/arm64/include/asm/pgtable.h |    1 +
 arch/arm64/kernel/asm-offsets.c  |    6 +++++-
 arch/arm64/mm/mmu.c              |   23 +++++++++++++++++++++++
 4 files changed, 34 insertions(+), 1 deletion(-)

--- a/arch/arm64/include/asm/fixmap.h
+++ b/arch/arm64/include/asm/fixmap.h
@@ -51,6 +51,11 @@ enum fixed_addresses {
 
 	FIX_EARLYCON_MEM_BASE,
 	FIX_TEXT_POKE0,
+
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+	FIX_ENTRY_TRAMP_TEXT,
+#define TRAMP_VALIAS		(__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))
+#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
 	__end_of_permanent_fixed_addresses,
 
 	/*
--- a/arch/arm64/include/asm/pgtable.h
+++ b/arch/arm64/include/asm/pgtable.h
@@ -692,6 +692,7 @@ static inline void pmdp_set_wrprotect(st
 
 extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
 extern pgd_t idmap_pg_dir[PTRS_PER_PGD];
+extern pgd_t tramp_pg_dir[PTRS_PER_PGD];
 
 /*
  * Encode and decode a swap entry:
--- a/arch/arm64/kernel/asm-offsets.c
+++ b/arch/arm64/kernel/asm-offsets.c
@@ -24,6 +24,7 @@
 #include <linux/kvm_host.h>
 #include <linux/suspend.h>
 #include <asm/cpufeature.h>
+#include <asm/fixmap.h>
 #include <asm/thread_info.h>
 #include <asm/memory.h>
 #include <asm/smp_plat.h>
@@ -144,11 +145,14 @@ int main(void)
   DEFINE(ARM_SMCCC_RES_X2_OFFS,		offsetof(struct arm_smccc_res, a2));
   DEFINE(ARM_SMCCC_QUIRK_ID_OFFS,	offsetof(struct arm_smccc_quirk, id));
   DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS,	offsetof(struct arm_smccc_quirk, state));
-
   BLANK();
   DEFINE(HIBERN_PBE_ORIG,	offsetof(struct pbe, orig_address));
   DEFINE(HIBERN_PBE_ADDR,	offsetof(struct pbe, address));
   DEFINE(HIBERN_PBE_NEXT,	offsetof(struct pbe, next));
   DEFINE(ARM64_FTR_SYSVAL,	offsetof(struct arm64_ftr_reg, sys_val));
+  BLANK();
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+  DEFINE(TRAMP_VALIAS,		TRAMP_VALIAS);
+#endif
   return 0;
 }
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -419,6 +419,29 @@ static void __init map_kernel_segment(pg
 	vm_area_add_early(vma);
 }
 
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+static int __init map_entry_trampoline(void)
+{
+	extern char __entry_tramp_text_start[];
+
+	pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;
+	phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start);
+
+	/* The trampoline is always mapped and can therefore be global */
+	pgprot_val(prot) &= ~PTE_NG;
+
+	/* Map only the text into the trampoline page table */
+	memset(tramp_pg_dir, 0, PGD_SIZE);
+	__create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE,
+			     prot, pgd_pgtable_alloc, 0);
+
+	/* ...as well as the kernel page table */
+	__set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot);
+	return 0;
+}
+core_initcall(map_entry_trampoline);
+#endif
+
 /*
  * Create fine-grained mappings for the kernel.
  */


Patches currently in stable-queue which might be from mark.rutland@arm.com are

queue-4.9/arm64-mm-add-arm64_kernel_unmapped_at_el0-helper.patch
queue-4.9/arm64-entry-reword-comment-about-post_ttbr_update_workaround.patch
queue-4.9/arm64-kaslr-put-kernel-vectors-address-in-separate-data-page.patch
queue-4.9/arm64-turn-on-kpti-only-on-cpus-that-need-it.patch
queue-4.9/arm64-force-kpti-to-be-disabled-on-cavium-thunderx.patch
queue-4.9/arm64-mm-allocate-asids-in-pairs.patch
queue-4.9/arm64-tls-avoid-unconditional-zeroing-of-tpidrro_el0-for-native-tasks.patch
queue-4.9/arm64-use-ret-instruction-for-exiting-the-trampoline.patch
queue-4.9/arm64-entry-explicitly-pass-exception-level-to-kernel_ventry-macro.patch
queue-4.9/arm64-kpti-make-use-of-ng-dependent-on-arm64_kernel_unmapped_at_el0.patch
queue-4.9/arm64-mm-use-non-global-mappings-for-kernel-space.patch
queue-4.9/arm64-capabilities-handle-duplicate-entries-for-a-capability.patch
queue-4.9/arm64-entry-hook-up-entry-trampoline-to-exception-vectors.patch
queue-4.9/arm64-mm-invalidate-both-kernel-and-user-asids-when-performing-tlbi.patch
queue-4.9/arm64-mm-map-entry-trampoline-into-trampoline-and-kernel-page-tables.patch
queue-4.9/module-extend-rodata-off-boot-cmdline-parameter-to-module-mappings.patch
queue-4.9/arm64-kconfig-reword-unmap_kernel_at_el0-kconfig-entry.patch
queue-4.9/arm64-mm-move-asid-from-ttbr0-to-ttbr1.patch
queue-4.9/arm64-allow-checking-of-a-cpu-local-erratum.patch
queue-4.9/arm64-take-into-account-id_aa64pfr0_el1.csv3.patch
queue-4.9/arm64-kconfig-add-config_unmap_kernel_at_el0.patch
queue-4.9/arm64-idmap-use-awx-flags-for-.idmap.text-.pushsection-directives.patch
queue-4.9/arm64-factor-out-entry-stack-manipulation.patch
queue-4.9/arm64-entry-add-exception-trampoline-page-for-exceptions-from-el0.patch
queue-4.9/arm64-kpti-add-enable-callback-to-remap-swapper-using-ng-mappings.patch
queue-4.9/arm64-entry-add-fake-cpu-feature-for-unmapping-the-kernel-at-el0.patch
queue-4.9/arm64-cputype-add-midr-values-for-cavium-thunderx2-cpus.patch