From owner-svn-src-head@freebsd.org  Thu Nov  1 22:23:17 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 59EE610DB29D;
 Thu,  1 Nov 2018 22:23:17 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 0B48B8F78E;
 Thu,  1 Nov 2018 22:23:17 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E079121E7F;
 Thu,  1 Nov 2018 22:23:16 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wA1MNGrV038655;
 Thu, 1 Nov 2018 22:23:16 GMT (envelope-from jhb@FreeBSD.org)
Received: (from jhb@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id wA1MNGHF038652;
 Thu, 1 Nov 2018 22:23:16 GMT (envelope-from jhb@FreeBSD.org)
Message-Id: <201811012223.wA1MNGHF038652@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org
 using -f
From: John Baldwin <jhb@FreeBSD.org>
Date: Thu, 1 Nov 2018 22:23:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r340030 - in head/sys/riscv: include riscv
X-SVN-Group: head
X-SVN-Commit-Author: jhb
X-SVN-Commit-Paths: in head/sys/riscv: include riscv
X-SVN-Commit-Revision: 340030
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2018 22:23:17 -0000

Author: jhb
Date: Thu Nov  1 22:23:15 2018
New Revision: 340030
URL: https://svnweb.freebsd.org/changeset/base/340030

Log:
  Restrict setting PTE execute permissions on RISC-V.
  
  Previously, RISC-V was enabling execute permissions in PTEs for any
  readable page.  Now, execute permissions are only enabled if they were
  explicitly specified (e.g. via PROT_EXEC to mmap).  The one exception
  is that the initial kernel mapping in locore still maps all of the
  kernel RWX.
  
  While here, change the fault type passed to vm_fault and
  pmap_fault_fixup to only include a single VM_PROT_* value representing
  the faulting access to match other architectures rather than passing a
  bitmask.
  
  Reviewed by:	markj
  Sponsored by:	DARPA
  Differential Revision:	https://reviews.freebsd.org/D17783

Modified:
  head/sys/riscv/include/pte.h
  head/sys/riscv/riscv/locore.S
  head/sys/riscv/riscv/pmap.c
  head/sys/riscv/riscv/trap.c

Modified: head/sys/riscv/include/pte.h
==============================================================================
--- head/sys/riscv/include/pte.h	Thu Nov  1 22:17:51 2018	(r340029)
+++ head/sys/riscv/include/pte.h	Thu Nov  1 22:23:15 2018	(r340030)
@@ -78,7 +78,7 @@ typedef	uint64_t	pn_t;			/* page number */
 #define	PTE_V		(1 << 0) /* Valid */
 #define	PTE_RWX		(PTE_R | PTE_W | PTE_X)
 #define	PTE_RX		(PTE_R | PTE_X)
-#define	PTE_KERN	(PTE_V | PTE_RWX | PTE_A | PTE_D)
+#define	PTE_KERN	(PTE_V | PTE_R | PTE_W | PTE_A | PTE_D)
 
 #define	PTE_PPN0_S	10
 #define	PTE_PPN1_S	19

Modified: head/sys/riscv/riscv/locore.S
==============================================================================
--- head/sys/riscv/riscv/locore.S	Thu Nov  1 22:17:51 2018	(r340029)
+++ head/sys/riscv/riscv/locore.S	Thu Nov  1 22:23:15 2018	(r340030)
@@ -94,7 +94,7 @@ _start:
 	add	t3, t4, t2
 	li	t5, 0
 2:
-	li	t0, (PTE_KERN)
+	li	t0, (PTE_KERN | PTE_X)
 	slli	t2, t4, PTE_PPN1_S	/* << PTE_PPN1_S */
 	or	t5, t0, t2
 	sd	t5, (s1)		/* Store PTE entry to position */

Modified: head/sys/riscv/riscv/pmap.c
==============================================================================
--- head/sys/riscv/riscv/pmap.c	Thu Nov  1 22:17:51 2018	(r340029)
+++ head/sys/riscv/riscv/pmap.c	Thu Nov  1 22:23:15 2018	(r340030)
@@ -2010,7 +2010,7 @@ pmap_protect(pmap_t pmap, vm_offset_t sva, vm_offset_t
 }
 
 int
-pmap_fault_fixup(pmap_t pmap, vm_offset_t va, vm_prot_t prot)
+pmap_fault_fixup(pmap_t pmap, vm_offset_t va, vm_prot_t ftype)
 {
 	pt_entry_t orig_l3;
 	pt_entry_t new_l3;
@@ -2027,12 +2027,13 @@ pmap_fault_fixup(pmap_t pmap, vm_offset_t va, vm_prot_
 
 	orig_l3 = pmap_load(l3);
 	if ((orig_l3 & PTE_V) == 0 ||
-	    ((prot & VM_PROT_WRITE) != 0 && (orig_l3 & PTE_W) == 0) ||
-	    ((prot & VM_PROT_READ) != 0 && (orig_l3 & PTE_R) == 0))
+	    (ftype == VM_PROT_WRITE && (orig_l3 & PTE_W) == 0) ||
+	    (ftype == VM_PROT_EXECUTE && (orig_l3 & PTE_X) == 0) ||
+	    (ftype == VM_PROT_READ && (orig_l3 & PTE_R) == 0))
 		goto done;
 
 	new_l3 = orig_l3 | PTE_A;
-	if ((prot & VM_PROT_WRITE) != 0)
+	if (ftype == VM_PROT_WRITE)
 		new_l3 |= PTE_D;
 
 	if (orig_l3 != new_l3) {
@@ -2088,7 +2089,9 @@ pmap_enter(pmap_t pmap, vm_offset_t va, vm_page_t m, v
 	pa = VM_PAGE_TO_PHYS(m);
 	pn = (pa / PAGE_SIZE);
 
-	new_l3 = PTE_V | PTE_R | PTE_X | PTE_A;
+	new_l3 = PTE_V | PTE_R | PTE_A;
+	if (prot & VM_PROT_EXECUTE)
+		new_l3 |= PTE_X;
 	if (flags & VM_PROT_WRITE)
 		new_l3 |= PTE_D;
 	if (prot & VM_PROT_WRITE)
@@ -2464,7 +2467,9 @@ pmap_enter_quick_locked(pmap_t pmap, vm_offset_t va, v
 	pa = VM_PAGE_TO_PHYS(m);
 	pn = (pa / PAGE_SIZE);
 
-	entry = (PTE_V | PTE_R | PTE_X);
+	entry = PTE_V | PTE_R;
+	if (prot & VM_PROT_EXECUTE)
+		entry |= PTE_X;
 	entry |= (pn << PTE_PPN0_S);
 
 	/*

Modified: head/sys/riscv/riscv/trap.c
==============================================================================
--- head/sys/riscv/riscv/trap.c	Thu Nov  1 22:17:51 2018	(r340029)
+++ head/sys/riscv/riscv/trap.c	Thu Nov  1 22:23:15 2018	(r340030)
@@ -207,9 +207,11 @@ data_abort(struct trapframe *frame, int lower)
 
 	if ((frame->tf_scause == EXCP_FAULT_STORE) ||
 	    (frame->tf_scause == EXCP_STORE_PAGE_FAULT)) {
-		ftype = (VM_PROT_READ | VM_PROT_WRITE);
+		ftype = VM_PROT_WRITE;
+	} else if (frame->tf_scause == EXCP_INST_PAGE_FAULT) {
+		ftype = VM_PROT_EXECUTE;
 	} else {
-		ftype = (VM_PROT_READ);
+		ftype = VM_PROT_READ;
 	}
 
 	if (pmap_fault_fixup(map->pmap, va, ftype))