From a2481d09aa76bf50da6d9ce0b5607920988fccac Mon Sep 17 00:00:00 2001
From: Sascha Hauer <s.hauer@pengutronix.de>
Date: Thu, 26 Mar 2020 09:03:03 +0100
Subject: arm64: Set PXN/UXN attributes for uncached mem

The attributes should be set to avoid speculative access to memory-mapped
peripherals.

The patch has been tested with:

noinline unsigned long nox(void)
{
	return get_pc();
}

static void xn_test(void)
{
	void *adr = (void *)SOME_SRAM_ADDRESS;
	unsigned long ret;
	unsigned long (*fn)(void) = adr;

	memcpy(adr, nox, 0x1000);

	sync_caches_for_execution();

	ret = fn();
	printf("pc: 0x%08lx\n", ret);
}

Without this patch nox() gets executed in SRAM, with it runs into a
abort as expected.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 arch/arm/cpu/mmu-early_64.c |  3 ++-
 arch/arm/cpu/mmu_64.c       |  4 ++--
 arch/arm/cpu/mmu_64.h       | 17 +++++++++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/arch/arm/cpu/mmu-early_64.c b/arch/arm/cpu/mmu-early_64.c
index 94e372637a..a7598f28aa 100644
--- a/arch/arm/cpu/mmu-early_64.c
+++ b/arch/arm/cpu/mmu-early_64.c
@@ -67,7 +67,8 @@ void mmu_early_enable(unsigned long membase, unsigned long memsize,
 
 	el = current_el();
 	set_ttbr_tcr_mair(el, ttb, calc_tcr(el, EARLY_BITS_PER_VA), MEMORY_ATTRIBUTES);
-	create_sections((void *)ttb, 0, 0, 1UL << (EARLY_BITS_PER_VA - 1), UNCACHED_MEM);
+	create_sections((void *)ttb, 0, 0, 1UL << (EARLY_BITS_PER_VA - 1),
+			attrs_uncached_mem());
 	create_sections((void *)ttb, membase, membase, memsize, CACHED_MEM);
 	tlb_invalidate();
 	isb();
diff --git a/arch/arm/cpu/mmu_64.c b/arch/arm/cpu/mmu_64.c
index 8181658952..14d955cd96 100644
--- a/arch/arm/cpu/mmu_64.c
+++ b/arch/arm/cpu/mmu_64.c
@@ -165,7 +165,7 @@ int arch_remap_range(void *_start, size_t size, unsigned flags)
 		attrs = CACHED_MEM;
 		break;
 	case MAP_UNCACHED:
-		attrs = UNCACHED_MEM;
+		attrs = attrs_uncached_mem();
 		break;
 	default:
 		return -EINVAL;
@@ -201,7 +201,7 @@ void __mmu_init(bool mmu_on)
 	pr_debug("ttb: 0x%p\n", ttb);
 
 	/* create a flat mapping */
-	create_sections(0, 0, 1UL << (BITS_PER_VA - 1), UNCACHED_MEM);
+	create_sections(0, 0, 1UL << (BITS_PER_VA - 1), attrs_uncached_mem());
 
 	/* Map sdram cached. */
 	for_each_memory_bank(bank)
diff --git a/arch/arm/cpu/mmu_64.h b/arch/arm/cpu/mmu_64.h
index a2a5477569..9bbb62fc6b 100644
--- a/arch/arm/cpu/mmu_64.h
+++ b/arch/arm/cpu/mmu_64.h
@@ -8,6 +8,23 @@
 			 PTE_BLOCK_OUTER_SHARE | \
 			 PTE_BLOCK_AF)
 
+static inline unsigned long attrs_uncached_mem(void)
+{
+	unsigned long attrs = UNCACHED_MEM;
+
+	switch (current_el()) {
+	case 3:
+	case 2:
+		attrs |= PTE_BLOCK_UXN;
+		break;
+	default:
+		attrs |= PTE_BLOCK_UXN | PTE_BLOCK_PXN;
+		break;
+	}
+
+	return attrs;
+}
+
 /*
  * Do it the simple way for now and invalidate the entire tlb
  */
-- 
cgit v1.2.3