[kernel][vm][arm64] Disallow executable + uncached mappings

This doesn't seem sensible and the related executable-gated code assumes
cached (which was tickled in a recent bug where MMIO was wrongly marked
as executable).

Change-Id: Ia90361c14b448e4adca8cb7ab3e50c906600e182
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/1279924
Fuchsia-Auto-Submit: Joshua Seaton <[email protected]>
Commit-Queue: Auto-Submit <auto-submit-builder@fuchsia-internal-service-accts.iam.gserviceaccount.com>
Reviewed-by: Adrian Danis <[email protected]>

Author: joshuaseaton

zircon/kernel/arch/arm64/mmu.cc

@@ -1455,6 +1455,9 @@ zx_status_t ArmArchVmAspace::MapContiguous(vaddr_t vaddr, paddr_t paddr, size_t
   if (!(mmu_flags & ARCH_MMU_FLAG_PERM_READ)) {
     return ZX_ERR_INVALID_ARGS;
   }
+  if ((mmu_flags & ARCH_MMU_FLAG_PERM_EXECUTE) && arch_mmu_flags_uncached(mmu_flags)) {
+    return ZX_ERR_INVALID_ARGS;
+  }
 
   // paddr and vaddr must be aligned.
   DEBUG_ASSERT(IS_PAGE_ALIGNED(vaddr));
@@ -1543,6 +1546,9 @@ zx_status_t ArmArchVmAspace::Map(vaddr_t vaddr, paddr_t* phys, size_t count, uin
   if (!(mmu_flags & ARCH_MMU_FLAG_PERM_READ)) {
     return ZX_ERR_INVALID_ARGS;
   }
+  if ((mmu_flags & ARCH_MMU_FLAG_PERM_EXECUTE) && arch_mmu_flags_uncached(mmu_flags)) {
+    return ZX_ERR_INVALID_ARGS;
+  }
 
   // vaddr must be aligned.
   DEBUG_ASSERT(IS_PAGE_ALIGNED(vaddr));
@@ -1664,6 +1670,9 @@ zx_status_t ArmArchVmAspace::Protect(vaddr_t vaddr, size_t count, uint mmu_flags
   if (!(mmu_flags & ARCH_MMU_FLAG_PERM_READ)) {
     return ZX_ERR_INVALID_ARGS;
   }
+  if ((mmu_flags & ARCH_MMU_FLAG_PERM_EXECUTE) && arch_mmu_flags_uncached(mmu_flags)) {
+    return ZX_ERR_INVALID_ARGS;
+  }
 
   // The stage 2 data and instructions aborts do not contain sufficient information for us to
   // resolve permission faults, and these kinds of faults generate a hard error. As such we cannot

zircon/kernel/vm/include/vm/arch_vm_aspace.h

@@ -34,6 +34,10 @@ const uint ARCH_MMU_FLAG_INVALID = (1u << 7);  // Indicates that flags are not s
 const uint ARCH_ASPACE_FLAG_KERNEL = (1u << 0);
 const uint ARCH_ASPACE_FLAG_GUEST = (1u << 1);
 
+constexpr bool arch_mmu_flags_uncached(uint mmu_flags) {
+  return (mmu_flags & (ARCH_MMU_FLAG_UNCACHED | ARCH_MMU_FLAG_UNCACHED_DEVICE)) != 0;
+}
+
 // per arch base class api to encapsulate the mmu routines on an aspace
 //
 // Beyond construction/destruction lifetimes users of this object must ensure that none of the

zircon/kernel/vm/vm.cc

@@ -65,7 +65,7 @@ constexpr uint32_t ToVmarFlags(PhysMapping::Permissions perms) {
 }
 
 constexpr uint ToArchMmuFlags(PhysMapping::Permissions perms) {
-  uint flags = 0;
+  uint flags = ARCH_MMU_FLAG_CACHED;
   if (perms.readable()) {
     flags |= ARCH_MMU_FLAG_PERM_READ;
   }