Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3292379imm;
        Fri, 19 Oct 2018 08:15:57 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60aEBr91ChFgD3AGpP8cIj3prEz9WnzLAuN8V8gMrWmhQFZf7ccdgcstGovC4zFv6xYShcc
X-Received: by 2002:a63:c508:: with SMTP id f8-v6mr33145444pgd.412.1539962157020;
        Fri, 19 Oct 2018 08:15:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539962156; cv=none;
        d=google.com; s=arc-20160816;
        b=Se4Nzt0hqr+nw93waWT1ECLb8vuRtwTo9f0NV04xIQv9h2IoCcG+fq4EzfRbhXLEAC
         Je1x2uuFP4jAlbcLfMu1nzfa+qtI3xao8zKZa3NAV73OPYgZAEO0KUhczTMQ6jt7ABd5
         HAQdfTUpD2u0pidAjaZlAE5A6TbCmrbfRxAB+302sMQl+bep1adiFrBLRgtHIwes6CDe
         bmGO1tm4SoFoYkr4kJ62eHiJEQlBtrr9FbomUYL2qEKe2pyITBHCJqCuEfOkk7IFHQY/
         U83xRr+/Z1HxErwIIhxSiY5Q0ICimtrz0OSsWHEX8VvYArQvP5de5jf/px6nhs6J0xHX
         C9lw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:date:cc:to:subject:from:message-id;
        bh=dM0+a0zwvlgqUmeoZcB6HrfmOkZLHS742m3F9Ark+go=;
        b=TB5lEkmDBrG8YF6xwnvoUv5BOFoBX4Gur1JKspciaw8RafuGimXYq2hq82+dHpvTb3
         k0MBVn/tqbnXs+U806o4nZjS8JJh6V9XejXH4/1jdW3IEw0qI2es+JAxS1aJ5LBXFqW2
         p7otxdeHtIUyQgzncz6/xntv8D+kXGaNOOSzGfld6xR+UVILB2bVBnYNSfuE/UxSL/g8
         9QlDtwGhqzAAsjBjmHDDS1i4znmUrdIQGpl/McyIz+a6bbciPOZp/8kmQ+lPgHPCibZM
         QzMBpz6TusiOKeV3u5f3mI9BqEjDfog30/Rdjwmk9ZY7JsVL/YODaMyYwypsSZKZzFnC
         JB6g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id bc11-v6si24626966plb.120.2018.10.19.08.15.41;
        Fri, 19 Oct 2018 08:15:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727129AbeJSXV2 (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Fri, 19 Oct 2018 19:21:28 -0400
Received: from pegase1.c-s.fr ([93.17.236.30]:11991 "EHLO pegase1.c-s.fr"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726663AbeJSXV2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Oct 2018 19:21:28 -0400
Received: from localhost (mailhub1-int [192.168.12.234])
        by localhost (Postfix) with ESMTP id 42c8bg0gMsz9ttS0;
        Fri, 19 Oct 2018 17:14:55 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at c-s.fr
Received: from pegase1.c-s.fr ([192.168.12.234])
        by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024)
        with ESMTP id 5yksk3zlssSd; Fri, 19 Oct 2018 17:14:55 +0200 (CEST)
Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])
        by pegase1.c-s.fr (Postfix) with ESMTP id 42c8bf6rrWz9ttRV;
        Fri, 19 Oct 2018 17:14:54 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id D382B8B93C;
        Fri, 19 Oct 2018 17:14:54 +0200 (CEST)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from messagerie.si.c-s.fr ([127.0.0.1])
        by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023)
        with ESMTP id PDDxes12-UzN; Fri, 19 Oct 2018 17:14:54 +0200 (CEST)
Received: from pc13168vm.idsi0.si.c-s.fr (po15451.idsi0.si.c-s.fr [172.25.231.2])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id 9A7118B935;
        Fri, 19 Oct 2018 17:14:54 +0200 (CEST)
Received: by pc13168vm.idsi0.si.c-s.fr (Postfix, from userid 0)
        id 5FF53674CC; Fri, 19 Oct 2018 15:14:54 +0000 (UTC)
Message-Id: <336eb81e62d6c683a69d312f533899dcb6bcf770.1539959864.git.christophe.leroy@c-s.fr>
From:   Christophe Leroy <christophe.leroy@c-s.fr>
Subject: [RFC PATCH] mm: add probe_user_read() and probe_user_address()
To:     Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Michael Ellerman <mpe@ellerman.id.au>
Cc:     linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
        linux-mm@kvack.org
Date:   Fri, 19 Oct 2018 15:14:54 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In the powerpc, there are several places implementing safe
access to user data. This is sometimes implemented using
probe_kerne_address() with additional access_ok() verification,
sometimes with get_user() enclosed in a pagefault_disable()/enable()
pair, etc... :
    show_user_instructions()
    bad_stack_expansion()
    p9_hmi_special_emu()
    fsl_pci_mcheck_exception()
    read_user_stack_64()
    read_user_stack_32() on PPC64
    read_user_stack_32() on PPC32
    power_pmu_bhrb_to()

In the same spirit as probe_kernel_read() and probe_kernel_address(),
this patch adds probe_user_read() and probe_user_address().

probe_user_read() does the same as probe_kernel_read() but
first checks that it is really a user address.

probe_user_address() is a shortcut to probe_user_read()

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 include/linux/uaccess.h | 10 ++++++++++
 mm/maccess.c            | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index efe79c1cdd47..fb00e3f847d7 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -266,6 +266,16 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
 #define probe_kernel_address(addr, retval)		\
 	probe_kernel_read(&retval, addr, sizeof(retval))
 
+/**
+ * probe_user_address(): safely attempt to read from a user location
+ * @addr: address to read from
+ * @retval: read into this variable
+ *
+ * Returns 0 on success, or -EFAULT.
+ */
+#define probe_user_address(addr, retval)		\
+	probe_user_read(&(retval), addr, sizeof(retval))
+
 #ifndef user_access_begin
 #define user_access_begin() do { } while (0)
 #define user_access_end() do { } while (0)
diff --git a/mm/maccess.c b/mm/maccess.c
index ec00be51a24f..85d4a88a6917 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -67,6 +67,39 @@ long __probe_kernel_write(void *dst, const void *src, size_t size)
 EXPORT_SYMBOL_GPL(probe_kernel_write);
 
 /**
+ * probe_user_read(): safely attempt to read from a user location
+ * @dst: pointer to the buffer that shall take the data
+ * @src: address to read from
+ * @size: size of the data chunk
+ *
+ * Safely read from address @src to the buffer at @dst.  If a kernel fault
+ * happens, handle that and return -EFAULT.
+ *
+ * We ensure that the copy_from_user is executed in atomic context so that
+ * do_page_fault() doesn't attempt to take mmap_sem.  This makes
+ * probe_user_read() suitable for use within regions where the caller
+ * already holds mmap_sem, or other locks which nest inside mmap_sem.
+ */
+
+long __weak probe_user_read(void *dst, const void *src, size_t size)
+	__attribute__((alias("__probe_user_read")));
+
+long __probe_user_read(void *dst, const void __user *src, size_t size)
+{
+	long ret;
+
+	if (!access_ok(VERIFY_READ, src, size))
+		return -EFAULT;
+
+	pagefault_disable();
+	ret = __copy_from_user_inatomic(dst, src, size);
+	pagefault_enable();
+
+	return ret ? -EFAULT : 0;
+}
+EXPORT_SYMBOL_GPL(probe_user_read);
+
+/**
  * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
  * @dst:   Destination address, in kernel space.  This buffer must be at
  *         least @count bytes long.
-- 
2.13.3