Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp7198217imu;
        Mon, 3 Dec 2018 09:08:08 -0800 (PST)
X-Google-Smtp-Source: AFSGD/V4hfenEEpf7QqZeugpxVIkKJXbMZPLvFX158KXRFr7aXquYSkK7aR8l0QGFJIOWN/A5izr
X-Received: by 2002:a17:902:a6:: with SMTP id a35mr16631772pla.201.1543856888410;
        Mon, 03 Dec 2018 09:08:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543856888; cv=none;
        d=google.com; s=arc-20160816;
        b=yqoYGu/VOl1cAaM9mJoIBkXhRtwatHGHyiKpnHbuKJuT7suzQBN8gpPfqXMHpV2+Zz
         /C+ItZr2X8Li6mhGsp/RvyUdA9AtNuztypiTn3xUl8KR4TkKsdTrWCzjoWBQ7f/8C6Gb
         wKmxrvW3W6yjQUBra96wCyfUXDRxpUQCwrslnvr2DXGQvEBcvsYbUB4GiWIK+LpD5Yod
         0Mi17f4TureSgC5zAaVaG5TBXL6tivz1Tf637HTv+ovNtWKtRBqtowm+ncHUBmyMCU2m
         O2vXA+hOelao++3kGRXh94yoTXvuDBbQW4FCd3vfB4tuZneKlgAYcyRZYvxBLCnYBWt9
         V8Uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:date:cc:to:subject:from:message-id;
        bh=f6E/TiWEYMLxyLhMFHwh9hK9B/RVSByGvDVXegjlwLM=;
        b=t+rmggmnOaJBrDM+BKyA2umWzlao5TUzV2HNaj3lbmvdBnceD4amXdcldZabtAqx0g
         5Sck0pWAQIX9igL9b/yFuUXOoLpqjgki51ScIT9uwBO5vHddTqoblngv3yEsGRwXNQZr
         M/01WnooEqcYX1mdITeqatVyA5AvA2dLkQoKwHd4S4eN2E2INMrrBqOt2Tui3fi1zZlT
         1C4GXZ6u0Ucy4Fzkkt4jDRY7ruZHZCkrcdThnlS7orfYa+0qANY1OG6RB42n/YHDk+tx
         hTKYUBKRB/+1xknPEnJOp0RWW9Yac61lP4i5YrMttKy5TMq/0QfNL1+jlwUyJ5/FhYPO
         +ucw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h16si12716841pgh.283.2018.12.03.09.07.40;
        Mon, 03 Dec 2018 09:08:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726845AbeLCRGt (ORCPT <rfc822;vladislav.valtchev@gmail.com>
        + 99 others); Mon, 3 Dec 2018 12:06:49 -0500
Received: from pegase1.c-s.fr ([93.17.236.30]:26461 "EHLO pegase1.c-s.fr"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726637AbeLCRGt (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 Dec 2018 12:06:49 -0500
Received: from localhost (mailhub1-int [192.168.12.234])
        by localhost (Postfix) with ESMTP id 437rxr4Hkpz9tyyG;
        Mon,  3 Dec 2018 18:06:40 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at c-s.fr
Received: from pegase1.c-s.fr ([192.168.12.234])
        by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024)
        with ESMTP id SWiAnz58A0pf; Mon,  3 Dec 2018 18:06:40 +0100 (CET)
Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])
        by pegase1.c-s.fr (Postfix) with ESMTP id 437rxr3f1rz9tyyF;
        Mon,  3 Dec 2018 18:06:40 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id C54FA8B7B8;
        Mon,  3 Dec 2018 18:06:43 +0100 (CET)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from messagerie.si.c-s.fr ([127.0.0.1])
        by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023)
        with ESMTP id kV2y1tG9fbml; Mon,  3 Dec 2018 18:06:43 +0100 (CET)
Received: from po14163vm.idsi0.si.c-s.fr (unknown [192.168.232.3])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id 6704A8B79E;
        Mon,  3 Dec 2018 18:06:43 +0100 (CET)
Received: by po14163vm.idsi0.si.c-s.fr (Postfix, from userid 0)
        id 0508F6BEF5; Mon,  3 Dec 2018 17:06:42 +0000 (UTC)
Message-Id: <dd9ef91add7fcf5a9e369dde322b1822e90eb218.1543811917.git.christophe.leroy@c-s.fr>
From:   Christophe Leroy <christophe.leroy@c-s.fr>
Subject: [PATCH 1/2] mm: add probe_user_read() and probe_user_address()
To:     Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Benjamin Herrenschmidt <benh@kernel.crashing.org>,
        Paul Mackerras <paulus@samba.org>,
        Michael Ellerman <mpe@ellerman.id.au>
Cc:     linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
        linux-mm@kvack.org
Date:   Mon,  3 Dec 2018 17:06:42 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In the powerpc, there are several places implementing safe
access to user data. This is sometimes implemented using
probe_kernel_address() with additional access_ok() verification,
sometimes with get_user() enclosed in a pagefault_disable()/enable()
pair, etc... :
    show_user_instructions()
    bad_stack_expansion()
    p9_hmi_special_emu()
    fsl_pci_mcheck_exception()
    read_user_stack_64()
    read_user_stack_32() on PPC64
    read_user_stack_32() on PPC32
    power_pmu_bhrb_to()

In the same spirit as probe_kernel_read() and probe_kernel_address(),
this patch adds probe_user_read() and probe_user_address().

probe_user_read() does the same as probe_kernel_read() but
first checks that it is really a user address.

probe_user_address() is a shortcut to probe_user_read()

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 Changes since RFC: Made a static inline function instead of weak function as recommended by Kees.

 include/linux/uaccess.h | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index efe79c1cdd47..83ea8aefca75 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -266,6 +266,48 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
 #define probe_kernel_address(addr, retval)		\
 	probe_kernel_read(&retval, addr, sizeof(retval))
 
+/**
+ * probe_user_read(): safely attempt to read from a user location
+ * @dst: pointer to the buffer that shall take the data
+ * @src: address to read from
+ * @size: size of the data chunk
+ *
+ * Safely read from address @src to the buffer at @dst.  If a kernel fault
+ * happens, handle that and return -EFAULT.
+ *
+ * We ensure that the copy_from_user is executed in atomic context so that
+ * do_page_fault() doesn't attempt to take mmap_sem.  This makes
+ * probe_user_read() suitable for use within regions where the caller
+ * already holds mmap_sem, or other locks which nest inside mmap_sem.
+ */
+
+#ifndef probe_user_read
+static __always_inline long probe_user_read(void *dst, const void __user *src,
+					    size_t size)
+{
+	long ret;
+
+	if (!access_ok(VERIFY_READ, src, size))
+		return -EFAULT;
+
+	pagefault_disable();
+	ret = __copy_from_user_inatomic(dst, src, size);
+	pagefault_enable();
+
+	return ret ? -EFAULT : 0;
+}
+#endif
+
+/**
+ * probe_user_address(): safely attempt to read from a user location
+ * @addr: address to read from
+ * @retval: read into this variable
+ *
+ * Returns 0 on success, or -EFAULT.
+ */
+#define probe_user_address(addr, retval)		\
+	probe_user_read(&(retval), addr, sizeof(retval))
+
 #ifndef user_access_begin
 #define user_access_begin() do { } while (0)
 #define user_access_end() do { } while (0)
-- 
2.13.3