Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4438764imu;
        Mon, 7 Jan 2019 23:39:11 -0800 (PST)
X-Google-Smtp-Source: ALg8bN4qXYGBmDpy1I3MyTKB9TKn7zhltfw+KsKruKBHODWUVtbkv0A2fbpDFS/lXxZVWo0ktt/7
X-Received: by 2002:a63:62c4:: with SMTP id w187mr560732pgb.230.1546933151738;
        Mon, 07 Jan 2019 23:39:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546933151; cv=none;
        d=google.com; s=arc-20160816;
        b=F9rereQsUsjeBNf/kAOWltY3fm0FX3hM3WPsQOPwjpCQJlm6DqNXrDrZpPqixviMZu
         awGH+zaM3XQyHQy00wfCFQ5aKd8SdPZR8htdRYa4HB3CRk+HCypG/HKi08HJMw9+vwcY
         nkTRXVRcmaCd/fWtBbrYk7B7aGWtEvYM2DzBqs/QcgmgaDyd0hbGIsgoee0ro8wLkj2a
         I8Ck4D5CBhIbr7NbVgsoCDofrfm2OW13510oYjlYthbonoxvT/acTG8DPq5EC6aXOke/
         d97a8LS7RXFUsPW9EJuDJqZCv9y+u7vKGSZOP23uBFcUQFE6DQSCtYTZewazO21Mcb6U
         jKwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:date:cc:to:subject:from:message-id;
        bh=71fVuhWxbUQR+uEcikj7pdTuIQXdysyQ5jD1rDdN6uw=;
        b=pKrJK32B14T6uddeQ/uMlegPbYn0cV9x7AK84ojusaLZIyJF78SaJwfk/9UoHMTEmV
         HyESP8fxXrOPQEUbiLtB3U7dCjyGeXH5SPM+8ET97Pb4SPEES3qaCu+xH6G91nXRbtBv
         3ukoJCxI7GwoJdnrtMpmgYLx6g5hjNuesCYabaBe8C7TjAgKuYGehO4Amp4vg4K3MLbz
         f+ya6nTxINuwYICVKWvdjSn0M1KEU8bDTcXI9/Fax0RA6dRRQxhUcFWTPWgGNAPcWy9u
         UjcsuSx7VtQfB4uTULxh0GNnCt2D8NP6XAVcBRm3dAjVpjAwIJ+rjDJgA0P4Mky1o2Qx
         4SKg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v21si8752376plo.417.2019.01.07.23.38.54;
        Mon, 07 Jan 2019 23:39:11 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727710AbfAHHhs (ORCPT <rfc822;parkch98@gmail.com> + 99 others);
        Tue, 8 Jan 2019 02:37:48 -0500
Received: from pegase1.c-s.fr ([93.17.236.30]:11671 "EHLO pegase1.c-s.fr"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727368AbfAHHhs (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 Jan 2019 02:37:48 -0500
Received: from localhost (mailhub1-int [192.168.12.234])
        by localhost (Postfix) with ESMTP id 43Ykcn4BkMz9txMg;
        Tue,  8 Jan 2019 08:37:45 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at c-s.fr
Received: from pegase1.c-s.fr ([192.168.12.234])
        by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024)
        with ESMTP id kvvQgho76Xec; Tue,  8 Jan 2019 08:37:45 +0100 (CET)
Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])
        by pegase1.c-s.fr (Postfix) with ESMTP id 43Ykcn3f97z9txMf;
        Tue,  8 Jan 2019 08:37:45 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id 688678B794;
        Tue,  8 Jan 2019 08:37:46 +0100 (CET)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from messagerie.si.c-s.fr ([127.0.0.1])
        by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023)
        with ESMTP id SbDgLRF0y1hn; Tue,  8 Jan 2019 08:37:46 +0100 (CET)
Received: from po16846vm.idsi0.si.c-s.fr (unknown [192.168.4.90])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id 3311B8B754;
        Tue,  8 Jan 2019 08:37:46 +0100 (CET)
Received: by localhost.localdomain (Postfix, from userid 0)
        id 5FE5F69A7C; Tue,  8 Jan 2019 07:37:44 +0000 (UTC)
Message-Id: <0b0db24e18063076e9d9f4e376994af83da05456.1546932949.git.christophe.leroy@c-s.fr>
From:   Christophe Leroy <christophe.leroy@c-s.fr>
Subject: [PATCH v2 1/2] mm: add probe_user_read()
To:     Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Benjamin Herrenschmidt <benh@kernel.crashing.org>,
        Paul Mackerras <paulus@samba.org>,
        Michael Ellerman <mpe@ellerman.id.au>,
        Mike Rapoport <rppt@linux.ibm.com>
Cc:     linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
        linux-mm@kvack.org
Date:   Tue,  8 Jan 2019 07:37:44 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In powerpc code, there are several places implementing safe
access to user data. This is sometimes implemented using
probe_kernel_address() with additional access_ok() verification,
sometimes with get_user() enclosed in a pagefault_disable()/enable()
pair, etc. :
    show_user_instructions()
    bad_stack_expansion()
    p9_hmi_special_emu()
    fsl_pci_mcheck_exception()
    read_user_stack_64()
    read_user_stack_32() on PPC64
    read_user_stack_32() on PPC32
    power_pmu_bhrb_to()

In the same spirit as probe_kernel_read(), this patch adds
probe_user_read().

probe_user_read() does the same as probe_kernel_read() but
first checks that it is really a user address.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 v2: Added "Returns:" comment and removed probe_user_address()

 Changes since RFC: Made a static inline function instead of weak function as recommended by Kees.

 include/linux/uaccess.h | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index 37b226e8df13..07f4f0ed69bc 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -263,6 +263,40 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
 #define probe_kernel_address(addr, retval)		\
 	probe_kernel_read(&retval, addr, sizeof(retval))
 
+/**
+ * probe_user_read(): safely attempt to read from a user location
+ * @dst: pointer to the buffer that shall take the data
+ * @src: address to read from
+ * @size: size of the data chunk
+ *
+ * Returns: 0 on success, -EFAULT on error.
+ *
+ * Safely read from address @src to the buffer at @dst.  If a kernel fault
+ * happens, handle that and return -EFAULT.
+ *
+ * We ensure that the copy_from_user is executed in atomic context so that
+ * do_page_fault() doesn't attempt to take mmap_sem.  This makes
+ * probe_user_read() suitable for use within regions where the caller
+ * already holds mmap_sem, or other locks which nest inside mmap_sem.
+ */
+
+#ifndef probe_user_read
+static __always_inline long probe_user_read(void *dst, const void __user *src,
+					    size_t size)
+{
+	long ret;
+
+	if (!access_ok(src, size))
+		return -EFAULT;
+
+	pagefault_disable();
+	ret = __copy_from_user_inatomic(dst, src, size);
+	pagefault_enable();
+
+	return ret ? -EFAULT : 0;
+}
+#endif
+
 #ifndef user_access_begin
 #define user_access_begin(ptr,len) access_ok(ptr, len)
 #define user_access_end() do { } while (0)
-- 
2.13.3