From patchwork Tue Jan  8 07:37:44 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christophe Leroy <christophe.leroy@c-s.fr>
X-Patchwork-Id: 10751517
Return-Path: <owner-linux-mm@kvack.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D5D88746
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Tue,  8 Jan 2019 07:37:50 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BE4CD28B6A
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Tue,  8 Jan 2019 07:37:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id AF20428B6D; Tue,  8 Jan 2019 07:37:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 224C228B6A
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Tue,  8 Jan 2019 07:37:50 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 412C08E0057; Tue,  8 Jan 2019 02:37:49 -0500 (EST)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 3980D8E0038; Tue,  8 Jan 2019 02:37:49 -0500 (EST)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 260518E0057; Tue,  8 Jan 2019 02:37:49 -0500 (EST)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com
 [209.85.208.70])
	by kanga.kvack.org (Postfix) with ESMTP id BF28E8E0038
	for <linux-mm@kvack.org>; Tue,  8 Jan 2019 02:37:48 -0500 (EST)
Received: by mail-ed1-f70.google.com with SMTP id c3so1277448eda.3
        for <linux-mm@kvack.org>; Mon, 07 Jan 2019 23:37:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-original-authentication-results:x-gm-message-state:message-id
         :from:subject:to:cc:date;
        bh=71fVuhWxbUQR+uEcikj7pdTuIQXdysyQ5jD1rDdN6uw=;
        b=HUi2uCPpGE7yVOP+BM2aO15gFmlloAOPi0J69q8N+pR3dHJjgucX9mTPefE88oZZeB
         DPXwgfgnKrua6EWexgXyJaTtMEa8vIW/UPIZVaz1SAJoTKl9yYpBklqtvMaUwdBzPfZP
         s7MAI7qjXEvsyxi7oOSPbsAJfRBD03ApPoaPcxXUqfeWsLeVNyQORVJqSI/k9cOk5N/Y
         f/Vq3yU9+oazZdGxwZcnROCmw0cttgtqQQNYwXuI8c4LuPEr+CxooQisNMHZbiJDkV4d
         zRWhmk+8XuoRBtId3uPNgJG7ZyJZQ5oliftrWSMxqpTxJxqXig4uWWA3LOLm1Q+x/RZV
         rnpQ==
X-Original-Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of christophe.leroy@c-s.fr designates
 93.17.236.30 as permitted sender) smtp.mailfrom=christophe.leroy@c-s.fr
X-Gm-Message-State: AJcUukfmUZ1efI4zbLmOzkjDIr+fztTOwy6sFup0du9/oQ5hrJcEJlED
	fq5YnTQbj5TTo5o+4GINq6dsCivROn61hnLAqyw/TpOWB7g/gI1HILIC1pI2P4UTE9xY7e/xddj
	kFYkQXOWLs15wMPVjMwpl3yjXE1gr3njJgcMRU3TKsKMXQoAGqaJe5/SzuTRZDP/Mbg==
X-Received: by 2002:a17:906:d0c6:: with SMTP id
 bq6-v6mr865744ejb.99.1546933068252;
        Mon, 07 Jan 2019 23:37:48 -0800 (PST)
X-Google-Smtp-Source: 
 ALg8bN6RjjBCLM8jRd+mp0O7xaOcj3j52pfHiQTWuZX5x0/Z9LRUb1y5+ThzqfwvSt4GO8dgIUYk
X-Received: by 2002:a17:906:d0c6:: with SMTP id
 bq6-v6mr865704ejb.99.1546933067244;
        Mon, 07 Jan 2019 23:37:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546933067; cv=none;
        d=google.com; s=arc-20160816;
        b=pIdCJkByKdG5EqIu0k6Y5rlmM3H7xzgglMVCe0KxRH/PaqNh2TTGbvlwiZubiVDPEV
         lzAJ8X1lTMqNq37ghs5GFX15y3IK68ZnJ0eG0p6j0y92StrSGNS7vhpFY+4o68BZmbAp
         nbPmwc6xYMQHdQFizf6GOCrcJ+LhFibg0tF75lY05Jwa0o8A1qswdsdefKv5Deufo8TG
         ECYcWxtpECkE3uF8Dfkt30cdaFcj+7gfkOdYwHYYC+goOrR1h3wChbD5HVBsHfHHanTF
         rTJ7UpKM6btjXCgmTnqtWJtJ0d7MIR1F9p/b6VhLgZHscXLUAOReF/gvz34DMaR/S3jk
         GKjg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=date:cc:to:subject:from:message-id;
        bh=71fVuhWxbUQR+uEcikj7pdTuIQXdysyQ5jD1rDdN6uw=;
        b=PZn+c42ayHixjyLmwZ0nwnRoj9RnM42DUf7C3HX8pE6M8hWR8F20Dp3cci8f/pXVgr
         oLXI2XCHvZ4S+7zYqmuI9AvedlTSKUcdqJycj/OqQMUYyHd5ZpHAoiqUrM8YtLXg46Dr
         jPFd9jRko2/2d7RGhqXyLFDG4sjB9Jz3F+nTquFHi64uPqvxECXoGXdJr+pMe1T3D0C+
         DxNlNYnbVpeuf+A6ZCu/jLDZoKJ67I3oRsGgUjVHrbPYi9T+gmKZmeBIuVCYMYOitIzd
         65Is2A1vHP9SRLZcmGKtwkPsaaOnuhwk0URKq8T3UqVLfdf3BUy5iW01z/SBYmPfZafu
         VKmQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of christophe.leroy@c-s.fr designates
 93.17.236.30 as permitted sender) smtp.mailfrom=christophe.leroy@c-s.fr
Received: from pegase1.c-s.fr (pegase1.c-s.fr. [93.17.236.30])
        by mx.google.com with ESMTPS id
 gi9-v6si4786273ejb.236.2019.01.07.23.37.46
        for <linux-mm@kvack.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 07 Jan 2019 23:37:47 -0800 (PST)
Received-SPF: pass (google.com: domain of christophe.leroy@c-s.fr designates
 93.17.236.30 as permitted sender) client-ip=93.17.236.30;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of christophe.leroy@c-s.fr designates
 93.17.236.30 as permitted sender) smtp.mailfrom=christophe.leroy@c-s.fr
Received: from localhost (mailhub1-int [192.168.12.234])
	by localhost (Postfix) with ESMTP id 43Ykcn4BkMz9txMg;
	Tue,  8 Jan 2019 08:37:45 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at c-s.fr
Received: from pegase1.c-s.fr ([192.168.12.234])
	by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024)
	with ESMTP id kvvQgho76Xec; Tue,  8 Jan 2019 08:37:45 +0100 (CET)
Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])
	by pegase1.c-s.fr (Postfix) with ESMTP id 43Ykcn3f97z9txMf;
	Tue,  8 Jan 2019 08:37:45 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by messagerie.si.c-s.fr (Postfix) with ESMTP id 688678B794;
	Tue,  8 Jan 2019 08:37:46 +0100 (CET)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from messagerie.si.c-s.fr ([127.0.0.1])
	by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023)
	with ESMTP id SbDgLRF0y1hn; Tue,  8 Jan 2019 08:37:46 +0100 (CET)
Received: from po16846vm.idsi0.si.c-s.fr (unknown [192.168.4.90])
	by messagerie.si.c-s.fr (Postfix) with ESMTP id 3311B8B754;
	Tue,  8 Jan 2019 08:37:46 +0100 (CET)
Received: by localhost.localdomain (Postfix, from userid 0)
	id 5FE5F69A7C; Tue,  8 Jan 2019 07:37:44 +0000 (UTC)
Message-Id: 
 <0b0db24e18063076e9d9f4e376994af83da05456.1546932949.git.christophe.leroy@c-s.fr>
From: Christophe Leroy <christophe.leroy@c-s.fr>
Subject: [PATCH v2 1/2] mm: add probe_user_read()
To: Kees Cook <keescook@chromium.org>,
 Andrew Morton <akpm@linux-foundation.org>,
 Benjamin Herrenschmidt <benh@kernel.crashing.org>,
 Paul Mackerras <paulus@samba.org>, Michael Ellerman <mpe@ellerman.id.au>,
 Mike Rapoport <rppt@linux.ibm.com>
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
 linux-mm@kvack.org
Date: Tue,  8 Jan 2019 07:37:44 +0000 (UTC)
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
X-Virus-Scanned: ClamAV using ClamSMTP

In powerpc code, there are several places implementing safe
access to user data. This is sometimes implemented using
probe_kernel_address() with additional access_ok() verification,
sometimes with get_user() enclosed in a pagefault_disable()/enable()
pair, etc. :
    show_user_instructions()
    bad_stack_expansion()
    p9_hmi_special_emu()
    fsl_pci_mcheck_exception()
    read_user_stack_64()
    read_user_stack_32() on PPC64
    read_user_stack_32() on PPC32
    power_pmu_bhrb_to()

In the same spirit as probe_kernel_read(), this patch adds
probe_user_read().

probe_user_read() does the same as probe_kernel_read() but
first checks that it is really a user address.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 v2: Added "Returns:" comment and removed probe_user_address()

 Changes since RFC: Made a static inline function instead of weak function as recommended by Kees.

 include/linux/uaccess.h | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index 37b226e8df13..07f4f0ed69bc 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -263,6 +263,40 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
 #define probe_kernel_address(addr, retval)		\
 	probe_kernel_read(&retval, addr, sizeof(retval))
 
+/**
+ * probe_user_read(): safely attempt to read from a user location
+ * @dst: pointer to the buffer that shall take the data
+ * @src: address to read from
+ * @size: size of the data chunk
+ *
+ * Returns: 0 on success, -EFAULT on error.
+ *
+ * Safely read from address @src to the buffer at @dst.  If a kernel fault
+ * happens, handle that and return -EFAULT.
+ *
+ * We ensure that the copy_from_user is executed in atomic context so that
+ * do_page_fault() doesn't attempt to take mmap_sem.  This makes
+ * probe_user_read() suitable for use within regions where the caller
+ * already holds mmap_sem, or other locks which nest inside mmap_sem.
+ */
+
+#ifndef probe_user_read
+static __always_inline long probe_user_read(void *dst, const void __user *src,
+					    size_t size)
+{
+	long ret;
+
+	if (!access_ok(src, size))
+		return -EFAULT;
+
+	pagefault_disable();
+	ret = __copy_from_user_inatomic(dst, src, size);
+	pagefault_enable();
+
+	return ret ? -EFAULT : 0;
+}
+#endif
+
 #ifndef user_access_begin
 #define user_access_begin(ptr,len) access_ok(ptr, len)
 #define user_access_end() do { } while (0)