28 files changed, 555 insertions, 22 deletions
diff --git a/arch/Kconfig b/arch/Kconfig
index bd8056b5b246..e9c9334507dd 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -461,6 +461,15 @@ config CC_STACKPROTECTOR_STRONG
 endchoice
+config HAVE_ARCH_WITHIN_STACK_FRAMES
+        bool
+        help
+          An architecture should select this if it can walk the kernel stack
+          frames to determine if an object is part of either the arguments
+          or local variables (i.e. that it excludes saved return addresses,
+          and similar) by implementing an inline arch_within_stack_frames(),
+          which is used by CONFIG_HARDENED_USERCOPY.
 config HAVE_CONTEXT_TRACKING
        bool
        help
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 2d601d769a1c..a9c4e48bb7ec 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -35,6 +35,7 @@ config ARM
        select HARDIRQS_SW_RESEND
        select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
        select HAVE_ARCH_BITREVERSE if (CPU_32v7M || CPU_32v7) && !CPU_32v6
+        select HAVE_ARCH_HARDENED_USERCOPY
        select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL && !CPU_ENDIAN_BE32 && MMU
        select HAVE_ARCH_KGDB if !CPU_ENDIAN_BE32 && MMU
        select HAVE_ARCH_MMAP_RND_BITS if MMU
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index 62a6f65029e6..a93c0f99acf7 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -480,7 +480,10 @@ arm_copy_from_user(void *to, const void __user *from, unsigned long n);
 static inline unsigned long __must_check
 __copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-        unsigned int __ua_flags = uaccess_save_and_enable();
+        unsigned int __ua_flags;
+        check_object_size(to, n, false);
+        __ua_flags = uaccess_save_and_enable();
        n = arm_copy_from_user(to, from, n);
        uaccess_restore(__ua_flags);
        return n;
@@ -495,11 +498,15 @@ static inline unsigned long __must_check
 __copy_to_user(void __user *to, const void *from, unsigned long n)
 {
 #ifndef CONFIG_UACCESS_WITH_MEMCPY
-        unsigned int __ua_flags = uaccess_save_and_enable();
+        unsigned int __ua_flags;
+        check_object_size(from, n, true);
+        __ua_flags = uaccess_save_and_enable();
        n = arm_copy_to_user(to, from, n);
        uaccess_restore(__ua_flags);
        return n;
 #else
+        check_object_size(from, n, true);
        return arm_copy_to_user(to, from, n);
 #endif
 }
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 69c8787bec7d..bc3f00f586f1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -54,6 +54,7 @@ config ARM64
        select HAVE_ALIGNED_STRUCT_PAGE if SLUB
        select HAVE_ARCH_AUDITSYSCALL
        select HAVE_ARCH_BITREVERSE
+        select HAVE_ARCH_HARDENED_USERCOPY
        select HAVE_ARCH_HUGE_VMAP
        select HAVE_ARCH_JUMP_LABEL
        select HAVE_ARCH_KASAN if SPARSEMEM_VMEMMAP && !(ARM64_16K_PAGES && ARM64_VA_BITS_48)
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index 5e834d10b291..c47257c91b77 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -265,22 +265,25 @@ extern unsigned long __must_check __clear_user(void __user *addr, unsigned long
 static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
 {
        kasan_check_write(to, n);
-        return  __arch_copy_from_user(to, from, n);
+        check_object_size(to, n, false);
+        return __arch_copy_from_user(to, from, n);
 }
 static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
 {
        kasan_check_read(from, n);
-        return  __arch_copy_to_user(to, from, n);
+        check_object_size(from, n, true);
+        return __arch_copy_to_user(to, from, n);
 }
 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
 {
        kasan_check_write(to, n);
-        if (access_ok(VERIFY_READ, from, n))
+        if (access_ok(VERIFY_READ, from, n)) {
+                check_object_size(to, n, false);
                n = __arch_copy_from_user(to, from, n);
-        else /* security hole - plug it */
+        } else /* security hole - plug it */
                memset(to, 0, n);
        return n;
 }
@@ -289,8 +292,10 @@ static inline unsigned long __must_check copy_to_user(void __user *to, const voi
 {
        kasan_check_read(from, n);
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(VERIFY_WRITE, to, n)) {
+                check_object_size(from, n, true);
                n = __arch_copy_to_user(to, from, n);
+        }
        return n;
 }
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 6a15083cc366..18ca6a9ce566 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -52,6 +52,7 @@ config IA64
        select MODULES_USE_ELF_RELA
        select ARCH_USE_CMPXCHG_LOCKREF
        select HAVE_ARCH_AUDITSYSCALL
+        select HAVE_ARCH_HARDENED_USERCOPY
        default y
        help
          The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
index 2189d5ddc1ee..465c70982f40 100644
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -241,12 +241,18 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
 static inline unsigned long
 __copy_to_user (void __user *to, const void *from, unsigned long count)
 {
+        if (!__builtin_constant_p(count))
+                check_object_size(from, count, true);
        return __copy_user(to, (__force void __user *) from, count);
 }
 static inline unsigned long
 __copy_from_user (void *to, const void __user *from, unsigned long count)
 {
+        if (!__builtin_constant_p(count))
+                check_object_size(to, count, false);
        return __copy_user((__force void __user *) to, from, count);
 }
@@ -258,8 +264,11 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
        const void *__cu_from = (from);                                                 \
        long __cu_len = (n);                                                            \
                                                                                        \
-        if (__access_ok(__cu_to, __cu_len, get_fs()))                                   \
+        if (__access_ok(__cu_to, __cu_len, get_fs())) {                                 \
-                __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len);   \
+                if (!__builtin_constant_p(n))                                           \
+                        check_object_size(__cu_from, __cu_len, true);                   \
+                __cu_len = __copy_user(__cu_to, (__force void __user *)  __cu_from, __cu_len);  \
+        }                                                                               \
        __cu_len;                                                                       \
 })
@@ -270,8 +279,11 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
        long __cu_len = (n);                                                            \
                                                                                        \
        __chk_user_ptr(__cu_from);                                                      \
-        if (__access_ok(__cu_from, __cu_len, get_fs()))                                 \
+        if (__access_ok(__cu_from, __cu_len, get_fs())) {                               \
+                if (!__builtin_constant_p(n))                                           \
+                        check_object_size(__cu_to, __cu_len, false);                    \
                __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);   \
+        }                                                                               \
        __cu_len;                                                                       \
 })
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index ec4047e170a0..927d2ab2ce08 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -166,6 +166,7 @@ config PPC
        select HAVE_LIVEPATCH if HAVE_DYNAMIC_FTRACE_WITH_REGS
        select GENERIC_CPU_AUTOPROBE
        select HAVE_VIRT_CPU_ACCOUNTING
+        select HAVE_ARCH_HARDENED_USERCOPY
 config GENERIC_CSUM
        def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index b7c20f0b8fbe..c1dc6c14deb8 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -310,10 +310,15 @@ static inline unsigned long copy_from_user(void *to,
 {
        unsigned long over;
-        if (access_ok(VERIFY_READ, from, n))
+        if (access_ok(VERIFY_READ, from, n)) {
+                if (!__builtin_constant_p(n))
+                        check_object_size(to, n, false);
                return __copy_tofrom_user((__force void __user *)to, from, n);
+        }
        if ((unsigned long)from < TASK_SIZE) {
                over = (unsigned long)from + n - TASK_SIZE;
+                if (!__builtin_constant_p(n - over))
+                        check_object_size(to, n - over, false);
                return __copy_tofrom_user((__force void __user *)to, from,
                                n - over) + over;
        }
@@ -325,10 +330,15 @@ static inline unsigned long copy_to_user(void __user *to,
 {
        unsigned long over;
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(VERIFY_WRITE, to, n)) {
+                if (!__builtin_constant_p(n))
+                        check_object_size(from, n, true);
                return __copy_tofrom_user(to, (__force void __user *)from, n);
+        }
        if ((unsigned long)to < TASK_SIZE) {
                over = (unsigned long)to + n - TASK_SIZE;
+                if (!__builtin_constant_p(n))
+                        check_object_size(from, n - over, true);
                return __copy_tofrom_user(to, (__force void __user *)from,
                                n - over) + over;
        }
@@ -372,6 +382,10 @@ static inline unsigned long __copy_from_user_inatomic(void *to,
                if (ret == 0)
                        return 0;
        }
+        if (!__builtin_constant_p(n))
+                check_object_size(to, n, false);
        return __copy_tofrom_user((__force void __user *)to, from, n);
 }
@@ -398,6 +412,9 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to,
                if (ret == 0)
                        return 0;
        }
+        if (!__builtin_constant_p(n))
+                check_object_size(from, n, true);
        return __copy_tofrom_user(to, (__force const void __user *)from, n);
 }
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 9e607bf2d640..0e348781327b 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -123,6 +123,7 @@ config S390
        select HAVE_ALIGNED_STRUCT_PAGE if SLUB
        select HAVE_ARCH_AUDITSYSCALL
        select HAVE_ARCH_EARLY_PFN_TO_NID
+        select HAVE_ARCH_HARDENED_USERCOPY
        select HAVE_ARCH_JUMP_LABEL
        select CPU_NO_EFFICIENT_FFS if !HAVE_MARCH_Z9_109_FEATURES
        select HAVE_ARCH_SECCOMP_FILTER
diff --git a/arch/s390/lib/uaccess.c b/arch/s390/lib/uaccess.c
index d96596128e9f..f481fcde067b 100644
--- a/arch/s390/lib/uaccess.c
+++ b/arch/s390/lib/uaccess.c
@@ -104,6 +104,7 @@ static inline unsigned long copy_from_user_mvcp(void *x, const void __user *ptr,
 unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
 {
+        check_object_size(to, n, false);
        if (static_branch_likely(&have_mvcos))
                return copy_from_user_mvcos(to, from, n);
        return copy_from_user_mvcp(to, from, n);
@@ -177,6 +178,7 @@ static inline unsigned long copy_to_user_mvcs(void __user *ptr, const void *x,
 unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+        check_object_size(from, n, true);
        if (static_branch_likely(&have_mvcos))
                return copy_to_user_mvcos(to, from, n);
        return copy_to_user_mvcs(to, from, n);
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index 546293d9e6c5..59b09600dd32 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -43,6 +43,7 @@ config SPARC
        select OLD_SIGSUSPEND
        select ARCH_HAS_SG_CHAIN
        select CPU_NO_EFFICIENT_FFS
+        select HAVE_ARCH_HARDENED_USERCOPY
 config SPARC32
        def_bool !64BIT
diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
index 57aca2792d29..341a5a133f48 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -248,22 +248,28 @@ unsigned long __copy_user(void __user *to, const void __user *from, unsigned lon
 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
 {
-        if (n && __access_ok((unsigned long) to, n))
+        if (n && __access_ok((unsigned long) to, n)) {
+                if (!__builtin_constant_p(n))
+                        check_object_size(from, n, true);
                return __copy_user(to, (__force void __user *) from, n);
-        else
+        } else
                return n;
 }
 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+        if (!__builtin_constant_p(n))
+                check_object_size(from, n, true);
        return __copy_user(to, (__force void __user *) from, n);
 }
 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-        if (n && __access_ok((unsigned long) from, n))
+        if (n && __access_ok((unsigned long) from, n)) {
+                if (!__builtin_constant_p(n))
+                        check_object_size(to, n, false);
                return __copy_user((__force void __user *) to, from, n);
-        else
+        } else
                return n;
 }
diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
index e9a51d64974d..8bda94fab8e8 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -210,8 +210,12 @@ unsigned long copy_from_user_fixup(void *to, const void __user *from,
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long size)
 {
-        unsigned long ret = ___copy_from_user(to, from, size);
+        unsigned long ret;
+        if (!__builtin_constant_p(size))
+                check_object_size(to, size, false);
+        ret = ___copy_from_user(to, from, size);
        if (unlikely(ret))
                ret = copy_from_user_fixup(to, from, size);
@@ -227,8 +231,11 @@ unsigned long copy_to_user_fixup(void __user *to, const void *from,
 static inline unsigned long __must_check
 copy_to_user(void __user *to, const void *from, unsigned long size)
 {
-        unsigned long ret = ___copy_to_user(to, from, size);
+        unsigned long ret;
+        if (!__builtin_constant_p(size))
+                check_object_size(from, size, true);
+        ret = ___copy_to_user(to, from, size);
        if (unlikely(ret))
                ret = copy_to_user_fixup(to, from, size);
        return ret;
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5c6e7471b732..c580d8c33562 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -80,6 +80,7 @@ config X86
        select HAVE_ALIGNED_STRUCT_PAGE         if SLUB
        select HAVE_AOUT                        if X86_32
        select HAVE_ARCH_AUDITSYSCALL
+        select HAVE_ARCH_HARDENED_USERCOPY
        select HAVE_ARCH_HUGE_VMAP              if X86_64 || X86_PAE
        select HAVE_ARCH_JUMP_LABEL
        select HAVE_ARCH_KASAN                  if X86_64 && SPARSEMEM_VMEMMAP
@@ -91,6 +92,7 @@ config X86
        select HAVE_ARCH_SOFT_DIRTY             if X86_64
        select HAVE_ARCH_TRACEHOOK
        select HAVE_ARCH_TRANSPARENT_HUGEPAGE
+        select HAVE_ARCH_WITHIN_STACK_FRAMES
        select HAVE_EBPF_JIT                    if X86_64
        select HAVE_CC_STACKPROTECTOR
        select HAVE_CMPXCHG_DOUBLE
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index 84b59846154a..8b7c8d8e0852 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -176,6 +176,50 @@ static inline unsigned long current_stack_pointer(void)
        return sp;
 }
+/*
+ * Walks up the stack frames to make sure that the specified object is
+ * entirely contained by a single stack frame.
+ *
+ * Returns:
+ *               1 if within a frame
+ *              -1 if placed across a frame boundary (or outside stack)
+ *               0 unable to determine (no frame pointers, etc)
+ */
+static inline int arch_within_stack_frames(const void * const stack,
+                                           const void * const stackend,
+                                           const void *obj, unsigned long len)
+{
+#if defined(CONFIG_FRAME_POINTER)
+        const void *frame = NULL;
+        const void *oldframe;
+        oldframe = __builtin_frame_address(1);
+        if (oldframe)
+                frame = __builtin_frame_address(2);
+        /*
+         * low ----------------------------------------------> high
+         * [saved bp][saved ip][args][local vars][saved bp][saved ip]
+         *                     ^----------------^
+         *               allow copies only within here
+         */
+        while (stack <= frame && frame < stackend) {
+                /*
+                 * If obj + len extends past the last frame, this
+                 * check won't pass and the next frame will be 0,
+                 * causing us to bail out and correctly report
+                 * the copy as invalid.
+                 */
+                if (obj + len <= frame)
+                        return obj >= oldframe + 2 * sizeof(void *) ? 1 : -1;
+                oldframe = frame;
+                frame = *(const void * const *)frame;
+        }
+        return -1;
+#else
+        return 0;
+#endif
+}
 #else /* !__ASSEMBLY__ */
 #ifdef CONFIG_X86_64
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 52f230094c51..a0ae610b9280 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -761,9 +761,10 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
         * case, and do only runtime checking for non-constant sizes.
         */
-        if (likely(sz < 0 || sz >= n))
+        if (likely(sz < 0 || sz >= n)) {
+                check_object_size(to, n, false);
                n = _copy_from_user(to, from, n);
-        else if(__builtin_constant_p(n))
+        } else if (__builtin_constant_p(n))
                copy_from_user_overflow();
        else
                __copy_from_user_overflow(sz, n);
@@ -781,9 +782,10 @@ copy_to_user(void __user *to, const void *from, unsigned long n)
        might_fault();
        /* See the comment in copy_from_user() above. */
-        if (likely(sz < 0 || sz >= n))
+        if (likely(sz < 0 || sz >= n)) {
+                check_object_size(from, n, true);
                n = _copy_to_user(to, from, n);
-        else if(__builtin_constant_p(n))
+        } else if (__builtin_constant_p(n))
                copy_to_user_overflow();
        else
                __copy_to_user_overflow(sz, n);
diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
index 4b32da24faaf..7d3bdd1ed697 100644
--- a/arch/x86/include/asm/uaccess_32.h
+++ b/arch/x86/include/asm/uaccess_32.h
@@ -37,6 +37,7 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
 static __always_inline unsigned long __must_check
 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
 {
+        check_object_size(from, n, true);
        return __copy_to_user_ll(to, from, n);
 }
@@ -95,6 +96,7 @@ static __always_inline unsigned long
 __copy_from_user(void *to, const void __user *from, unsigned long n)
 {
        might_fault();
+        check_object_size(to, n, false);
        if (__builtin_constant_p(n)) {
                unsigned long ret;
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index 2eac2aa3e37f..673059a109fe 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -54,6 +54,7 @@ int __copy_from_user_nocheck(void *dst, const void __user *src, unsigned size)
 {
        int ret = 0;
+        check_object_size(dst, size, false);
        if (!__builtin_constant_p(size))
                return copy_user_generic(dst, (__force void *)src, size);
        switch (size) {
@@ -119,6 +120,7 @@ int __copy_to_user_nocheck(void __user *dst, const void *src, unsigned size)
 {
        int ret = 0;
+        check_object_size(src, size, true);
        if (!__builtin_constant_p(size))
                return copy_user_generic((__force void *)dst, src, size);
        switch (size) {
diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
index f2e4e90621ec..d572b78b65e1 100644
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -68,8 +68,10 @@ extern char * const migratetype_names[MIGRATE_TYPES];
 #ifdef CONFIG_CMA
 #  define is_migrate_cma(migratetype) unlikely((migratetype) == MIGRATE_CMA)
+#  define is_migrate_cma_page(_page) (get_pageblock_migratetype(_page) == MIGRATE_CMA)
 #else
 #  define is_migrate_cma(migratetype) false
+#  define is_migrate_cma_page(_page) false
 #endif
 #define for_each_migratetype_order(order, type) \
diff --git a/include/linux/slab.h b/include/linux/slab.h
index 1a4ea551aae5..4293808d8cfb 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -155,6 +155,18 @@ void kfree(const void *);
 void kzfree(const void *);
 size_t ksize(const void *);
+#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR
+const char *__check_heap_object(const void *ptr, unsigned long n,
+                                struct page *page);
+#else
+static inline const char *__check_heap_object(const void *ptr,
+                                              unsigned long n,
+                                              struct page *page)
+{
+        return NULL;
+}
+#endif
 /*
 * Some archs want to perform DMA into kmalloc caches and need a guaranteed
 * alignment larger than the alignment of a 64-bit integer.
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index 352b1542f5cc..cbd8990e2e77 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -105,6 +105,30 @@ static inline int test_ti_thread_flag(struct thread_info *ti, int flag)
 #define tif_need_resched() test_thread_flag(TIF_NEED_RESCHED)
+#ifndef CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES
+static inline int arch_within_stack_frames(const void * const stack,
+                                           const void * const stackend,
+                                           const void *obj, unsigned long len)
+{
+        return 0;
+}
+#endif
+#ifdef CONFIG_HARDENED_USERCOPY
+extern void __check_object_size(const void *ptr, unsigned long n,
+                                        bool to_user);
+static inline void check_object_size(const void *ptr, unsigned long n,
+                                     bool to_user)
+{
+        __check_object_size(ptr, n, to_user);
+}
+#else
+static inline void check_object_size(const void *ptr, unsigned long n,
+                                     bool to_user)
+{ }
+#endif /* CONFIG_HARDENED_USERCOPY */
 #endif  /* __KERNEL__ */
 #endif /* _LINUX_THREAD_INFO_H */
diff --git a/init/Kconfig b/init/Kconfig
index 69886493ff1e..cac3f096050d 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1761,6 +1761,7 @@ choice
 config SLAB
        bool "SLAB"
+        select HAVE_HARDENED_USERCOPY_ALLOCATOR
        help
          The regular slab allocator that is established and known to work
          well in all environments. It organizes cache hot objects in
@@ -1768,6 +1769,7 @@ config SLAB
 config SLUB
        bool "SLUB (Unqueued Allocator)"
+        select HAVE_HARDENED_USERCOPY_ALLOCATOR
        help
           SLUB is a slab allocator that minimizes cache line usage
           instead of managing queues of cached objects (SLAB approach).
diff --git a/mm/Makefile b/mm/Makefile
index fc059666c760..2ca1faf3fa09 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n
 KCOV_INSTRUMENT_mmzone.o := n
 KCOV_INSTRUMENT_vmstat.o := n
+# Since __builtin_frame_address does work as used, disable the warning.
+CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)
 mmu-y                   := nommu.o
 mmu-$(CONFIG_MMU)       := gup.o highmem.o memory.o mincore.o \
                           mlock.o mmap.o mprotect.o mremap.o msync.o rmap.o \
@@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
 obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o
 obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o
 obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o
+obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o
diff --git a/mm/slab.c b/mm/slab.c
index 261147ba156f..b67271024135 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -4441,6 +4441,36 @@ static int __init slab_proc_init(void)
 module_init(slab_proc_init);
 #endif
+#ifdef CONFIG_HARDENED_USERCOPY
+/*
+ * Rejects objects that are incorrectly sized.
+ *
+ * Returns NULL if check passes, otherwise const char * to name of cache
+ * to indicate an error.
+ */
+const char *__check_heap_object(const void *ptr, unsigned long n,
+                                struct page *page)
+{
+        struct kmem_cache *cachep;
+        unsigned int objnr;
+        unsigned long offset;
+        /* Find and validate object. */
+        cachep = page->slab_cache;
+        objnr = obj_to_index(cachep, page, (void *)ptr);
+        BUG_ON(objnr >= cachep->num);
+        /* Find offset within object. */
+        offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep);
+        /* Allow address range falling entirely within object size. */
+        if (offset <= cachep->object_size && n <= cachep->object_size - offset)
+                return NULL;
+        return cachep->name;
+}
+#endif /* CONFIG_HARDENED_USERCOPY */
 /**
 * ksize - get the actual amount of memory allocated for a given object
 * @objp: Pointer to the object
diff --git a/mm/slub.c b/mm/slub.c
index 850737bdfbd8..cead06394e9e 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3764,6 +3764,46 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node)
 EXPORT_SYMBOL(__kmalloc_node);
 #endif
+#ifdef CONFIG_HARDENED_USERCOPY
+/*
+ * Rejects objects that are incorrectly sized.
+ *
+ * Returns NULL if check passes, otherwise const char * to name of cache
+ * to indicate an error.
+ */
+const char *__check_heap_object(const void *ptr, unsigned long n,
+                                struct page *page)
+{
+        struct kmem_cache *s;
+        unsigned long offset;
+        size_t object_size;
+        /* Find object and usable object size. */
+        s = page->slab_cache;
+        object_size = slab_ksize(s);
+        /* Reject impossible pointers. */
+        if (ptr < page_address(page))
+                return s->name;
+        /* Find offset within object. */
+        offset = (ptr - page_address(page)) % s->size;
+        /* Adjust for redzone and reject if within the redzone. */
+        if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE) {
+                if (offset < s->red_left_pad)
+                        return s->name;
+                offset -= s->red_left_pad;
+        }
+        /* Allow address range falling entirely within object size. */
+        if (offset <= object_size && n <= object_size - offset)
+                return NULL;
+        return s->name;
+}
+#endif /* CONFIG_HARDENED_USERCOPY */
 static size_t __ksize(const void *object)
 {
        struct page *page;
diff --git a/mm/usercopy.c b/mm/usercopy.c
new file mode 100644
index 000000000000..8ebae91a6b55
--- /dev/null
+++ b/mm/usercopy.c
@@ -0,0 +1,268 @@
+/*
+ * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
+ * which are designed to protect kernel memory from needless exposure
+ * and overwrite under many unintended conditions. This code is based
+ * on PAX_USERCOPY, which is:
+ *
+ * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
+ * Security Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/mm.h>
+#include <linux/slab.h>
+#include <asm/sections.h>
+enum {
+        BAD_STACK = -1,
+        NOT_STACK = 0,
+        GOOD_FRAME,
+        GOOD_STACK,
+};
+/*
+ * Checks if a given pointer and length is contained by the current
+ * stack frame (if possible).
+ *
+ * Returns:
+ *      NOT_STACK: not at all on the stack
+ *      GOOD_FRAME: fully within a valid stack frame
+ *      GOOD_STACK: fully on the stack (when can't do frame-checking)
+ *      BAD_STACK: error condition (invalid stack position or bad stack frame)
+ */
+static noinline int check_stack_object(const void *obj, unsigned long len)
+{
+        const void * const stack = task_stack_page(current);
+        const void * const stackend = stack + THREAD_SIZE;
+        int ret;
+        /* Object is not on the stack at all. */
+        if (obj + len <= stack || stackend <= obj)
+                return NOT_STACK;
+        /*
+         * Reject: object partially overlaps the stack (passing the
+         * the check above means at least one end is within the stack,
+         * so if this check fails, the other end is outside the stack).
+         */
+        if (obj < stack || stackend < obj + len)
+                return BAD_STACK;
+        /* Check if object is safely within a valid frame. */
+        ret = arch_within_stack_frames(stack, stackend, obj, len);
+        if (ret)
+                return ret;
+        return GOOD_STACK;
+}
+static void report_usercopy(const void *ptr, unsigned long len,
+                            bool to_user, const char *type)
+{
+        pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
+                to_user ? "exposure" : "overwrite",
+                to_user ? "from" : "to", ptr, type ? : "unknown", len);
+        /*
+         * For greater effect, it would be nice to do do_group_exit(),
+         * but BUG() actually hooks all the lock-breaking and per-arch
+         * Oops code, so that is used here instead.
+         */
+        BUG();
+}
+/* Returns true if any portion of [ptr,ptr+n) over laps with [low,high). */
+static bool overlaps(const void *ptr, unsigned long n, unsigned long low,
+                     unsigned long high)
+{
+        unsigned long check_low = (uintptr_t)ptr;
+        unsigned long check_high = check_low + n;
+        /* Does not overlap if entirely above or entirely below. */
+        if (check_low >= high || check_high < low)
+                return false;
+        return true;
+}
+/* Is this address range in the kernel text area? */
+static inline const char *check_kernel_text_object(const void *ptr,
+                                                   unsigned long n)
+{
+        unsigned long textlow = (unsigned long)_stext;
+        unsigned long texthigh = (unsigned long)_etext;
+        unsigned long textlow_linear, texthigh_linear;
+        if (overlaps(ptr, n, textlow, texthigh))
+                return "<kernel text>";
+        /*
+         * Some architectures have virtual memory mappings with a secondary
+         * mapping of the kernel text, i.e. there is more than one virtual
+         * kernel address that points to the kernel image. It is usually
+         * when there is a separate linear physical memory mapping, in that
+         * __pa() is not just the reverse of __va(). This can be detected
+         * and checked:
+         */
+        textlow_linear = (unsigned long)__va(__pa(textlow));
+        /* No different mapping: we're done. */
+        if (textlow_linear == textlow)
+                return NULL;
+        /* Check the secondary mapping... */
+        texthigh_linear = (unsigned long)__va(__pa(texthigh));
+        if (overlaps(ptr, n, textlow_linear, texthigh_linear))
+                return "<linear kernel text>";
+        return NULL;
+}
+static inline const char *check_bogus_address(const void *ptr, unsigned long n)
+{
+        /* Reject if object wraps past end of memory. */
+        if (ptr + n < ptr)
+                return "<wrapped address>";
+        /* Reject if NULL or ZERO-allocation. */
+        if (ZERO_OR_NULL_PTR(ptr))
+                return "<null>";
+        return NULL;
+}
+static inline const char *check_heap_object(const void *ptr, unsigned long n,
+                                            bool to_user)
+{
+        struct page *page, *endpage;
+        const void *end = ptr + n - 1;
+        bool is_reserved, is_cma;
+        /*
+         * Some architectures (arm64) return true for virt_addr_valid() on
+         * vmalloced addresses. Work around this by checking for vmalloc
+         * first.
+         */
+        if (is_vmalloc_addr(ptr))
+                return NULL;
+        if (!virt_addr_valid(ptr))
+                return NULL;
+        page = virt_to_head_page(ptr);
+        /* Check slab allocator for flags and size. */
+        if (PageSlab(page))
+                return __check_heap_object(ptr, n, page);
+        /*
+         * Sometimes the kernel data regions are not marked Reserved (see
+         * check below). And sometimes [_sdata,_edata) does not cover
+         * rodata and/or bss, so check each range explicitly.
+         */
+        /* Allow reads of kernel rodata region (if not marked as Reserved). */
+        if (ptr >= (const void *)__start_rodata &&
+            end <= (const void *)__end_rodata) {
+                if (!to_user)
+                        return "<rodata>";
+                return NULL;
+        }
+        /* Allow kernel data region (if not marked as Reserved). */
+        if (ptr >= (const void *)_sdata && end <= (const void *)_edata)
+                return NULL;
+        /* Allow kernel bss region (if not marked as Reserved). */
+        if (ptr >= (const void *)__bss_start &&
+            end <= (const void *)__bss_stop)
+                return NULL;
+        /* Is the object wholly within one base page? */
+        if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
+                   ((unsigned long)end & (unsigned long)PAGE_MASK)))
+                return NULL;
+        /* Allow if start and end are inside the same compound page. */
+        endpage = virt_to_head_page(end);
+        if (likely(endpage == page))
+                return NULL;
+        /*
+         * Reject if range is entirely either Reserved (i.e. special or
+         * device memory), or CMA. Otherwise, reject since the object spans
+         * several independently allocated pages.
+         */
+        is_reserved = PageReserved(page);
+        is_cma = is_migrate_cma_page(page);
+        if (!is_reserved && !is_cma)
+                goto reject;
+        for (ptr += PAGE_SIZE; ptr <= end; ptr += PAGE_SIZE) {
+                page = virt_to_head_page(ptr);
+                if (is_reserved && !PageReserved(page))
+                        goto reject;
+                if (is_cma && !is_migrate_cma_page(page))
+                        goto reject;
+        }
+        return NULL;
+reject:
+        return "<spans multiple pages>";
+}
+/*
+ * Validates that the given object is:
+ * - not bogus address
+ * - known-safe heap or stack object
+ * - not in kernel text
+ */
+void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+{
+        const char *err;
+        /* Skip all tests if size is zero. */
+        if (!n)
+                return;
+        /* Check for invalid addresses. */
+        err = check_bogus_address(ptr, n);
+        if (err)
+                goto report;
+        /* Check for bad heap object. */
+        err = check_heap_object(ptr, n, to_user);
+        if (err)
+                goto report;
+        /* Check for bad stack object. */
+        switch (check_stack_object(ptr, n)) {
+        case NOT_STACK:
+                /* Object is not touching the current process stack. */
+                break;
+        case GOOD_FRAME:
+        case GOOD_STACK:
+                /*
+                 * Object is either in the correct frame (when it
+                 * is possible to check) or just generally on the
+                 * process stack (when frame checking not available).
+                 */
+                return;
+        default:
+                err = "<process stack>";
+                goto report;
+        }
+        /* Check for object in kernel to avoid text exposure. */
+        err = check_kernel_text_object(ptr, n);
+        if (!err)
+                return;
+report:
+        report_usercopy(ptr, n, to_user, err);
+}
+EXPORT_SYMBOL(__check_object_size);
diff --git a/security/Kconfig b/security/Kconfig
index 176758cdfa57..df28f2b6f3e1 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -118,6 +118,34 @@ config LSM_MMAP_MIN_ADDR
          this low address space will need the permission specific to the
          systems running LSM.
+config HAVE_HARDENED_USERCOPY_ALLOCATOR
+        bool
+        help
+          The heap allocator implements __check_heap_object() for
+          validating memory ranges against heap object sizes in
+          support of CONFIG_HARDENED_USERCOPY.
+config HAVE_ARCH_HARDENED_USERCOPY
+        bool
+        help
+          The architecture supports CONFIG_HARDENED_USERCOPY by
+          calling check_object_size() just before performing the
+          userspace copies in the low level implementation of
+          copy_to_user() and copy_from_user().
+config HARDENED_USERCOPY
+        bool "Harden memory copies between kernel and userspace"
+        depends on HAVE_ARCH_HARDENED_USERCOPY
+        select BUG
+        help
+          This option checks for obviously wrong memory regions when
+          copying memory to/from the kernel (via copy_to_user() and
+          copy_from_user() functions) by rejecting memory ranges that
+          are larger than the specified heap object, span multiple
+          separately allocates pages, are not on the process stack,
+          or are part of the kernel text. This kills entire classes
+          of heap overflow exploits and similar kernel memory exposures.
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig