# git rev-parse -q --verify ce63b04945771378f238ffd53ea665854aa27e20^{commit}
ce63b04945771378f238ffd53ea665854aa27e20
already have revision, skipping fetch
# git checkout -q -f -B kisskb ce63b04945771378f238ffd53ea665854aa27e20
# git clean -qxdf
# < git log -1
# commit ce63b04945771378f238ffd53ea665854aa27e20
# Author: Michael Ellerman
# Date:   Wed Nov 22 12:15:42 2017 +1100
#
#     powerpc: Check address limit on user-mode return (TIF_FSCHECK)
#
#     set_fs() sets the addr_limit, which is used in access_ok() to
#     determine if an address is a user or kernel address.
#
#     Some code paths use set_fs() to temporarily elevate the addr_limit so
#     that kernel code can read/write kernel memory as if it were user
#     memory. That is fine as long as the code can't ever return to
#     userspace with the addr_limit still elevated.
#
#     If that did happen, then userspace can read/write kernel memory as if
#     it were user memory, eg. just with write(2). In case it's not clear,
#     that is very bad. It has also happened in the past due to bugs.
#
#     Commit 5ea0727b163c ("x86/syscalls: Check address limit on user-mode
#     return") added a mechanism to check the addr_limit value before
#     returning to userspace. Any call to set_fs() sets a thread flag,
#     TIF_FSCHECK, and if we see that on the return to userspace we go out
#     of line to check that the addr_limit value is not elevated.
#
#     For further info see the above commit, as well as:
#       https://lwn.net/Articles/722267/
#       https://bugs.chromium.org/p/project-zero/issues/detail?id=990
#
#     Verified to work on 64-bit Book3S using a POC that objdumps the system
#     call handler, and a modified lkdtm_CORRUPT_USER_DS() that doesn't kill
#     the caller.
#
#     Before:
#       $ sudo ./test-tif-fscheck
#       ...
#       0000000000000000 <.data>:
#          0:   e1 f7 8a 79     rldicl. r10,r12,30,63
#          4:   80 03 82 40     bne     0x384
#          8:   00 40 8a 71     andi.   r10,r12,16384
#          c:   78 0b 2a 7c     mr      r10,r1
#         10:   10 fd 21 38     addi    r1,r1,-752
#         14:   08 00 c2 41     beq-    0x1c
#         18:   58 09 2d e8     ld      r1,2392(r13)
#         1c:   00 00 41 f9     std     r10,0(r1)
#         20:   70 01 61 f9     std     r11,368(r1)
#         24:   78 01 81 f9     std     r12,376(r1)
#         28:   70 00 01 f8     std     r0,112(r1)
#         2c:   78 00 41 f9     std     r10,120(r1)
#         30:   20 00 82 41     beq     0x50
#         34:   a6 42 4c 7d     mftb    r10
#
#     After:
#
#       $ sudo ./test-tif-fscheck
#       Killed
#
#     And in dmesg:
#       Invalid address limit on user-mode return
#       WARNING: CPU: 1 PID: 3689 at ../include/linux/syscalls.h:260 do_notify_resume+0x140/0x170
#       ...
#       NIP [c00000000001ee50] do_notify_resume+0x140/0x170
#       LR [c00000000001ee4c] do_notify_resume+0x13c/0x170
#       Call Trace:
#         do_notify_resume+0x13c/0x170 (unreliable)
#         ret_from_except_lite+0x70/0x74
#
#     Performance overhead is essentially zero in the usual case, because
#     the bit is checked as part of the existing _TIF_USER_WORK_MASK check.
#
#     Signed-off-by: Michael Ellerman
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-gcc --version
# < git log --format=%s --max-count=1 ce63b04945771378f238ffd53ea665854aa27e20
# < make -s -j 20 ARCH=powerpc O=/kisskb/build/powerpc-next_powerpc-allmodconfig_powerpc CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux- allmodconfig
# Added to kconfig CONFIG_BUILD_DOCSRC=n
# Added to kconfig CONFIG_MODULE_SIG=n
# Added to kconfig CONFIG_SAMPLES=n
# yes \n | make -s -j 20 ARCH=powerpc O=/kisskb/build/powerpc-next_powerpc-allmodconfig_powerpc CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux- oldconfig
yes: standard output: Broken pipe
yes: write error
# make -s -j 20 ARCH=powerpc O=/kisskb/build/powerpc-next_powerpc-allmodconfig_powerpc CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-
/kisskb/src/drivers/gpu/drm/nouveau/nvkm/subdev/top/gk104.c: In function 'gk104_top_oneinit':
/kisskb/src/drivers/gpu/drm/nouveau/nvkm/subdev/top/gk104.c:101:1: warning: 'inst' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/gpu/drm/nouveau/nvkm/subdev/top/gk104.c:101:1: warning: 'type' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/gpu/drm/nouveau/nv50_display.c: In function 'nv50_head_lut_load.isra.8':
/kisskb/src/arch/powerpc/include/asm/io.h:176:1: warning: 'b' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/gpu/drm/nouveau/nv50_display.c:1805:18: note: 'b' was declared here
/kisskb/src/arch/powerpc/include/asm/io.h:176:1: warning: 'g' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/gpu/drm/nouveau/nv50_display.c:1805:15: note: 'g' was declared here
/kisskb/src/arch/powerpc/include/asm/io.h:176:1: warning: 'r' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/gpu/drm/nouveau/nv50_display.c:1805:12: note: 'r' was declared here
/kisskb/src/drivers/nvme/host/lightnvm.c: In function 'nvme_nvm_get_chk_meta':
/kisskb/src/drivers/nvme/host/lightnvm.c:624:2: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/media/usb/dvb-usb/pctv452e.c: In function 'pctv452e_frontend_attach':
/kisskb/src/drivers/media/usb/dvb-usb/pctv452e.c:922:2: warning: value computed is not used [-Wunused-value]
/kisskb/src/drivers/net/tun.c: In function 'tun_get_user':
/kisskb/src/drivers/net/tun.c:1822:30: warning: 'copylen' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/tun.c:1732:46: warning: 'linear' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/wireless/broadcom/b43/phy_n.c: In function 'b43_nphy_rf_ctl_override_rev7':
/kisskb/src/drivers/net/wireless/broadcom/b43/phy_n.c:202:21: warning: 'val_addr' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/tty/serial/8250/8250_core.c: In function 'serial_unlink_irq_chain':
/kisskb/src/drivers/tty/serial/8250/8250_core.c:251:18: warning: 'i' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/staging/fsl-dpaa2/ethsw/ethsw.c: In function 'port_vlans_add':
/kisskb/src/drivers/staging/fsl-dpaa2/ethsw/ethsw.c:720:11: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/staging/fsl-dpaa2/ethsw/ethsw.c: In function 'swdev_port_obj_del':
/kisskb/src/drivers/staging/fsl-dpaa2/ethsw/ethsw.c:923:2: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_rdma':
/kisskb/src/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3323:18: warning: 'server_ioba' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3317:18: warning: 'client_ioba' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c: In function 'hclgevf_bind_ring_to_vector':
/kisskb/src/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c:609:16: warning: 'type' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c: In function 'rtl8723a_phy_lc_calibrate':
/kisskb/src/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c:3481:23: warning: 'rf_amode' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/ethernet/ibm/ibmvnic.c: In function 'reset_rx_pools':
/kisskb/src/drivers/net/ethernet/ibm/ibmvnic.c:437:6: warning: 'rc' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/ethernet/intel/ice/ice_main.c: In function 'ice_vsi_open':
/kisskb/src/drivers/net/ethernet/intel/ice/ice_main.c:4979:5: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/ethernet/intel/ice/ice_main.c:4983:5: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c: In function 'update_root_ft_create':
/kisskb/src/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:872:5: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/staging/lustre/lustre/ptlrpc/nrs.c: In function 'ptlrpc_nrs_policy_register.constprop.1':
/kisskb/src/include/linux/string.h:266:29: warning: array subscript is above array bounds [-Warray-bounds]
WARNING: vmlinux.o(.text+0x376938): Section mismatch in reference from the function .devm_memremap_pages() to the function .meminit.text:.arch_add_memory()
The function .devm_memremap_pages() references the function __meminit .arch_add_memory().
This is often because .devm_memremap_pages lacks a __meminit annotation or the annotation of .arch_add_memory is wrong.

WARNING: vmlinux.o(.text+0x377184): Section mismatch in reference from the function .devm_memremap_pages_release() to the function .meminit.text:.arch_remove_memory()
The function .devm_memremap_pages_release() references the function __meminit .arch_remove_memory().
This is often because .devm_memremap_pages_release lacks a __meminit annotation or the annotation of .arch_remove_memory is wrong.

WARNING: vmlinux.o(.text+0x4a620c): Section mismatch in reference from the function .hmm_devmem_release() to the function .meminit.text:.arch_remove_memory()
The function .hmm_devmem_release() references the function __meminit .arch_remove_memory().
This is often because .hmm_devmem_release lacks a __meminit annotation or the annotation of .arch_remove_memory is wrong.

WARNING: vmlinux.o(.text+0x4a6528): Section mismatch in reference from the function .hmm_devmem_pages_create() to the function .meminit.text:.arch_add_memory()
The function .hmm_devmem_pages_create() references the function __meminit .arch_add_memory().
This is often because .hmm_devmem_pages_create lacks a __meminit annotation or the annotation of .arch_add_memory is wrong.

WARNING: vmlinux.o(.text.unlikely+0x2650): Section mismatch in reference from the function .remove_pmd_table() to the function .meminit.text:.split_kernel_mapping()
The function .remove_pmd_table() references the function __meminit .split_kernel_mapping().
This is often because .remove_pmd_table lacks a __meminit annotation or the annotation of .split_kernel_mapping is wrong.

WARNING: vmlinux.o(.text.unlikely+0x293c): Section mismatch in reference from the function .remove_pud_table() to the function .meminit.text:.split_kernel_mapping()
The function .remove_pud_table() references the function __meminit .split_kernel_mapping().
This is often because .remove_pud_table lacks a __meminit annotation or the annotation of .split_kernel_mapping is wrong.

WARNING: drivers/hwmon/ibmpowernv.o(.text+0xa3c): Section mismatch in reference from the function .create_device_attrs() to the function .init.text:.make_sensor_label()
The function .create_device_attrs() references the function __init .make_sensor_label().
This is often because .create_device_attrs lacks a __init annotation or the annotation of .make_sensor_label is wrong.

/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-ld: drivers/misc/lkdtm/lkdtm.o: .opd is not a regular array of opd entries
Completed OK
# rm -rf /kisskb/build/powerpc-next_powerpc-allmodconfig_powerpc
# Build took: 0:13:09.615283
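The commit message in the log above describes how set_fs() raises addr_limit, how access_ok() trusts that limit, and why a limit left elevated on return to userspace lets write(2) reach kernel memory until TIF_FSCHECK catches it on the way out. The following is an added, userspace C model of that logic, written for this page; it is not kernel code and not part of the kisskb build. TASK_SIZE, KERNEL_DS_LIM, the struct thread layout, the TIF_* bit values and the function names are simplified stand-ins chosen for the model, and the kernel and user addresses used in the scenarios are constructed.

```c
/* Added example, not kernel code: a userspace model of the addr_limit /
 * TIF_FSCHECK logic from the commit message. TASK_SIZE, KERNEL_DS_LIM,
 * struct thread and the function names are simplified stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE      0x0010000000000000ULL  /* model USER_DS: top of user space */
#define KERNEL_DS_LIM  0xffffffffffffffffULL  /* model KERNEL_DS: no limit at all */
#define TIF_SIGPENDING (1u << 0)
#define TIF_FSCHECK    (1u << 1)
/* The return path already tests this mask, so adding TIF_FSCHECK is free. */
#define _TIF_USER_WORK_MASK (TIF_SIGPENDING | TIF_FSCHECK)

struct thread {
    uint64_t addr_limit;  /* written by set_fs(), read by access_ok() */
    unsigned flags;       /* TIF_* bits */
};

/* set_fs(): change the limit and arm the check on the way back to user. */
static void set_fs(struct thread *t, uint64_t limit)
{
    t->addr_limit = limit;
    t->flags |= TIF_FSCHECK;
}

/* access_ok(): [addr, addr+size) must lie below addr_limit without wrapping. */
static bool access_ok(const struct thread *t, uint64_t addr, uint64_t size)
{
    if (addr > t->addr_limit)
        return false;
    return size == 0 || size - 1 <= t->addr_limit - addr;
}

/* write(2) model: the kernel dereferences ubuf only if access_ok() passes. */
static bool write2_may_copy(const struct thread *t, uint64_t ubuf, uint64_t len)
{
    return access_ok(t, ubuf, len);
}

/* do_notify_resume() model: returns false when the task must be killed. */
static bool return_to_user(struct thread *t)
{
    if (!(t->flags & _TIF_USER_WORK_MASK))
        return true;                       /* fast path: no work bits set */
    if (t->flags & TIF_FSCHECK) {
        t->flags &= ~TIF_FSCHECK;
        if (t->addr_limit != TASK_SIZE) {  /* elevated limit leaked to user */
            fprintf(stderr, "Invalid address limit on user-mode return\n");
            return false;
        }
    }
    return true;
}

/* Constructed addresses for the scenarios below. */
#define KERNEL_TEXT_ADDR 0xc000000000010000ULL  /* above TASK_SIZE */
#define USER_BUF_ADDR    0x0000000010000000ULL  /* below TASK_SIZE */

/* The bug class the commit closes: set_fs(KERNEL_DS) never restored.
 * Returns true if write(2) from a kernel address would now be allowed. */
static bool leaked_limit_exposes_kernel_memory(void)
{
    struct thread t = { .addr_limit = TASK_SIZE, .flags = 0 };
    set_fs(&t, KERNEL_DS_LIM);
    /* ...kernel work... the matching set_fs(USER_DS) is missing */
    return write2_may_copy(&t, KERNEL_TEXT_ADDR, 4096);
}

/* Same bug with the check in place: the task is killed, not returned. */
static bool fscheck_kills_on_leaked_limit(void)
{
    struct thread t = { .addr_limit = TASK_SIZE, .flags = 0 };
    set_fs(&t, KERNEL_DS_LIM);
    return !return_to_user(&t);
}

/* Correct use: elevate, work, restore. True if the task may return and
 * a kernel address is once again rejected while a user one is accepted. */
static bool balanced_set_fs_is_accepted(void)
{
    struct thread t = { .addr_limit = TASK_SIZE, .flags = 0 };
    set_fs(&t, KERNEL_DS_LIM);
    bool kernel_ok_inside = write2_may_copy(&t, KERNEL_TEXT_ADDR, 4096);
    set_fs(&t, TASK_SIZE);
    return kernel_ok_inside && return_to_user(&t)
        && !write2_may_copy(&t, KERNEL_TEXT_ADDR, 4096)
        && write2_may_copy(&t, USER_BUF_ADDR, 4096);
}

int main(void)
{
    printf("leaked limit lets user read kernel memory: %d\n", leaked_limit_exposes_kernel_memory());
    printf("TIF_FSCHECK kills the task instead: %d\n", fscheck_kills_on_leaked_limit());
    printf("balanced set_fs() returns normally: %d\n", balanced_set_fs_is_accepted());
    return 0;
}
```

The first scenario shows the exposure the commit message warns about: once addr_limit is left at the KERNEL_DS value, access_ok() accepts a kernel address and a plain write(2) would copy from it. The second shows the check firing on the same state, matching the "Invalid address limit on user-mode return" line in the dmesg excerpt. The fast-path test on _TIF_USER_WORK_MASK is why the commit reports essentially zero overhead: a task that never called set_fs() takes the same early exit it always did.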