# git rev-parse -q --verify c7ce5fe9288c5692fa456a804cf5ea5976d842f1^{commit}
c7ce5fe9288c5692fa456a804cf5ea5976d842f1
already have revision, skipping fetch
# git checkout -q -f -B kisskb c7ce5fe9288c5692fa456a804cf5ea5976d842f1
# git clean -qxdf
# < git log -1
# commit c7ce5fe9288c5692fa456a804cf5ea5976d842f1
# Author: Michael Neuling <mikey@neuling.org>
# Date:   Fri Jul 19 15:05:02 2019 +1000
# 
#     powerpc/tm: Fix oops on sigreturn on systems without TM
#     
#     On systems like P9 powernv where we have no TM (or P8 booted with
#     ppc_tm=off), userspace can construct a signal context which still has
#     the MSR TS bits set. The kernel tries to restore this context which
#     results in the following crash:
#     
#       Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
#       Oops: Unrecoverable exception, sig: 6 [#1]
#       LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
#       Modules linked in:
#       CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
#       NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
#       REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
#       MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
#       CFAR: c0000000000022e0 IRQMASK: 0
#       GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
#       GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
#       GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
#       GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
#       GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
#       GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
#       GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
#       GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
#       NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
#       LR [00007fffb2d67e48] 0x7fffb2d67e48
#       Call Trace:
#       Instruction dump:
#       e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
#       e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
#     
#     The problem is the signal code assumes TM is enabled when
#     CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
#     with P9 powernv or if `ppc_tm=off` is used on P8.
#     
#     This means any local user can crash the system.
#     
#     Fix the problem by returning a bad stack frame to the user if they try
#     to set the MSR TS bits with sigreturn() on systems where TM is not
#     supported.
#     
#     Found with sigfuz kernel selftest on P9.
#     
#     This fixes CVE-2019-13648.
#     
#     Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
#     # NOTE: fixes commit 2b0a576d15e0 released in v3.9.
#     # Consider a stable tag:
#     # Cc: stable@vger.kernel.org # v3.9+
#     Cc: stable@vger.kernel.org # v3.9
#     Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
#     Signed-off-by: Michael Neuling <mikey@neuling.org>
#     Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
#     Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-gcc --version
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-ld --version
# < git log --format=%s --max-count=1 c7ce5fe9288c5692fa456a804cf5ea5976d842f1
# < make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-fixes_85xx_ge_imp3a_defconfig_powerpc-gcc4.6 CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-  85xx/ge_imp3a_defconfig
# make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-fixes_85xx_ge_imp3a_defconfig_powerpc-gcc4.6 CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-  
<stdin>:1511:2: warning: #warning syscall clone3 not implemented [-Wcpp]
/kisskb/src/kernel/rcu/srcutree.c: In function 'init_srcu_struct_fields':
/kisskb/src/kernel/rcu/srcutree.c:140:32: warning: 'levelspread[<Ucb40>]' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/rcu/srcutree.c:88:6: note: 'levelspread[<Ucb40>]' was declared here
/kisskb/src/kernel/printk/printk.c: In function 'devkmsg_sysctl_set_loglvl':
/kisskb/src/kernel/printk/printk.c:194:16: warning: 'old' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c: In function 'proc_reg_open':
/kisskb/src/include/linux/list.h:65:12: warning: 'pdeo' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c:331:21: note: 'pdeo' was declared here
/kisskb/src/drivers/base/regmap/regmap.c: In function 'regmap_raw_read':
/kisskb/src/drivers/base/regmap/regmap.c:2591:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/base/regmap/regmap.c: In function '_regmap_raw_write':
/kisskb/src/drivers/base/regmap/regmap.c:1852:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/tty/serial/8250/8250_core.c: In function 'univ8250_release_irq':
/kisskb/src/drivers/tty/serial/8250/8250_core.c:248:18: warning: 'i' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/tty/serial/8250/8250_core.c:228:19: note: 'i' was declared here
/kisskb/src/fs/nfsd/nfs4xdr.c: In function 'nfsd4_encode_components_esc':
/kisskb/src/fs/nfsd/nfs4xdr.c:2065:9: warning: 'str' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/usb/core/devio.c: In function 'async_completed':
/kisskb/src/drivers/usb/core/devio.c:613:23: warning: 'errno' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/udf/unicode.c: In function 'udf_name_conv_char':
/kisskb/src/fs/udf/unicode.c:132:8: warning: 'c' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/tun.c: In function 'tun_get_user':
/kisskb/src/drivers/net/tun.c:1831:30: warning: 'copylen' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/tun.c:1744:46: warning: 'linear' may be used uninitialized in this function [-Wuninitialized]
INFO: Uncompressed kernel (size 0x858610) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0x900000)
Image Name:   Linux-5.2.0-gc7ce5fe9288c
Created:      Sat Jul 20 00:59:33 2019
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4285085 Bytes = 4184.65 KiB = 4.09 MiB
Load Address: 00000000
Entry Point:  00000000
Completed OK
# rm -rf /kisskb/build/powerpc-fixes_85xx_ge_imp3a_defconfig_powerpc-gcc4.6
# Build took: 0:00:33.562800