# git rev-parse -q --verify 457afdc0071dbd343a59426890b9677ca2882c23^{commit} 457afdc0071dbd343a59426890b9677ca2882c23 already have revision, skipping fetch # git checkout -q -f -B kisskb 457afdc0071dbd343a59426890b9677ca2882c23 # git clean -qxdf # < git log -1 # commit 457afdc0071dbd343a59426890b9677ca2882c23 # Author: Gustavo Romero # Date: Tue Sep 3 14:47:17 2019 +1000 # # powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts # # When in userspace and MSR FP=0 the hardware FP state is unrelated to # the current process. This is extended for transactions where if tbegin # is run with FP=0, the hardware checkpoint FP state will also be # unrelated to the current process. Due to this, we need to ensure this # hardware checkpoint is updated with the correct state before we enable # FP for this process. # # Unfortunately we get this wrong when returning to a process from a # hardware interrupt. A process that starts a transaction with FP=0 can # take an interrupt. When the kernel returns back to that process, we # change to FP=1 but with hardware checkpoint FP state not updated. If # this transaction is then rolled back, the FP registers now contain the # wrong state. # # The process looks like this: # Userspace: Kernel # # Start userspace # with MSR FP=0 TM=1 # < ----- # ... # tbegin # bne # Hardware interrupt # ---- > # # .... # ret_from_except # restore_math() # /* sees FP=0 */ # restore_fp() # tm_active_with_fp() # /* sees FP=1 (Incorrect) */ # load_fp_state() # FP = 0 -> 1 # < ----- # Return to userspace # with MSR TM=1 FP=1 # with junk in the FP TM checkpoint # TM rollback # reads FP junk # # When returning from the hardware exception, tm_active_with_fp() is # incorrectly making restore_fp() call load_fp_state() which is setting # FP=1. # # The fix is to remove tm_active_with_fp(). # # tm_active_with_fp() is attempting to handle the case where FP state # has been changed inside a transaction. In this case the checkpointed # and transactional FP state is different and hence we must restore the # FP state (ie. we can't do lazy FP restore inside a transaction that's # used FP). It's safe to remove tm_active_with_fp() as this case is # handled by restore_tm_state(). restore_tm_state() detects if FP has # been using inside a transaction and will set load_fp and call # restore_math() to ensure the FP state (checkpoint and transaction) is # restored. # # This is a data integrity problem for the current process as the FP # registers are corrupted. It's also a security problem as the FP # registers from one process may be leaked to another. # # Similarly for VMX. # # A simple testcase to replicate this will be posted to # tools/testing/selftests/powerpc/tm/tm-poison.c # # This fixes CVE-2019-15031. # # Fixes: a7771176b439 ("powerpc: Don't enable FP/Altivec if not checkpointed") # Cc: stable@vger.kernel.org # 4.15+ # Signed-off-by: Gustavo Romero # Signed-off-by: Michael Neuling # Signed-off-by: Michael Ellerman # Link: https://lore.kernel.org/r/20190903044718.13773-2-mikey@neuling.org # < /opt/cross/kisskb/gcc-4.6.3-nolibc/m68k-linux/bin/m68k-linux-gcc --version # < /opt/cross/kisskb/gcc-4.6.3-nolibc/m68k-linux/bin/m68k-linux-ld --version # < git log --format=%s --max-count=1 457afdc0071dbd343a59426890b9677ca2882c23 # < make -s -j 48 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/m68k-linux/bin/m68k-linux- defconfig # make -s -j 48 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/m68k-linux/bin/m68k-linux- :1511:2: warning: #warning syscall clone3 not implemented [-Wcpp] /kisskb/src/arch/m68k/mvme147/config.c: In function 'mvme147_hwclk': /kisskb/src/arch/m68k/mvme147/config.c:175:2: warning: #warning check me! [-Wcpp] /kisskb/src/arch/m68k/mvme16x/config.c: In function 'mvme16x_hwclk': /kisskb/src/arch/m68k/mvme16x/config.c:440:2: warning: #warning check me! [-Wcpp] /kisskb/src/kernel/printk/printk.c: In function 'devkmsg_sysctl_set_loglvl': /kisskb/src/kernel/printk/printk.c:194:16: warning: 'old' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/ipc/shm.c: In function 'ksys_shmdt': /kisskb/src/ipc/shm.c:1712:59: warning: 'file' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/lib/mpi/mpicoder.c: In function 'mpi_read_raw_from_sgl': /kisskb/src/lib/mpi/mpicoder.c:336:12: warning: 'buff' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/lib/rhashtable.c: In function 'rht_deferred_worker': /kisskb/src/include/linux/rhashtable.h:110:10: warning: 'next' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/lib/rhashtable.c:222:28: note: 'next' was declared here /kisskb/src/kernel/acct.c: In function 'acct_pin_kill': /kisskb/src/kernel/acct.c:177:2: warning: value computed is not used [-Wunused-value] /kisskb/src/fs/cifs/smb2pdu.c: In function 'SMB2_ioctl_init': /kisskb/src/fs/cifs/smb2pdu.c:2671:19: warning: 'in_data_buf' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/net/core/gen_stats.c: In function '__gnet_stats_copy_basic': /kisskb/src/net/core/gen_stats.c:157:19: warning: 'seq' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/net/core/dev.c: In function 'validate_xmit_skb_list': /kisskb/src/net/core/dev.c:3407:15: warning: 'tail' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/net/core/filter.c: In function 'bpf_clear_redirect_map': /kisskb/src/net/core/filter.c:3599:4: warning: value computed is not used [-Wunused-value] /kisskb/src/drivers/md/raid10.c: In function 'read_balance': /kisskb/src/drivers/md/raid10.c:840:22: warning: 'best_pending_slot' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/fs/proc/inode.c: In function 'proc_reg_open': /kisskb/src/include/linux/list.h:65:12: warning: 'pdeo' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/fs/proc/inode.c:338:21: note: 'pdeo' was declared here /kisskb/src/fs/ocfs2/alloc.c: In function 'ocfs2_trim_mainbm': /kisskb/src/fs/ocfs2/alloc.c:7590:17: warning: 'first_bit' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/net/sctp/output.c: In function 'sctp_packet_config': /kisskb/src/include/net/sock.h:1960:19: warning: 'sk' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/net/sctp/output.c:79:15: note: 'sk' was declared here /kisskb/src/drivers/net/ethernet/8390/lib8390.c:201:12: warning: '__ei_open' defined but not used [-Wunused-function] /kisskb/src/drivers/net/ethernet/8390/lib8390.c:230:12: warning: '__ei_close' defined but not used [-Wunused-function] /kisskb/src/drivers/net/ethernet/8390/lib8390.c:254:13: warning: '__ei_tx_timeout' defined but not used [-Wunused-function] /kisskb/src/drivers/net/ethernet/8390/lib8390.c:300:20: warning: '__ei_start_xmit' defined but not used [-Wunused-function] /kisskb/src/drivers/net/ethernet/8390/lib8390.c:509:13: warning: '__ei_poll' defined but not used [-Wunused-function] /kisskb/src/drivers/net/ethernet/8390/lib8390.c:850:33: warning: '__ei_get_stats' defined but not used [-Wunused-function] /kisskb/src/drivers/net/ethernet/8390/lib8390.c:950:13: warning: '__ei_set_multicast_list' defined but not used [-Wunused-function] /kisskb/src/drivers/net/ethernet/8390/lib8390.c:988:27: warning: '____alloc_ei_netdev' defined but not used [-Wunused-function] /kisskb/src/fs/ocfs2/file.c: In function 'ocfs2_file_write_iter': /kisskb/src/fs/ocfs2/file.c:2372:3: warning: value computed is not used [-Wunused-value] /kisskb/src/fs/udf/unicode.c: In function 'udf_name_conv_char': /kisskb/src/fs/udf/unicode.c:132:8: warning: 'c' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/macsec.c: In function 'macsec_del_rxsa': /kisskb/src/drivers/net/macsec.c:1918:2: warning: 'assoc_num' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/macsec.c:1918:2: warning: 'rx_sc' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/macsec.c: In function 'macsec_del_txsa': /kisskb/src/drivers/net/macsec.c:1995:2: warning: 'assoc_num' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/macsec.c:1995:2: warning: 'tx_sc' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/macsec.c: In function 'macsec_upd_txsa': /kisskb/src/drivers/net/macsec.c:2060:5: warning: 'assoc_num' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/macsec.c:2060:24: warning: 'tx_sc' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/macsec.c:2061:21: warning: 'secy' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/tun.c: In function 'tun_get_user': /kisskb/src/drivers/net/tun.c:1831:30: warning: 'copylen' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/tun.c:1524:31: warning: 'linear' may be used uninitialized in this function [-Wuninitialized] /kisskb/src/drivers/net/tun.c:1744:46: note: 'linear' was declared here /kisskb/src/fs/posix_acl.c: In function 'get_acl': /kisskb/src/fs/posix_acl.c:148:3: warning: value computed is not used [-Wunused-value] Completed OK # rm -rf /kisskb/build/powerpc-fixes_m68k-defconfig_m68k # Build took: 0:01:20.676207