# git rev-parse -q --verify a8318c13e79badb92bc6640704a64cc022a6eb97^{commit}
a8318c13e79badb92bc6640704a64cc022a6eb97
already have revision, skipping fetch
# git checkout -q -f -B kisskb a8318c13e79badb92bc6640704a64cc022a6eb97
# git clean -qxdf
# < git log -1
# commit a8318c13e79badb92bc6640704a64cc022a6eb97
# Author: Gustavo Romero <gromero@linux.ibm.com>
# Date:   Wed Sep 4 00:55:28 2019 -0400
# 
#     powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts
#     
#     When in userspace and MSR FP=0 the hardware FP state is unrelated to
#     the current process. This is extended for transactions where if tbegin
#     is run with FP=0, the hardware checkpoint FP state will also be
#     unrelated to the current process. Due to this, we need to ensure this
#     hardware checkpoint is updated with the correct state before we enable
#     FP for this process.
#     
#     Unfortunately we get this wrong when returning to a process from a
#     hardware interrupt. A process that starts a transaction with FP=0 can
#     take an interrupt. When the kernel returns back to that process, we
#     change to FP=1 but with hardware checkpoint FP state not updated. If
#     this transaction is then rolled back, the FP registers now contain the
#     wrong state.
#     
#     The process looks like this:
#        Userspace:                      Kernel
#     
#                    Start userspace
#                     with MSR FP=0 TM=1
#                       < -----
#        ...
#        tbegin
#        bne
#                    Hardware interrupt
#                        ---- >
#                                         <do_IRQ...>
#                                         ....
#                                         ret_from_except
#                                           restore_math()
#                                             /* sees FP=0 */
#                                             restore_fp()
#                                               tm_active_with_fp()
#                                                 /* sees FP=1 (Incorrect) */
#                                               load_fp_state()
#                                             FP = 0 -> 1
#                       < -----
#                    Return to userspace
#                      with MSR TM=1 FP=1
#                      with junk in the FP TM checkpoint
#        TM rollback
#        reads FP junk
#     
#     When returning from the hardware exception, tm_active_with_fp() is
#     incorrectly making restore_fp() call load_fp_state() which is setting
#     FP=1.
#     
#     The fix is to remove tm_active_with_fp().
#     
#     tm_active_with_fp() is attempting to handle the case where FP state
#     has been changed inside a transaction. In this case the checkpointed
#     and transactional FP state is different and hence we must restore the
#     FP state (ie. we can't do lazy FP restore inside a transaction that's
#     used FP). It's safe to remove tm_active_with_fp() as this case is
#     handled by restore_tm_state(). restore_tm_state() detects if FP has
#     been using inside a transaction and will set load_fp and call
#     restore_math() to ensure the FP state (checkpoint and transaction) is
#     restored.
#     
#     This is a data integrity problem for the current process as the FP
#     registers are corrupted. It's also a security problem as the FP
#     registers from one process may be leaked to another.
#     
#     Similarly for VMX.
#     
#     A simple testcase to replicate this will be posted to
#     tools/testing/selftests/powerpc/tm/tm-poison.c
#     
#     This fixes CVE-2019-15031.
#     
#     Fixes: a7771176b439 ("powerpc: Don't enable FP/Altivec if not checkpointed")
#     Cc: stable@vger.kernel.org # 4.15+
#     Signed-off-by: Gustavo Romero <gromero@linux.ibm.com>
#     Signed-off-by: Michael Neuling <mikey@neuling.org>
#     Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
#     Link: https://lore.kernel.org/r/20190904045529.23002-2-gromero@linux.vnet.ibm.com
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/mips-linux/bin/mips-linux-gcc --version
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/mips-linux/bin/mips-linux-ld --version
# < git log --format=%s --max-count=1 a8318c13e79badb92bc6640704a64cc022a6eb97
# < make -s -j 32 ARCH=mips O=/kisskb/build/powerpc-fixes_mips-defconfig_mips CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/mips-linux/bin/mips-linux-  defconfig
# make -s -j 32 ARCH=mips O=/kisskb/build/powerpc-fixes_mips-defconfig_mips CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/mips-linux/bin/mips-linux-  
/kisskb/src/arch/mips/vdso/Makefile:39: MIPS VDSO requires binutils >= 2.25
<stdin>:1511:2: warning: #warning syscall clone3 not implemented [-Wcpp]
/kisskb/src/arch/mips/vdso/Makefile:39: MIPS VDSO requires binutils >= 2.25
/kisskb/src/fs/proc/inode.c: In function 'proc_reg_open':
/kisskb/src/include/linux/list.h:65:12: warning: 'pdeo' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c:338:21: note: 'pdeo' was declared here
/kisskb/src/net/bridge/br_netlink.c: In function 'br_afspec.isra.20':
/kisskb/src/net/bridge/br_netlink.c:648:7: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/printk/printk.c: In function 'devkmsg_sysctl_set_loglvl':
/kisskb/src/kernel/printk/printk.c:194:16: warning: 'old' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/rcu/srcutree.c: In function 'init_srcu_struct_fields':
/kisskb/src/kernel/rcu/srcutree.c:140:32: warning: 'levelspread[<U9780>]' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/rcu/srcutree.c:88:6: note: 'levelspread[<U9780>]' was declared here
/kisskb/src/drivers/base/regmap/regmap.c: In function '_regmap_raw_write':
/kisskb/src/drivers/base/regmap/regmap.c:1852:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/base/regmap/regmap.c: In function 'regmap_raw_read':
/kisskb/src/drivers/base/regmap/regmap.c:2591:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/net/core/devlink.c: In function 'devlink_fmsg_prepare_skb':
/kisskb/src/net/core/devlink.c:4443:6: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/tty/serial/8250/8250_core.c: In function 'univ8250_release_irq':
/kisskb/src/drivers/tty/serial/8250/8250_core.c:248:18: warning: 'i' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/tty/serial/8250/8250_core.c:228:19: note: 'i' was declared here
/kisskb/src/drivers/usb/core/devio.c: In function 'async_completed':
/kisskb/src/drivers/usb/core/devio.c:613:23: warning: 'errno' may be used uninitialized in this function [-Wuninitialized]
<stdin>:1511:2: warning: #warning syscall clone3 not implemented [-Wcpp]
/kisskb/src/arch/mips/vdso/Makefile:39: MIPS VDSO requires binutils >= 2.25
/kisskb/src/kernel/printk/printk.c: In function 'devkmsg_sysctl_set_loglvl':
/kisskb/src/kernel/printk/printk.c:194:16: warning: 'old' may be used uninitialized in this function [-Wuninitialized]
FIT description: Linux 5.3.0-rc2-ga8318c13e79b
Created:         Wed Sep  4 23:40:03 2019
 Image 0 (kernel@0)
  Description:  Linux 5.3.0-rc2-ga8318c13e79b
  Created:      Wed Sep  4 23:40:03 2019
  Type:         Kernel Image
  Compression:  gzip compressed
  Data Size:    4526060 Bytes = 4419.98 KiB = 4.32 MiB
  Architecture: MIPS
  OS:           Linux
  Load Address: 0x80100000
  Entry Point:  0x80860ed0
  Hash algo:    sha1
  Hash value:   2cc13630d282d96d807f899108563a06efc51ce3
 Image 1 (fdt@boston)
  Description:  img,boston Device Tree
  Created:      Wed Sep  4 23:40:03 2019
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    3793 Bytes = 3.70 KiB = 0.00 MiB
  Architecture: MIPS
  Hash algo:    sha1
  Hash value:   4799f50d688573234da6e9d7701234d394759ef4
 Image 2 (fdt@ni169445)
  Description:  NI 169445 device tree
  Created:      Wed Sep  4 23:40:03 2019
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    1871 Bytes = 1.83 KiB = 0.00 MiB
  Architecture: MIPS
  Hash algo:    sha1
  Hash value:   51b89b31605ee62038c8468c429af091dfc75ec7
 Image 3 (fdt@ocelot_pcb123)
  Description:  MSCC Ocelot PCB123 Device Tree
  Created:      Wed Sep  4 23:40:03 2019
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    4615 Bytes = 4.51 KiB = 0.00 MiB
  Architecture: MIPS
  Hash algo:    sha1
  Hash value:   8754eadee600cac22c9c34884cd901aac7e95e8a
 Image 4 (fdt@ocelot_pcb120)
  Description:  MSCC Ocelot PCB120 Device Tree
  Created:      Wed Sep  4 23:40:03 2019
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    5174 Bytes = 5.05 KiB = 0.00 MiB
  Architecture: MIPS
  Hash algo:    sha1
  Hash value:   1ab7d0871c0a9345c6269fb491bf028224da8256
 Image 5 (fdt@xilfpga)
  Description:  MIPSfpga (xilfpga) Device Tree
  Created:      Wed Sep  4 23:40:03 2019
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    2708 Bytes = 2.64 KiB = 0.00 MiB
  Architecture: MIPS
  Hash algo:    sha1
  Hash value:   63d058b780f65e22da30f0a183433765f1807f1d
 Default Configuration: 'conf@default'
 Configuration 0 (conf@default)
  Description:  Generic Linux kernel
  Kernel:       kernel@0
 Configuration 1 (conf@boston)
  Description:  Boston Linux kernel
  Kernel:       kernel@0
  FDT:          fdt@boston
 Configuration 2 (conf@ni169445)
  Description:  NI 169445 Linux Kernel
  Kernel:       kernel@0
  FDT:          fdt@ni169445
 Configuration 3 (conf@ocelot_pcb123)
  Description:  Ocelot Linux kernel
  Kernel:       kernel@0
  FDT:          fdt@ocelot_pcb123
 Configuration 4 (conf@ocelot_pcb120)
  Description:  Ocelot Linux kernel
  Kernel:       kernel@0
  FDT:          fdt@ocelot_pcb120
 Configuration 5 (conf@xilfpga)
  Description:  MIPSfpga Linux kernel
  Kernel:       kernel@0
  FDT:          fdt@xilfpga
Completed OK
# rm -rf /kisskb/build/powerpc-fixes_mips-defconfig_mips
# Build took: 0:01:44.219109