# git rev-parse -q --verify a8318c13e79badb92bc6640704a64cc022a6eb97^{commit}
a8318c13e79badb92bc6640704a64cc022a6eb97
already have revision, skipping fetch
# git checkout -q -f -B kisskb a8318c13e79badb92bc6640704a64cc022a6eb97
# git clean -qxdf
# < git log -1
# commit a8318c13e79badb92bc6640704a64cc022a6eb97
# Author: Gustavo Romero <gromero@linux.ibm.com>
# Date:   Wed Sep 4 00:55:28 2019 -0400
# 
#     powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts
#     
#     When in userspace and MSR FP=0 the hardware FP state is unrelated to
#     the current process. This is extended for transactions where if tbegin
#     is run with FP=0, the hardware checkpoint FP state will also be
#     unrelated to the current process. Due to this, we need to ensure this
#     hardware checkpoint is updated with the correct state before we enable
#     FP for this process.
#     
#     Unfortunately we get this wrong when returning to a process from a
#     hardware interrupt. A process that starts a transaction with FP=0 can
#     take an interrupt. When the kernel returns back to that process, we
#     change to FP=1 but with hardware checkpoint FP state not updated. If
#     this transaction is then rolled back, the FP registers now contain the
#     wrong state.
#     
#     The process looks like this:
#        Userspace:                      Kernel
#     
#                    Start userspace
#                     with MSR FP=0 TM=1
#                       < -----
#        ...
#        tbegin
#        bne
#                    Hardware interrupt
#                        ---- >
#                                         <do_IRQ...>
#                                         ....
#                                         ret_from_except
#                                           restore_math()
#                                             /* sees FP=0 */
#                                             restore_fp()
#                                               tm_active_with_fp()
#                                                 /* sees FP=1 (Incorrect) */
#                                               load_fp_state()
#                                             FP = 0 -> 1
#                       < -----
#                    Return to userspace
#                      with MSR TM=1 FP=1
#                      with junk in the FP TM checkpoint
#        TM rollback
#        reads FP junk
#     
#     When returning from the hardware exception, tm_active_with_fp() is
#     incorrectly making restore_fp() call load_fp_state() which is setting
#     FP=1.
#     
#     The fix is to remove tm_active_with_fp().
#     
#     tm_active_with_fp() is attempting to handle the case where FP state
#     has been changed inside a transaction. In this case the checkpointed
#     and transactional FP state is different and hence we must restore the
#     FP state (ie. we can't do lazy FP restore inside a transaction that's
#     used FP). It's safe to remove tm_active_with_fp() as this case is
#     handled by restore_tm_state(). restore_tm_state() detects if FP has
#     been using inside a transaction and will set load_fp and call
#     restore_math() to ensure the FP state (checkpoint and transaction) is
#     restored.
#     
#     This is a data integrity problem for the current process as the FP
#     registers are corrupted. It's also a security problem as the FP
#     registers from one process may be leaked to another.
#     
#     Similarly for VMX.
#     
#     A simple testcase to replicate this will be posted to
#     tools/testing/selftests/powerpc/tm/tm-poison.c
#     
#     This fixes CVE-2019-15031.
#     
#     Fixes: a7771176b439 ("powerpc: Don't enable FP/Altivec if not checkpointed")
#     Cc: stable@vger.kernel.org # 4.15+
#     Signed-off-by: Gustavo Romero <gromero@linux.ibm.com>
#     Signed-off-by: Michael Neuling <mikey@neuling.org>
#     Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
#     Link: https://lore.kernel.org/r/20190904045529.23002-2-gromero@linux.vnet.ibm.com
# < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version
# < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version
# < git log --format=%s --max-count=1 a8318c13e79badb92bc6640704a64cc022a6eb97
# < make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-fixes_pseries_le_defconfig+NO_SPLPAR_ppc64le-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-  pseries_le_defconfig
# Added to kconfig CONFIG_PPC_SPLPAR=n
# yes \n | make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-fixes_pseries_le_defconfig+NO_SPLPAR_ppc64le-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-  oldconfig
yes: standard output: Broken pipe
# make -s -j 120 ARCH=powerpc O=/kisskb/build/powerpc-fixes_pseries_le_defconfig+NO_SPLPAR_ppc64le-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-  
/kisskb/src/kernel/futex.c: In function 'do_futex':
/kisskb/src/kernel/futex.c:1676:17: warning: 'oldval' may be used uninitialized in this function [-Wmaybe-uninitialized]
   return oldval == cmparg;
                 ^
/kisskb/src/kernel/futex.c:1651:6: note: 'oldval' was declared here
  int oldval, ret;
      ^
WARNING: vmlinux.o(.text+0x2e0c): Section mismatch in reference from the variable __boot_from_prom to the function .init.text:prom_init()
The function __boot_from_prom() references
the function __init prom_init().
This is often because __boot_from_prom lacks a __init 
annotation or the annotation of prom_init is wrong.

WARNING: vmlinux.o(.text+0x2fd0): Section mismatch in reference from the variable start_here_common to the function .init.text:start_kernel()
The function start_here_common() references
the function __init start_kernel().
This is often because start_here_common lacks a __init 
annotation or the annotation of start_kernel is wrong.

Completed OK
# rm -rf /kisskb/build/powerpc-fixes_pseries_le_defconfig+NO_SPLPAR_ppc64le-gcc5
# Build took: 0:01:30.794221