# git rev-parse -q --verify a8318c13e79badb92bc6640704a64cc022a6eb97^{commit} a8318c13e79badb92bc6640704a64cc022a6eb97 already have revision, skipping fetch # git checkout -q -f -B kisskb a8318c13e79badb92bc6640704a64cc022a6eb97 # git clean -qxdf # < git log -1 # commit a8318c13e79badb92bc6640704a64cc022a6eb97 # Author: Gustavo Romero # Date: Wed Sep 4 00:55:28 2019 -0400 # # powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts # # When in userspace and MSR FP=0 the hardware FP state is unrelated to # the current process. This is extended for transactions where if tbegin # is run with FP=0, the hardware checkpoint FP state will also be # unrelated to the current process. Due to this, we need to ensure this # hardware checkpoint is updated with the correct state before we enable # FP for this process. # # Unfortunately we get this wrong when returning to a process from a # hardware interrupt. A process that starts a transaction with FP=0 can # take an interrupt. When the kernel returns back to that process, we # change to FP=1 but with hardware checkpoint FP state not updated. If # this transaction is then rolled back, the FP registers now contain the # wrong state. # # The process looks like this: # Userspace: Kernel # # Start userspace # with MSR FP=0 TM=1 # < ----- # ... # tbegin # bne # Hardware interrupt # ---- > # # .... # ret_from_except # restore_math() # /* sees FP=0 */ # restore_fp() # tm_active_with_fp() # /* sees FP=1 (Incorrect) */ # load_fp_state() # FP = 0 -> 1 # < ----- # Return to userspace # with MSR TM=1 FP=1 # with junk in the FP TM checkpoint # TM rollback # reads FP junk # # When returning from the hardware exception, tm_active_with_fp() is # incorrectly making restore_fp() call load_fp_state() which is setting # FP=1. # # The fix is to remove tm_active_with_fp(). # # tm_active_with_fp() is attempting to handle the case where FP state # has been changed inside a transaction. 
In this case the checkpointed # and transactional FP state is different and hence we must restore the # FP state (ie. we can't do lazy FP restore inside a transaction that's # used FP). It's safe to remove tm_active_with_fp() as this case is # handled by restore_tm_state(). restore_tm_state() detects if FP has # been used inside a transaction and will set load_fp and call # restore_math() to ensure the FP state (checkpoint and transaction) is # restored. # # This is a data integrity problem for the current process as the FP # registers are corrupted. It's also a security problem as the FP # registers from one process may be leaked to another. # # Similarly for VMX. # # A simple testcase to replicate this will be posted to # tools/testing/selftests/powerpc/tm/tm-poison.c # # This fixes CVE-2019-15031. # # Fixes: a7771176b439 ("powerpc: Don't enable FP/Altivec if not checkpointed") # Cc: stable@vger.kernel.org # 4.15+ # Signed-off-by: Gustavo Romero # Signed-off-by: Michael Neuling # Signed-off-by: Michael Ellerman # Link: https://lore.kernel.org/r/20190904045529.23002-2-gromero@linux.vnet.ibm.com # < /opt/cross/kisskb/korg/gcc-8.1.0-nolibc/s390-linux/bin/s390-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-8.1.0-nolibc/s390-linux/bin/s390-linux-ld --version # < git log --format=%s --max-count=1 a8318c13e79badb92bc6640704a64cc022a6eb97 # < make -s -j 48 ARCH=s390 O=/kisskb/build/powerpc-fixes_s390-defconfig_s390x-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/s390-linux/bin/s390-linux- defconfig # make -s -j 48 ARCH=s390 O=/kisskb/build/powerpc-fixes_s390-defconfig_s390x-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/s390-linux/bin/s390-linux- /kisskb/src/arch/s390/mm/fault.c: In function 'do_fault_error': /kisskb/src/arch/s390/mm/fault.c:328:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (access == VM_EXEC && signal_return(regs) == 0) ^ /kisskb/src/arch/s390/mm/fault.c:330:2: note: here case VM_FAULT_BADMAP: ^~~~ 
/kisskb/src/arch/s390/mm/fault.c:332:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (user_mode(regs)) { ^ /kisskb/src/arch/s390/mm/fault.c:339:2: note: here case VM_FAULT_BADCONTEXT: ^~~~ In file included from /kisskb/src/include/linux/preempt.h:11, from /kisskb/src/include/linux/spinlock.h:51, from /kisskb/src/include/linux/mmzone.h:8, from /kisskb/src/include/linux/gfp.h:6, from /kisskb/src/include/linux/slab.h:15, from /kisskb/src/drivers/s390/crypto/ap_queue.c:13: /kisskb/src/drivers/s390/crypto/ap_queue.c: In function 'ap_sm_recv': /kisskb/src/include/linux/list.h:577:2: warning: this statement may fall through [-Wimplicit-fallthrough=] for (pos = list_first_entry(head, typeof(*pos), member); \ ^~~ /kisskb/src/drivers/s390/crypto/ap_queue.c:147:3: note: in expansion of macro 'list_for_each_entry' list_for_each_entry(ap_msg, &aq->pendingq, list) { ^~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/s390/crypto/ap_queue.c:155:2: note: here case AP_RESPONSE_NO_PENDING_REPLY: ^~~~ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c: In function 'convert_response_ep11_xcrb': /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:871:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (msg->cprbx.cprb_ver_id == 0x04) ^ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:874:2: note: here default: /* Unknown response type, this should NEVER EVER happen */ ^~~~~~~ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c: In function 'convert_response_rng': /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:901:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (msg->cprbx.cprb_ver_id == 0x02) ^ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:907:2: note: here default: /* Unknown response type, this should NEVER EVER happen */ ^~~~~~~ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c: In function 'convert_response_xcrb': /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:838:6: warning: this statement may fall through 
[-Wimplicit-fallthrough=] if (msg->cprbx.cprb_ver_id == 0x02) ^ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:844:2: note: here default: /* Unknown response type, this should NEVER EVER happen */ ^~~~~~~ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c: In function 'convert_response_ica': /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:801:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (msg->cprbx.cprb_ver_id == 0x02) ^ /kisskb/src/drivers/s390/crypto/zcrypt_msgtype6.c:808:2: note: here default: /* Unknown response type, this should NEVER EVER happen */ ^~~~~~~ /kisskb/src/drivers/s390/net/qeth_l2_main.c: In function 'qeth_l2_process_inbound_buffer': /kisskb/src/drivers/s390/net/qeth_l2_main.c:328:7: warning: this statement may fall through [-Wimplicit-fallthrough=] if (IS_OSN(card)) { ^ /kisskb/src/drivers/s390/net/qeth_l2_main.c:337:3: note: here default: ^~~~~~~ /kisskb/src/drivers/s390/char/con3215.c: In function 'raw3215_irq': /kisskb/src/drivers/s390/char/con3215.c:399:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (dstat == 0x08) ^ /kisskb/src/drivers/s390/char/con3215.c:401:2: note: here case 0x04: ^~~~ /kisskb/src/drivers/s390/net/ctcm_fsms.c: In function 'ctcmpc_chx_attnbusy': /kisskb/src/drivers/s390/net/ctcm_fsms.c:1703:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (grp->changed_side == 1) { ^ /kisskb/src/drivers/s390/net/ctcm_fsms.c:1707:2: note: here case MPCG_STATE_XID0IOWAIX: ^~~~ /kisskb/src/drivers/s390/net/ctcm_mpc.c: In function 'ctc_mpc_alloc_channel': /kisskb/src/drivers/s390/net/ctcm_mpc.c:358:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (callback) ^ /kisskb/src/drivers/s390/net/ctcm_mpc.c:360:2: note: here case MPCG_STATE_XID0IOWAIT: ^~~~ /kisskb/src/drivers/s390/net/ctcm_mpc.c: In function 'mpc_action_timeout': /kisskb/src/drivers/s390/net/ctcm_mpc.c:1469:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if 
((fsm_getstate(rch->fsm) == CH_XID0_PENDING) && ^ /kisskb/src/drivers/s390/net/ctcm_mpc.c:1472:2: note: here default: ^~~~~~~ /kisskb/src/drivers/s390/net/ctcm_mpc.c: In function 'mpc_send_qllc_discontact': /kisskb/src/drivers/s390/net/ctcm_mpc.c:2087:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (grp->estconnfunc) { ^ /kisskb/src/drivers/s390/net/ctcm_mpc.c:2092:2: note: here case MPCG_STATE_FLOWC: ^~~~ In file included from /kisskb/src/drivers/s390/char/tape.h:17, from /kisskb/src/drivers/s390/char/tape_core.c:29: /kisskb/src/drivers/s390/char/tape_core.c: In function '__tape_do_irq': /kisskb/src/arch/s390/include/asm/debug.h:248:2: warning: this statement may fall through [-Wimplicit-fallthrough=] __ret; \ ^~~~~ /kisskb/src/drivers/s390/char/tape.h:34:2: note: in expansion of macro 'debug_sprintf_event' debug_sprintf_event(TAPE_DBF_AREA, level, str, ## __VA_ARGS__); \ ^~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/s390/char/tape_core.c:1117:5: note: in expansion of macro 'DBF_LH' DBF_LH(1, "(%08x): Request timed out\n", ^~~~~~ /kisskb/src/drivers/s390/char/tape_core.c:1119:4: note: here case -EIO: ^~~~ /kisskb/src/drivers/s390/char/tape_core.c: In function 'tape_generic_remove': /kisskb/src/drivers/s390/char/tape_core.c:679:4: warning: this statement may fall through [-Wimplicit-fallthrough=] tape_state_set(device, TS_NOT_OPER); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/s390/char/tape_core.c:680:3: note: here case TS_NOT_OPER: ^~~~ /kisskb/src/drivers/s390/char/tape_core.c: In function '__tape_start_request': /kisskb/src/drivers/s390/char/tape_core.c:950:7: warning: this statement may fall through [-Wimplicit-fallthrough=] if (device->tape_state == TS_UNUSED) ^ /kisskb/src/drivers/s390/char/tape_core.c:952:3: note: here default: ^~~~~~~ /kisskb/src/net/iucv/af_iucv.c: In function 'afiucv_hs_rcv': /kisskb/src/net/iucv/af_iucv.c:2246:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (skb->len == 
sizeof(struct af_iucv_trans_hdr)) { ^ /kisskb/src/net/iucv/af_iucv.c:2251:2: note: here case (AF_IUCV_FLAG_SHT): ^~~~ /kisskb/src/net/iucv/af_iucv.c: In function 'iucv_sock_close': /kisskb/src/net/iucv/af_iucv.c:510:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (iucv->transport == AF_IUCV_TRANS_HIPER) { ^ /kisskb/src/net/iucv/af_iucv.c:515:2: note: here case IUCV_DISCONN: /* fall through */ ^~~~ /kisskb/src/net/iucv/af_iucv.c:519:6: warning: this statement may fall through [-Wimplicit-fallthrough=] if (!err && !skb_queue_empty(&iucv->send_skb_q)) { ^ /kisskb/src/net/iucv/af_iucv.c:529:2: note: here case IUCV_CLOSING: /* fall through */ ^~~~ /kisskb/src/net/iucv/af_iucv.c:537:3: warning: this statement may fall through [-Wimplicit-fallthrough=] skb_queue_purge(&iucv->backlog_skb_q); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/net/iucv/af_iucv.c:539:2: note: here default: /* fall through */ ^~~~~~~ In file included from /kisskb/src/include/linux/kernel.h:15, from /kisskb/src/arch/s390/include/asm/bug.h:5, from /kisskb/src/include/linux/bug.h:5, from /kisskb/src/include/linux/scatterlist.h:7, from /kisskb/src/drivers/scsi/libsas/sas_discover.c:9: /kisskb/src/drivers/scsi/libsas/sas_discover.c: In function 'sas_discover_domain': /kisskb/src/include/linux/printk.h:309:2: warning: this statement may fall through [-Wimplicit-fallthrough=] printk(KERN_NOTICE pr_fmt(fmt), ##__VA_ARGS__) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/scsi/libsas/sas_discover.c:459:3: note: in expansion of macro 'pr_notice' pr_notice("ATA device seen but CONFIG_SCSI_SAS_ATA=N so cannot attach\n"); ^~~~~~~~~ /kisskb/src/drivers/scsi/libsas/sas_discover.c:462:2: note: here default: ^~~~~~~ /kisskb/src/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c: In function 'mlx5e_open_xsk': /kisskb/src/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c:127:1: warning: the frame size of 1312 bytes is larger than 1024 bytes 
[-Wframe-larger-than=] } ^ Completed OK # rm -rf /kisskb/build/powerpc-fixes_s390-defconfig_s390x-gcc8 # Build took: 0:04:23.059604