seabios missing NMI disable in rtc_mask()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | High | Heitor Alves de Siqueira |
Mitaka | Fix Committed | High | Heitor Alves de Siqueira |
seabios (Ubuntu) | Fix Released | High | Heitor Alves de Siqueira |
Trusty | Fix Released | High | Heitor Alves de Siqueira |
Xenial | Fix Released | High | Heitor Alves de Siqueira |
Bug Description
[Impact]
On seabios before rel-1.9.0~47, there's a bug in rtc_mask() that can cause VMs to miss interrupts and get stuck in a 'PAUSED' state due to KVM emulation errors.
While reading PORT_CMOS_DATA, an NMI can "steal" execution before the inb() call returns, which effectively leaves the guest waiting on the port read forever. This can then trigger watchdogs, and usually results in a KVM emulation error leaving the VM in the 'PAUSED' state. Since the guest VM is broken due to the missed interrupts, the only way to recover is restarting it.
[Test Plan]
Due to the somewhat small race window involved between the inb() call and an NMI coming in, this issue has been hard to reproduce consistently. Our test plan involves running the fixes in a heavily overcommitted OpenStack compute host where this issue has been reported multiple times, to also validate that no new regressions have been introduced.
[Where problems could occur]
The patch disables NMIs in rtc_mask(), so that it stays consistent with the other rtc_*() functions in seabios/
Since the patch is already present in all Ubuntu releases starting with Bionic and there have been no 'fixes:' tags for this patch upstream, the chance for new regressions should be fairly limited.
[Other Info]
This has been fixed by the following upstream patch:
- 3156b71a535e (rtc: Disable NMI in rtc_mask()) [0]
$ git describe --contains 3156b71a535e661
rel-1.9.0~47
$ rmadison seabios -s trusty-
seabios | 1.7.4-4ubuntu1 | trusty-updates | source, all
seabios | 1.8.2-1ubuntu1 | xenial | source, all
seabios | 1.10.2-1ubuntu1 | bionic | source, all
Releases starting with Bionic already have this fix.
[0] https:/
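The race in the bug description above, as an added example (a simplified model, not the upstream patch or SeaBIOS source): on a PC, bit 7 of the value written to the CMOS index port gates NMI delivery, so a read-modify-write that omits it reads the data port with NMIs still able to fire. The port numbers 0x70/0x71 are the standard CMOS ports; the simulated outb()/inb(), the rtc_mask_unfixed/rtc_mask_fixed names and count_exposed() are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PORT_CMOS_INDEX 0x70
#define PORT_CMOS_DATA  0x71
#define NMI_DISABLE_BIT 0x80   /* bit 7 of the index port gates NMI */

/* Constructed model of the CMOS port pair; no real port I/O happens. */
static uint8_t cmos_ram[128], cmos_index;
static int nmi_masked, exposed_reads;

static void outb(uint8_t val, uint16_t port) {
    if (port == PORT_CMOS_INDEX) {
        nmi_masked = (val & NMI_DISABLE_BIT) != 0;
        cmos_index = val & 0x7f;
    } else if (port == PORT_CMOS_DATA) {
        cmos_ram[cmos_index] = val;
    }
}

static uint8_t inb(uint16_t port) {
    if (port != PORT_CMOS_DATA) return 0xff;
    if (!nmi_masked) exposed_reads++;   /* an NMI could land during this read */
    return cmos_ram[cmos_index];
}

/* Read-modify-write that leaves NMIs enabled (the shape the bug describes). */
static void rtc_mask_unfixed(uint8_t index, uint8_t off, uint8_t on) {
    outb(index, PORT_CMOS_INDEX);
    uint8_t val = inb(PORT_CMOS_DATA);
    outb((uint8_t)((val & ~off) | on), PORT_CMOS_DATA);
}

/* Same operation with the NMI disable bit set before touching the data port. */
static void rtc_mask_fixed(uint8_t index, uint8_t off, uint8_t on) {
    outb(index | NMI_DISABLE_BIT, PORT_CMOS_INDEX);
    uint8_t val = inb(PORT_CMOS_DATA);
    outb((uint8_t)((val & ~off) | on), PORT_CMOS_DATA);
}

/* Run one variant on a constructed register value; return exposed data reads. */
static int count_exposed(void (*mask)(uint8_t, uint8_t, uint8_t)) {
    cmos_ram[0x0b] = 0x70; nmi_masked = 0; exposed_reads = 0;
    mask(0x0b, 0x60, 0x02);
    return exposed_reads;
}

int main(void) {
    printf("unfixed: %d exposed read(s)\n", count_exposed(rtc_mask_unfixed));
    printf("fixed:   %d exposed read(s)\n", count_exposed(rtc_mask_fixed));
    return 0;
}
```

Both variants leave the same value in the register; only the NMI exposure during the data-port read differs.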
Changed in seabios (Ubuntu):
status: Confirmed → Fix Released
Changed in seabios (Ubuntu Trusty):
status: New → In Progress
Changed in seabios (Ubuntu Xenial):
status: New → Confirmed
Changed in seabios (Ubuntu Trusty):
status: In Progress → Confirmed
assignee: nobody → Heitor Alves de Siqueira (halves)
Changed in seabios (Ubuntu Xenial):
assignee: nobody → Heitor Alves de Siqueira (halves)
Changed in seabios (Ubuntu Trusty):
importance: Undecided → High
Changed in seabios (Ubuntu Xenial):
importance: Undecided → High
Changed in cloud-archive:
status: New → Fix Released
importance: Undecided → High
assignee: nobody → Heitor Alves de Siqueira (halves)
Fixes are now available under the "ESM Infrastructure Security" PPA for Trusty and Xenial, according to the versions below:
Trusty -- 1.7.4-4ubuntu1+esm1
Xenial -- 1.8.2-1ubuntu1+esm1