[UBUNTU 20.04] KVM: s390: pv: don't allow userspace to set the clock under PV - kernel part

Bug #1999882 reported by bugproxy
This bug affects 1 person
Affects                  Status        Importance  Assigned to            Milestone
Ubuntu on IBM z Systems  Fix Released  High        Skipper Bug Screeners
linux (Ubuntu)           Fix Released  High        Skipper Bug Screeners
Focal                    Fix Released  Medium      Unassigned
Jammy                    Fix Released  Medium      Unassigned
Kinetic                  Fix Released  Medium      Unassigned
Lunar                    Fix Released  High        Skipper Bug Screeners

Bug Description

Description: KVM: s390: pv: don't allow userspace to set the clock under PV

Symptom: Timer issues and RCU stalls after suspending and resuming an IBM Secure Execution guest

Problem: KVM and QEMU try to set the guest's TOD clock after resume under PV, even though that is not permitted under SE.
               Hence, their view of the guest clock may deviate from the ultravisor's, possibly causing KVM to re-dispatch the
               guest too late on clock comparator interrupts.

Solution: Don't set the clock after resume under PV. Note that kernel and QEMU patches are required in lockstep,
               to avoid a warning message in QEMU.

Reproduction: 1. Start SE guest using libvirt.
               2. Pause the guest using "virsh suspend", wait for a few
                  seconds, resume using "virsh resume".
               3. Run "time sleep 1" in the guest.
               4. The sleep will sleep much longer than one second.

Upstream-ID: 6973091d1b50ab4042f6a2d495f59e9db3662ab8

Preventive fix: yes

Author: Nico Boehr <email address hidden>

Please note that fixing the described problem requires patches for the kernel as well as for QEMU.
This bug covers the kernel part, whereas the required QEMU part is described and handled in the following related bug:

   Bug 200901 - [UBUNTU 20.04] KVM: s390: pv: don't allow userspace to set the clock under PV - qemu part

Both parts, the kernel and the qemu patches, should be applied / released at the same time to avoid problems resulting in the following warning message for customers:
   'warning: Unable to set KVM guest TOD clock: Operation not supported'
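
The reproduction steps in the description can be scripted to check a candidate kernel and QEMU pair. This is an added example, not part of the original report: the function names, the ssh access to the guest and the log path argument are assumptions, and the SE guest is expected to be running already.

```shell
# Added example (not from the bug report). Assumptions: the guest is reachable
# over ssh as "$2", and "$3" is the domain's QEMU log (libvirt's default
# location is /var/log/libvirt/qemu/<domain>.log).
TOD_WARNING='Unable to set KVM guest TOD clock: Operation not supported'

# Number of times the QEMU warning quoted in the report occurs in a log file.
tod_warning_count() {
    local n
    n=$(grep -cF -- "$TOD_WARNING" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Steps 2-3 of the reproduction: suspend, wait, resume, then run "sleep 1" in
# the guest. Prints the elapsed seconds measured on the host, because the
# guest's own clock is the thing under test.
timed_guest_sleep() {
    local domain="$1" guest="$2" pause="$3" start end
    virsh suspend "$domain" >/dev/null || return 2
    sleep "$pause"
    virsh resume "$domain" >/dev/null || return 2
    start=$(date +%s)
    ssh "$guest" 'sleep 1' || return 2
    end=$(date +%s)
    echo $((end - start))
}

# Prints one verdict: ok | late-timers | qemu-warning | error
check_pv_resume() {
    local domain="$1" guest="$2" log="$3" pause="${4:-10}" max="${5:-3}"
    local before after elapsed
    before=$(tod_warning_count "$log")
    elapsed=$(timed_guest_sleep "$domain" "$guest" "$pause") ||
        { echo error; return 2; }
    after=$(tod_warning_count "$log")
    if [ "$elapsed" -gt "$max" ]; then
        echo late-timers      # symptom from the report: sleep overshoots
        return 1
    fi
    if [ "$after" -gt "$before" ]; then
        echo qemu-warning     # kernel refuses the TOD set, QEMU still tries
        return 1
    fi
    echo ok
}
```

A `qemu-warning` verdict corresponds to the situation the report warns about: the kernel part is installed without the matching QEMU part.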

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-200889 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes) wrote :

Commit 6973091d1b50 got upstream accepted with v6.1-rc5,
so lunar will have the fix incl., once it's on its target kernel 6.2.
Marking kinetic, jammy and focal as affected releases.

Changed in linux (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
status: New → Triaged
Changed in linux (Ubuntu):
status: New → Triaged
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu Lunar):
status: Triaged → Confirmed
Changed in linux (Ubuntu Focal):
status: New → Triaged
Changed in linux (Ubuntu Jammy):
status: New → Triaged
Changed in linux (Ubuntu Kinetic):
status: New → Triaged
Roxana Nicolescu (roxanan) wrote :

Already pushed from upstream for current cycle (2023.01.30) for
kinetic and jammy
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2001726
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2001570

I will push the fix for focal as well, but it will be there in the next cycle.

Frank Heimes (fheimes) wrote :

Thx Roxana, with that I'm updating the affected 'L' series to 'In Progress', 'K' and 'J' to 'Fix Committed' and 'F' to New.

Changed in linux (Ubuntu Lunar):
status: Confirmed → In Progress
Changed in linux (Ubuntu Kinetic):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Jammy):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Focal):
status: Triaged → New
Changed in ubuntu-z-systems:
status: Triaged → Confirmed
status: Confirmed → In Progress
bugproxy (bugproxy)
tags: added: targetmilestone-inin2004
removed: targetmilestone-inin---
Stefan Bader (smb)
Changed in linux (Ubuntu Kinetic):
importance: Undecided → Medium
Changed in linux (Ubuntu Jammy):
importance: Undecided → Medium
Changed in linux (Ubuntu Focal):
status: New → In Progress
importance: Undecided → Medium
Stefan Bader (smb)
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-145.162 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux verification-needed-focal
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-03-07 03:55 EDT-------
Bug has been verified and is fixed with 5.4.0-145.162.

tags: added: verification-done-focal
removed: verification-needed-focal
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-03-07 04:01 EDT-------
(In reply to comment #11)
> Bug has been verified and is fixed with 5.4.0-145.162.

Please note that the QEMU fix from LP 1999885 is still missing. We recommend releasing both fixes at the same time. Otherwise customers may get this warning message:

warning: Unable to set KVM guest TOD clock: Operation not supported

Frank Heimes (fheimes)
Changed in linux (Ubuntu Lunar):
status: In Progress → Fix Released
Frank Heimes (fheimes) wrote :

Commit 6973091d1b50ab4042f6a2d495f59e9db3662ab8 "KVM: s390: pv: don't allow userspace to set the clock under PV" has landed meanwhile in
- kinetic as 794f9867e476 with Ubuntu-5.19.0-34.35
- jammy as 5a83a4c11e53 with Ubuntu-5.15.0-65.72 and
- focal as f9d1f5d70044 with Ubuntu-5.4.0-145.162

Since we have:
5.15.0.67.65 | jammy-updates
5.19.0.38.34 | kinetic-updates
I'm updating the status for jammy and kinetic to Fix Released.

The updated focal kernel is still in -proposed:
5.4.0.146.144 | focal-proposed
(hence staying here for now with Fix Committed).

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-146.163

---------------
linux (5.4.0-146.163) focal; urgency=medium

  * focal/linux: 5.4.0-146.163 -proposed tracker (LP: #2012094)

  * NFS deathlock with last Kernel 5.4.0-144.161 and 5.15.0-67.74 (LP: #2009325)
    - NFS: Correct timing for assigning access cache timestamp

linux (5.4.0-145.162) focal; urgency=medium

  * focal/linux: 5.4.0-145.162 -proposed tracker (LP: #2008389)

  * [SRU]Update ice driver to support E823 devices (LP: #1986717)
    - ice: Add device ids for E822 devices
    - ice: add support for E823 devices

  * btrfs/154: rename fails with EOVERFLOW when calculating item size during
    item key collision (LP: #2004132)
    - btrfs: correctly calculate item size used when item key collision happens

  * rtcpie in timers from ubuntu_kernel_selftests randomly failing
    (LP: #1814234)
    - SAUCE: selftest: rtcpie: Force passing unreliable subtest

  * [UBUNTU 20.04] KVM: s390: pv: don't allow userspace to set the clock under
    PV - kernel part (LP: #1999882)
    - KVM: s390x: fix SCK locking
    - KVM: s390: pv: don't allow userspace to set the clock under PV

  * CVE-2021-3669
    - ipc: replace costly bailout check in sysvipc_find_ipc()

  * net:fcnal-test.sh 'nettest' command not found on F/K (LP: #2006391)
    - selftests/net: Find nettest in current directory

  * xfs: Preallocated ioend transactions cause deadlock due to log buffer
    exhaustion (LP: #2007219)
    - xfs: drop submit side trans alloc for append ioends

  * CVE-2022-4382
    - USB: gadgetfs: Fix race between mounting and unmounting

  * CVE-2022-2196
    - KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

  * ubuntu_kernel_selftests: net:udpgso_bench.sh failed (LP: #1951447)
    - selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs

  * net:fcnal-test.sh didn't return a non-zero value even with some sub-tests
    failed (LP: #2006692)
    - selftests: net/fcnal-test.sh: add exit code

  * Fix selftests/ftracetests/Meta-selftests in Focal (LP: #2006453)
    - SAUCE: Fix ftrace/Meta-selftests bashism check

  * CVE-2023-23559
    - wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

 -- Luke Nowakowski-Krijger <email address hidden> Fri, 17 Mar 2023 11:08:20 -0700

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws/5.4.0-1100.108 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-aws verification-needed-focal
removed: verification-done-focal
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/5.4.0-1106.112 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-azure
Frank Heimes (fheimes)
tags: added: verification-done-focal
removed: verification-needed-focal
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-03-31 08:03 EDT-------
As far as I am aware, this bug does not apply to linux-aws or linux-azure.

Frank Heimes (fheimes) wrote :

@Nico, yes, that's correct - that is unfortunately an issue with our kernel verification and test automation - please ignore, since this LP bug is closed (as Fix Released) anyway.

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1060.66 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-bluefield verification-needed-focal
removed: verification-done-focal
Frank Heimes (fheimes) wrote :

This bug is not related to bluefield, hence setting focal verification again to done, to unblock.

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-xilinx-zynqmp/5.4.0-1023.27 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-xilinx-zynqmp
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-04-14 05:09 EDT-------
This bug is not related to xilinx, hence setting focal verification again to done, to unblock.

tags: added: verification-done-focal
removed: verification-needed-focal