[ssbs-0118] backport SSBS bug (arm64: cpufeature: Detect SSBS and advertise to userspace)

Bug #1911376 reported by Fred Kimmy on 2021-01-13
This bug affects 1 person
Affects           Importance   Assigned to
kunpeng920        Undecided    Ike Panhc
  Ubuntu-18.04    Undecided    Ike Panhc
linux (Ubuntu)    Undecided    Unassigned
  Bionic          Medium       Ike Panhc

Bug Description

[Impact]
The SSBS patch in the 4.14 stable kernel and the mainline kernel adds the snippet
into arm64_cpufeatures, but in the bionic kernel it landed in arm64_elf_hwcaps.

[Fix]
Move SSBS snippet from arm64_elf_hwcaps back to arm64_features

[Test]
No known tool for SSB attack. Regression test only.

[Regression Potential]
Regression might be on all arm64 platforms. Regression test on all arm64 platforms we have is recommended.

=================================
[Bug Description]
Ubuntu 18.04.1 fails to enable this SSBS function; the syslog shows a call trace as follows:

[ 0.662089] Call trace:
[ 0.662870] setup_elf_hwcaps+0xb8/0xd4
[ 0.664023] setup_cpu_features+0x60/0xf8
[ 0.665216] smp_cpus_done+0x34/0xa8
[ 0.666547] smp_init+0x120/0x138
[ 0.667555] kernel_init_freeable+0xf4/0x260
[ 0.668860] kernel_init+0x18/0x110
[ 0.670025] ret_from_fork+0x10/0x18

[Steps to Reproduce]
1) boot this system
2) uname -a
Ubuntu 4.15.0-99.100-generic 4.15.18

[Actual Results]
 boot error:
[ 0.662089] Call trace:
[ 0.662870] setup_elf_hwcaps+0xb8/0xd4
[ 0.664023] setup_cpu_features+0x60/0xf8
[ 0.665216] smp_cpus_done+0x34/0xa8
[ 0.666547] smp_init+0x120/0x138
[ 0.667555] kernel_init_freeable+0xf4/0x260
[ 0.668860] kernel_init+0x18/0x110
[ 0.670025] ret_from_fork+0x10/0x18

[Expected Results]
no error

[Reproducibility]
NA

[Additional information]
(Firmware version, kernel version, affected hardware, etc. if required):
arm64: cpufeature: Detect SSBS and advertise to userspace

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d71be2b6c0e19180b5f80a6d42039cc074a693a2

Backporting the following code into "static const struct arm64_cpu_capabilities arm64_elf_hwcaps[]" will be an error.

#ifdef CONFIG_ARM64_SSBD
	{
		.desc = "Speculative Store Bypassing Safe (SSBS)",
		.capability = ARM64_SSBS,
		.type = ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE,
		.matches = has_cpuid_feature,
		.sys_reg = SYS_ID_AA64PFR1_EL1,
		.field_pos = ID_AA64PFR1_SSBS_SHIFT,
		.sign = FTR_UNSIGNED,
		.min_field_value = ID_AA64PFR1_SSBS_PSTATE_ONLY,
		.cpu_enable = cpu_enable_ssbs,
	},
#endif

[Resolution]

Can you backport the above code into "static const struct arm64_cpu_capabilities arm64_features[] = {"?

summary: - [ssbs-0118] backport SSB bug (arm64: cpufeature: Detect SSBS and
+ [ssbs-0118] backport SSBS bug (arm64: cpufeature: Detect SSBS and
advertise to userspace)
Taihsiang Ho (taihsiangho) wrote :

The suggested code snippet is already in the current bionic master kernel tree (ubuntu kernel 4.15). See https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/arch/arm64/kernel/cpufeature.c#n1256

The code snippet landed at the event of "Bionic update: upstream stable patchset 2019-11-08" LP:#1851876 by pulling two upstream commits[1], which should be released with bionic kernel version Ubuntu-4.15.0-71.80.

NEXT ACTION:
The working fix may be the other solution. Let's try to reproduce the issue on our site. @Fred, would you please elaborate on how you enabled the SSBS function?

[1]
upstream commits 8f04e8e6e29c93421a95b61cad62e3918425eac7
(corresponding bionic-4.15 commit fd872fd82e12d765c4ae39a57ce2786c4e95c9a1 )

upstream commits d71be2b6c0e19180b5f80a6d42039cc074a693a2
(corresponding bionic-4.15 commit 2a3135c3033cd80a543d651f902fb7d4ebf0610c )

Changed in kunpeng920:
status: New → Incomplete
Fred Kimmy (kongzizaixian) wrote :

Our internal platform has enabled the SSBS function. Can you fix this bug and make a deb package? I will help to test it.

Ike Panhc (ikepanhc) wrote :

This patch has been merged into the bionic kernel since 4.15.0-71.80. Could you check again whether the current bionic-update kernel (4.15.0-130.134) still has the SSB issue?

ubuntu-bionic$ gitoneline | grep SSBS
47d31180cc30 <email address hidden> 2020-03-13 00:31:00 -0400 arm64: ssbs: Fix context-switch when SSBS is present on all CPUs
46566c624c98 <email address hidden> 2019-11-12 19:04:50 +0100 arm64: Force SSBS on context switch
c76da031386f <email address hidden> 2019-11-12 19:04:50 +0100 arm64: ssbs: Don't treat CPUs with SSBS as unaffected by SSB
f2485ae5fd84 <email address hidden> 2019-11-12 19:04:48 +0100 arm64: fix SSBS sanitization
1931a913df7e <email address hidden> 2019-11-12 19:04:48 +0100 KVM: arm64: Set SCTLR_EL2.DSSBS if SSBD is forcefully disabled and !vhe
fd872fd82e12 <email address hidden> 2019-11-12 19:04:48 +0100 arm64: ssbd: Add support for PSTATE.SSBS rather than trapping to EL3
2a3135c3033c <email address hidden> 2019-11-12 19:04:48 +0100 arm64: cpufeature: Detect SSBS and advertise to userspace

tags: added: tairadar
Fred Kimmy (kongzizaixian) wrote :

I checked the Ubuntu bionic branch (4.15.0-130.134); this error from backporting the patch (arm64: cpufeature: Detect SSBS and advertise to userspace) still exists. Can you refer to the following patch to fix this issue?

--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -1070,6 +1070,19 @@ static const struct arm64_cpu_capabilities arm64_features
[] = {
                .cpu_enable = cpu_enable_pan,
        },
 #endif /* CONFIG_ARM64_PAN */
+#ifdef CONFIG_ARM64_SSBD
+ {
+ .desc = "Speculative Store Bypassing Safe (SSBS)",
+ .capability = ARM64_SSBS,
+ .type = ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE,
+ .matches = has_cpuid_feature,
+ .sys_reg = SYS_ID_AA64PFR1_EL1,
+ .field_pos = ID_AA64PFR1_SSBS_SHIFT,
+ .sign = FTR_UNSIGNED,
+ .min_field_value = ID_AA64PFR1_SSBS_PSTATE_ONLY,
+ .cpu_enable = cpu_enable_ssbs,
+ },
+#endif
 #if defined(CONFIG_AS_LSE) && defined(CONFIG_ARM64_LSE_ATOMICS)
        {
                .desc = "LSE atomic instructions",
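Review bot: The added SSBS entry ("+ {" through "+ },") has lost its indentation: every field sits one space after the "+", while the context lines around it (".cpu_enable = cpu_enable_pan," and ".desc = "LSE atomic instructions",") keep the file's tab indentation, and the hunk header is wrapped so that "[] = {" lands on a line of its own. Both look like mail or paste damage; please resend the patch as an attachment or via git format-patch so it applies cleanly and matches the surrounding style. The closing "+#endif" could also carry a "/* CONFIG_ARM64_SSBD */" comment to match "#endif /* CONFIG_ARM64_PAN */" directly above.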
@@ -1253,19 +1266,6 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
 #ifdef CONFIG_ARM64_SVE
        HWCAP_CAP(SYS_ID_AA64PFR0_EL1, ID_AA64PFR0_SVE_SHIFT, FTR_UNSIGNED, ID_AA64PFR0_SVE, CAP_HWCAP, HWCAP_SVE),
 #endif
-#ifdef CONFIG_ARM64_SSBD
- {
- .desc = "Speculative Store Bypassing Safe (SSBS)",
- .capability = ARM64_SSBS,
- .type = ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE,
- .matches = has_cpuid_feature,
- .sys_reg = SYS_ID_AA64PFR1_EL1,
- .field_pos = ID_AA64PFR1_SSBS_SHIFT,
- .sign = FTR_UNSIGNED,
- .min_field_value = ID_AA64PFR1_SSBS_PSTATE_ONLY,
- .cpu_enable = cpu_enable_ssbs,
- },
-#endif
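Review bot: The second hunk is truncated after the removed "-#endif": its header "-1253,19 +1266,6" declares 19 old and 6 new lines, but only 3 context lines and 13 removed lines are present, so the 3 trailing context lines are missing and the patch will not apply as posted. Please include the lines that follow the removed block in arm64_elf_hwcaps[] so the hunk is complete. The patch also arrives without a commit message or Signed-off-by line, which a kernel submission needs.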

Ike Panhc (ikepanhc) wrote :

I see. The SSBS snippet looks to be in the wrong place.

I will escalate this. Thanks.
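
A source-level check for the misplacement discussed in this report, as an added example that is not part of the original thread or of the Ubuntu kernel tree: it lists `.capability` entries that sit in an `*_elf_hwcaps[]` table. It assumes, from the context lines of the patch above, that those tables hold only `HWCAP_CAP(...)` entries; the sample source is constructed and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed cpufeature.c with the SSBS entry in the
# wrong table, mirroring the layout reported in this bug.
SAMPLE = r'''
static const struct arm64_cpu_capabilities arm64_features[] = {
    {
        .capability = ARM64_HAS_PAN,
        .cpu_enable = cpu_enable_pan,
    },
    {},
};

static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = {
    HWCAP_CAP(SYS_ID_AA64PFR0_EL1, ID_AA64PFR0_SVE_SHIFT, FTR_UNSIGNED, ID_AA64PFR0_SVE, CAP_HWCAP, HWCAP_SVE),
#ifdef CONFIG_ARM64_SSBD
    {
        .desc = "Speculative Store Bypassing Safe (SSBS)",
        .capability = ARM64_SSBS,
        .cpu_enable = cpu_enable_ssbs,
    },
#endif
    {},
};
'''

ARRAY_RE = re.compile(r"struct arm64_cpu_capabilities\s+(\w+)\[\]\s*=\s*\{")

def array_body(source, start):
    """Return the text between an array's opening brace and its matching close."""
    depth = 1
    for i in range(start, len(source)):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[start:i]
    raise ValueError("unbalanced braces in array initializer")

def capabilities_by_array(source):
    """Map each arm64_cpu_capabilities array name to its .capability values."""
    return {m.group(1): re.findall(r"\.capability\s*=\s*(\w+)",
                                   array_body(source, m.end()))
            for m in ARRAY_RE.finditer(source)}

def misplaced_in_hwcaps(source):
    """Capabilities defined in an *_elf_hwcaps table (assumed HWCAP_CAP-only)."""
    return [cap for name, caps in capabilities_by_array(source).items()
            if name.endswith("elf_hwcaps") for cap in caps]

if __name__ == "__main__":
    print(misplaced_in_hwcaps(SAMPLE))
```

Run against `arch/arm64/kernel/cpufeature.c` from a backported tree, an empty list means no full capability entry landed in a hwcap table.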

Ike Panhc (ikepanhc) on 2021-01-22
Changed in kunpeng920:
status: Incomplete → In Progress
assignee: nobody → Ike Panhc (ikepanhc)
Ike Panhc (ikepanhc) on 2021-01-22
Changed in linux (Ubuntu):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu):
status: In Progress → Invalid
Changed in linux (Ubuntu Bionic):
assignee: nobody → Ike Panhc (ikepanhc)
Ike Panhc (ikepanhc) wrote :

Hi,

Could you test the kernel debs here? Thanks

https://kernel.ubuntu.com/~ikepanhc/lp1911376.1/

Ike Panhc (ikepanhc) on 2021-02-04
description: updated
tags: removed: tairadar
Stefan Bader (smb) on 2021-02-19
Changed in linux (Ubuntu Bionic):
importance: Undecided → Medium
status: In Progress → Fix Committed
Ike Panhc (ikepanhc) on 2021-02-22
Changed in kunpeng920:
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Ike Panhc (ikepanhc) wrote :

Regression test on d05, kunpeng920, crb1s and crb2s all passed. Thanks.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-137.141

---------------
linux (4.15.0-137.141) bionic; urgency=medium

  * bionic/linux: 4.15.0-137.141 -proposed tracker (LP: #1916199)

  * Fix oops in skb_segment for Bionic series (LP: #1915552)
    - net: permit skb_segment on head_frag frag_list skb
    - net: bpf: add a test for skb_segment in test_bpf module
    - test_bpf: Fix NULL vs IS_ERR() check in test_skb_segment()

  * Bionic update: upstream stable patchset 2021-02-10 (LP: #1915328)
    - net: cdc_ncm: correct overhead in delayed_ndp_size
    - net: vlan: avoid leaks on register_vlan_dev() failures
    - net: ip: always refragment ip defragmented packets
    - net: fix pmtu check in nopmtudisc mode
    - x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR
    - x86/resctrl: Don't move a task to the same resource group
    - vmlinux.lds.h: Add PGO and AutoFDO input sections
    - drm/i915: Fix mismatch between misplaced vma check and vma insert
    - spi: pxa2xx: Fix use-after-free on unbind
    - iio: imu: st_lsm6dsx: flip irq return logic
    - iio: imu: st_lsm6dsx: fix edge-trigger interrupts
    - ARM: OMAP2+: omap_device: fix idling of devices during probe
    - i2c: sprd: use a specific timeout to avoid system hang up issue
    - cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get()
    - spi: stm32: FIFO threshold level - fix align packet size
    - dmaengine: xilinx_dma: check dma_async_device_register return value
    - dmaengine: xilinx_dma: fix mixed_enum_type coverity warning
    - wil6210: select CONFIG_CRC32
    - block: rsxx: select CONFIG_CRC32
    - iommu/intel: Fix memleak in intel_irq_remapping_alloc
    - net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups
    - net/mlx5e: Fix two double free cases
    - wan: ds26522: select CONFIG_BITREVERSE
    - KVM: arm64: Don't access PMCR_EL0 when no PMU is available
    - block: fix use-after-free in disk_part_iter_next
    - net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed
      packet
    - net: hns3: fix the number of queues actually used by ARQ
    - net: stmmac: dwmac-sun8i: Balance internal PHY resource references
    - net: stmmac: dwmac-sun8i: Balance internal PHY power
    - net/sonic: Fix some resource leaks in error handling paths
    - net: ipv6: fib: flush exceptions when purging route
    - dmaengine: xilinx_dma: fix incompatible param warning in _child_probe()
    - lightnvm: select CONFIG_CRC32
    - ASoC: dapm: remove widget from dirty list on free
    - MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
    - MIPS: relocatable: fix possible boot hangup with KASLR enabled
    - ACPI: scan: Harden acpi_device_add() against device ID overflows
    - mm/hugetlb: fix potential missing huge page size info
    - dm snapshot: flush merged data before committing metadata
    - r8152: Add Lenovo Powered USB-C Travel Hub
    - ext4: fix bug for rename with RENAME_WHITEOUT
    - ARC: build: remove non-existing bootpImage from KBUILD_IMAGE
    - ARC: build: add uImage.lzma to the top-level target
    - ARC: build: add boot_targets to PHONY
    - btrfs: fix transaction leak and crash...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in kunpeng920:
status: Fix Committed → Fix Released