Sys oopsed with sysfs test in ubuntu_stress_smoke_test on X-hwe ARM64

Bug #1866772 reported by Po-Hsu Lin
Affects              Status  Importance  Assigned to     Milestone
Stress-ng                    Undecided   Unassigned
ubuntu-kernel-tests          Medium      Colin Ian King
linux (Ubuntu)               Undecided   Unassigned
  Bionic                     Undecided   Unassigned
  Eoan                       Undecided   Unassigned
  Focal                      Undecided   Unassigned

Bug Description

== SRU Request [ BIONIC, DISCO, EOAN, FOCAL ] ==

Reading /sys/firmware/acpi/tables/data/BERT as root at an odd byte offset will cause an oops. This is because the source address is I/O mapped and this needs to be read with an I/O memcpy rather than a memcpy.

== Fix ==

The fix is an upstream (linux-next) commit that will land in 5.7; the backport to bionic, eoan and focal is just a minor context wiggle.

commit 08c07cefb3042a55bc9f8243814b504d5eff93f3
Author: Colin Ian King <email address hidden>
Date: Thu Mar 12 11:13:45 2020 +0000

    ACPI: sysfs: copy ACPI data using io memory copying

== Test ==

Running on hotdog with the reproducer below (run as root):

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
        int fd;
        char buffer[3];
        ssize_t n;

        fd = open("/sys/firmware/acpi/tables/data/BERT", O_RDONLY);
        if (fd < 0) {
                fprintf(stderr, "open failed: %d (%s)\n", errno, strerror(errno));
                return -1;
        }
        do {
                n = read(fd, buffer, sizeof(buffer));
        } while (n > 0);

        return 0;
}

Without the fix it will oops. With the fix it works OK.

== Regression Potential ==

This only affects the reading of the ACPI BERT table from /sys as root so it is limited in scope to just a very narrow use case. Normally the BERT table is just handled by the kernel, so access to this table is just for debugging purposes.

-----------------------

Issue found on new ARM64 node "hotdog" 4.15.0-91.92~16.04.1
Failed 2 of 2 attempts.

Test suite HEAD SHA1: 3f43e81

 sysfs STARTING
 sysfs RETURNED 0
 sysfs FAILED (kernel oopsed)
 [ 1075.760640] Unable to handle kernel paging request at virtual address ffff00004a70072a
 [ 1075.763319] Unable to handle kernel paging request at virtual address ffff00004a70e4ba
 [ 1075.768563] Mem abort info:
 [ 1075.768566] ESR = 0x96000021
 [ 1075.768568] Exception class = DABT (current EL), IL = 32 bits
 [ 1075.768569] SET = 0, FnV = 0
 [ 1075.768570] EA = 0, S1PTW = 0
 [ 1075.768571] Data abort info:
 [ 1075.768577] ISV = 0, ISS = 0x00000021
 [ 1075.776489] Mem abort info:
 [ 1075.776491] ESR = 0x96000021
 [ 1075.776493] Exception class = DABT (current EL), IL = 32 bits
 [ 1075.776494] SET = 0, FnV = 0
 [ 1075.776495] EA = 0, S1PTW = 0
 [ 1075.776496] Data abort info:
 [ 1075.776500] ISV = 0, ISS = 0x00000021
 [ 1075.779284] CM = 0, WnR = 0
 [ 1075.779288] swapper pgtable: 4k pages, 48-bit VAs, pgd = 00000000facfed4f
 [ 1075.779290] [ffff00004a70072a] *pgd=000000bffcffe003, *pud=0000009f6122c003, *pmd=000000bf5adf4003, *pte=0068000080280703
 [ 1075.782342] CM = 0, WnR = 0
 [ 1075.782346] swapper pgtable: 4k pages, 48-bit VAs, pgd = 00000000facfed4f
 [ 1075.782352] [ffff00004a70e4ba] *pgd=000000bffcffe003, *pud=0000009f6122c003, *pmd=000000bf5adf4003, *pte=006800008028e703
 [ 1075.788262] Internal error: Oops: 96000021 [#2] SMP
 [ 1075.788269] Modules linked in: unix_diag binfmt_misc snd_seq snd_seq_device snd_timer snd soundcore userio vfio_iommu_type1 vfio hci_vhci bluetooth ecdh_generic uhid cuse vhost_vsock vmw_vsock_virtio_transport_common vhost_net vhost vsock tap dccp_ipv4 dccp ipx p8023 atm psnap p8022 llc algif_rng algif_aead anubis fcrypt khazad seed tea md4 michael_mic poly1305_generic rmd128 rmd160 rmd256 rmd320 sha3_generic sm3_generic tgr192 wp512 algif_hash chacha20_neon chacha20_generic blowfish_generic blowfish_common cast5_generic des_generic salsa20_generic camellia_generic cast6_generic cast_common serpent_generic twofish_generic twofish_common algif_skcipher af_alg nls_iso8859_1 ipmi_ssif ipmi_devintf joydev input_leds ipmi_msghandler shpchp i2c_xlp9xx(+) thunderx2_pmu ib_iser rdma_cm iw_cm ib_cm ib_core
 [ 1075.942470] iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid uas usb_storage aes_ce_blk aes_ce_cipher crc32_ce qede ast i2c_algo_bit crct10dif_ce ptp ghash_ce ttm drm_kms_helper sha2_ce pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops sha256_arm64 sha1_ce mpt3sas qed drm raid_class scsi_transport_sas ahci libahci gpio_xlp aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64
 [ 1075.991997] Process stress-ng-sysfs (pid: 108395, stack limit = 0x000000009cb607b8)
 [ 1075.999643] CPU: 100 PID: 108395 Comm: stress-ng-sysfs Tainted: G D 4.15.0-91-generic #92~16.04.1-Ubuntu
 [ 1076.010324] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL027 07/01/2019
 [ 1076.018314] pstate: 80400009 (Nzcv daif +PAN -UAO)
 [ 1076.023096] pc : __memcpy+0x84/0x180
 [ 1076.026663] lr : memory_read_from_buffer+0x64/0x88
 [ 1076.031441] sp : ffff00003ea2bd10
 [ 1076.034743] x29: ffff00003ea2bd10 x28: ffff80be4d85cb00
 [ 1076.040042] x27: ffff000008b42000 x26: 000000000000003f
 [ 1076.045342] x25: 0000000000000124 x24: ffff00004a700000
 [ 1076.050643] x23: ffff809e3a7e8500 x22: 000000000000000a
 [ 1076.055942] x21: ffff00003ea2bd88 x20: 000000000000000a
 [ 1076.061240] x19: 0000000000000734 x18: 0000000000000014
 [ 1076.066540] x17: 0000ffffaf4e1a58 x16: ffff0000082e8e28
 [ 1076.071839] x15: 00002d88734750e0 x14: 00181a0596c27059
 [ 1076.077138] x13: 00000003e8000000 x12: 0000000000000018
 [ 1076.082436] x11: 000000000006372e x10: 000000005e66c174
 [ 1076.087735] x9 : 003b9aca00000000 x8 : 000000000000003f
 [ 1076.093034] x7 : ffff000008645490 x6 : ffff809e3a7e8500
 [ 1076.098333] x5 : 000000000000000a x4 : 0000000000010000
 [ 1076.103633] x3 : ffff00004a700000 x2 : 000000000000000a
 [ 1076.108932] x1 : ffff00004a70072a x0 : ffff809e3a7e8500
 [ 1076.114231] Call trace:
 [ 1076.116668] __memcpy+0x84/0x180
 [ 1076.119887] acpi_data_show+0x54/0x80
 [ 1076.123541] sysfs_kf_bin_read+0x6c/0xa8
 [ 1076.127451] kernfs_fop_read+0xa4/0x1e0
 [ 1076.131274] __vfs_read+0x48/0x90
 [ 1076.134577] vfs_read+0x94/0x150
 [ 1076.137792] SyS_read+0x74/0xf0
 [ 1076.140923] el0_svc_naked+0x30/0x34
 [ 1076.144487] Code: a88120c7 a8c12027 a88120c7 36180062 (f8408423)
 [ 1076.150570] ---[ end trace 496ae41e9716bef2 ]---
 [ 1076.155180] Internal error: Oops: 96000021 [#3] SMP
 [ 1076.160054] Modules linked in: unix_diag binfmt_misc snd_seq snd_seq_device snd_timer snd soundcore userio vfio_iommu_type1 vfio hci_vhci bluetooth ecdh_generic uhid cuse vhost_vsock vmw_vsock_virtio_transport_common vhost_net vhost vsock tap dccp_ipv4 dccp ipx p8023 atm psnap p8022 llc algif_rng algif_aead anubis fcrypt khazad seed tea md4 michael_mic poly1305_generic rmd128 rmd160 rmd256 rmd320 sha3_generic sm3_generic tgr192 wp512 algif_hash chacha20_neon chacha20_generic blowfish_generic blowfish_common cast5_generic des_generic salsa20_generic camellia_generic cast6_generic cast_common serpent_generic twofish_generic twofish_common algif_skcipher af_alg nls_iso8859_1 ipmi_ssif ipmi_devintf joydev input_leds ipmi_msghandler shpchp i2c_xlp9xx(+) thunderx2_pmu ib_iser rdma_cm iw_cm ib_cm ib_core
 [ 1076.230688] iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid uas usb_storage aes_ce_blk aes_ce_cipher crc32_ce qede ast i2c_algo_bit crct10dif_ce ptp ghash_ce ttm drm_kms_helper sha2_ce pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops sha256_arm64 sha1_ce mpt3sas qed drm raid_class scsi_transport_sas ahci libahci gpio_xlp aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64
 [ 1076.280211] Process stress-ng-sysfs (pid: 108405, stack limit = 0x00000000081889d7)
 [ 1076.287856] CPU: 155 PID: 108405 Comm: stress-ng-sysfs Tainted: G D 4.15.0-91-generic #92~16.04.1-Ubuntu
 [ 1076.298538] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL027 07/01/2019
 [ 1076.306530] pstate: 80400009 (Nzcv daif +PAN -UAO)
 [ 1076.311319] pc : __memcpy+0x84/0x180
 [ 1076.314890] lr : memory_read_from_buffer+0x64/0x88
 [ 1076.319667] sp : ffff00003eea3d10
 [ 1076.322969] x29: ffff00003eea3d10 x28: ffff80be4d858000
 [ 1076.328269] x27: ffff000008b42000 x26: 000000000000003f
 [ 1076.333568] x25: 0000000000000124 x24: ffff00004a700000
 [ 1076.338868] x23: ffff80bec6fa7400 x22: 000000000000000d
 [ 1076.344167] x21: ffff00003eea3d88 x20: 000000000000000d
 [ 1076.349467] x19: 000000000000e4c7 x18: 0000000000000014
 [ 1076.354767] x17: 0000ffffaf4e1a58 x16: ffff0000082e8e28
 [ 1076.360068] x15: 0000566c10765956 x14: 00181a0596c27059
 [ 1076.365368] x13: 00000003e8000000 x12: 0000000000000018
 [ 1076.370667] x11: 00000000000641a6 x10: 000000005e66c174
 [ 1076.375966] x9 : 003b9aca00000000 x8 : 000000000000003f
 [ 1076.381265] x7 : ffff000008645490 x6 : ffff80bec6fa7400
 [ 1076.386564] x5 : 000000000000000d x4 : 0000000000010000
 [ 1076.391864] x3 : ffff00004a700000 x2 : 000000000000000d
 [ 1076.397163] x1 : ffff00004a70e4ba x0 : ffff80bec6fa7400
 [ 1076.402463] Call trace:
 [ 1076.404901] __memcpy+0x84/0x180
 [ 1076.408125] acpi_data_show+0x54/0x80
 [ 1076.411785] sysfs_kf_bin_read+0x6c/0xa8
 [ 1076.415696] kernfs_fop_read+0xa4/0x1e0
 [ 1076.419520] __vfs_read+0x48/0x90
 [ 1076.422823] vfs_read+0x94/0x150
 [ 1076.426038] SyS_read+0x74/0xf0
 [ 1076.429171] el0_svc_naked+0x30/0x34
 [ 1076.432736] Code: a88120c7 a8c12027 a88120c7 36180062 (f8408423)
 [ 1076.438818] ---[ end trace 496ae41e9716bef3 ]---
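
Added example (not part of the original report): a small C triage helper that decodes the ESR value and fault address printed in the oops above. It shows that 0x96000021 is a data abort taken at the current exception level whose fault status code is an alignment fault on a read, even though the headline message reads like a paging failure. The sample lines are copied from this report; the function, struct and macro names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sample input: three lines copied from the first oops in this report. */
static const char *sample_oops[] = {
    "[ 1075.760640] Unable to handle kernel paging request at virtual address ffff00004a70072a",
    "[ 1075.768566] ESR = 0x96000021",
    "[ 1075.768568] Exception class = DABT (current EL), IL = 32 bits",
};

#define EC_DABT_CUR_EL 0x25u /* ESR[31:26]: data abort, no change of exception level */
#define DFSC_ALIGNMENT 0x21u /* ESR[5:0]: alignment fault */

struct fault {
    uint64_t addr;  /* faulting virtual address */
    uint32_t esr;   /* raw syndrome value */
    unsigned ec;    /* exception class */
    unsigned dfsc;  /* data fault status code */
    int is_write;   /* WnR bit, ESR[6] */
};

/* Extract the first fault address and ESR from oops lines.
 * Returns 0 on success, -1 if either value is missing. */
int parse_oops(const char **lines, size_t n, struct fault *f)
{
    static const char addr_key[] = "virtual address ";
    static const char esr_key[] = "ESR = ";
    int have_addr = 0, have_esr = 0;

    for (size_t i = 0; i < n; i++) {
        const char *p;

        if (!have_addr && (p = strstr(lines[i], addr_key))) {
            f->addr = strtoull(p + sizeof(addr_key) - 1, NULL, 16);
            have_addr = 1;
        } else if (!have_esr && (p = strstr(lines[i], esr_key))) {
            f->esr = (uint32_t)strtoul(p + sizeof(esr_key) - 1, NULL, 16);
            have_esr = 1;
        }
    }
    if (!have_addr || !have_esr)
        return -1;
    f->ec = f->esr >> 26;
    f->dfsc = f->esr & 0x3f;
    f->is_write = (f->esr >> 6) & 1;
    return 0;
}

/* Name the fault class so an alignment fault is not mistaken for a bad pointer. */
const char *classify(const struct fault *f)
{
    if (f->ec != EC_DABT_CUR_EL)
        return "not a data abort at the current exception level";
    if (f->dfsc == DFSC_ALIGNMENT)
        return f->is_write ? "alignment fault on write" : "alignment fault on read";
    if ((f->dfsc & 0x3c) == 0x04)
        return "translation fault";
    return "other data abort";
}

int main(void)
{
    struct fault f;

    if (parse_oops(sample_oops, 3, &f))
        return 1;
    printf("addr=%#llx (addr %% 8 = %u) EC=%#x DFSC=%#x: %s\n",
           (unsigned long long)f.addr, (unsigned)(f.addr & 7),
           f.ec, f.dfsc, classify(&f));
    return 0;
}
```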


Po-Hsu Lin (cypressyew)
tags: added: 4.15 arm64 kqa-blocker sru-20200217 xenial
tags: added: ubuntu-stress-smoke-test
Po-Hsu Lin (cypressyew) wrote :

This test passed on the other 3 ARM64 nodes (appleton-kernel, ms10-34-mcdivittB0-kernel, wright-kernel)

description: updated
Colin Ian King (colin-king) wrote :

This appears to be specific to one machine - I suspect this is due to a particular ACPI table. If I can get full access to hotdog I'll check if this is a regression and debug this further.

Changed in ubuntu-kernel-tests:
importance: Undecided → Medium
assignee: nobody → Colin Ian King (colin-king)
status: New → Incomplete
Sean Feole (sfeole) wrote :

Given that Colin has already acknowledged this bug and confirmed it appears to be isolated to only one machine, I'm removing the kqa-blocker tag.

tags: removed: kqa-blocker
Po-Hsu Lin (cypressyew) wrote :

Colin,

I have your keys imported and locked the system.
Please access it with ubuntu@hotdog-kernel
Thanks

Colin Ian King (colin-king) wrote :

This is not a regression, it also occurs on 4.15.0-88-generic

Changed in ubuntu-kernel-tests:
status: Incomplete → In Progress
Colin Ian King (colin-king) wrote :

Reproducer occurs when doing odd sized reads that are > 1 byte:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
        int fd;
        char buffer[3];
        ssize_t n;

        fd = open("/sys/firmware/acpi/tables/data/BERT", O_RDONLY);
        if (fd < 0) {
                fprintf(stderr, "open failed: %d (%s)\n", errno, strerror(errno));
                return -1;
        }
        do {
                n = read(fd, buffer, sizeof(buffer));
        } while (n > 0);

        return 0;
}

Colin Ian King (colin-king) wrote :

Issue occurs with linux 5.6-rc5 too.

Colin Ian King (colin-king) wrote :

Replacing memcpy with unoptimized char copying avoids this issue, so it seems to be a misaligned read issue.

diff --git a/fs/libfs.c b/fs/libfs.c
index 77709c5923a8..f99e265b6d81 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -786,6 +786,8 @@ ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos,
                                const void *from, size_t available)
 {
        loff_t pos = *ppos;
+ char *p1, *p2;
+ size_t i;

        if (pos < 0)
                return -EINVAL;
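
Review bot: in the declarations added at the top of memory_read_from_buffer(), `char *p1, *p2;` makes p2 a non-const pointer although it is going to point into `from`, which the signature declares as `const void *`. Declare it as `const char *p2` so the source stays read-only and the later assignment does not discard the qualifier.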
@@ -798,8 +800,14 @@ ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos,
                        (unsigned long long)available,
                        (unsigned long long)pos,
                        (unsigned long long)count);
+
+ p1 = to;
+ p2 = from + pos;
+
+ for (i = 0; i < count; i++,p1++,p2++)
+ *p1 = *p2;

- memcpy(to, from + pos, count);
+ //memcpy(to, from + pos, count);
        *ppos = pos + count;

        return count;
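
Review bot: the byte loop replaces memcpy() inside memory_read_from_buffer() itself, so every user of this fs/libfs.c helper loses the optimized copy, not only the acpi_data_show() path that triggered the oops; the special handling belongs at the call site that knows what kind of memory its source is. If this goes further than an experiment, drop the commented-out `//memcpy(to, from + pos, count);` line rather than leaving dead code behind, and put spaces after the commas in `i++,p1++,p2++`.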

This is called from acpi_data_show() which does:

rc = memory_read_from_buffer(buf, count, &offset, base,
                                     data_attr->attr.size);

On a second read, the contents of offset is odd making base + offset odd on the source address of a memcpy(). I thought memcpy could handle that.

Colin Ian King (colin-king) wrote :

Ah, looks like the source memory is mapped as I/O memory, so this works OK on x86 but probably unaligned I/O reads fail on this platform.
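
Added example (not from this report or the kernel tree): a user-space C model of why the copy strategy matters for a source that only tolerates naturally aligned accesses, as described in the comments above. `copy_widest_first` and `copy_align_source` are assumed, simplified stand-ins for an optimized short memcpy and an I/O-safe copy; offset 0x72a with length 10 comes from x1 and x2 in the first oops, and offset 3 with length 3 is the reproducer's second read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the I/O-mapped table; uint64_t backing keeps it 8-byte aligned. */
static uint64_t backing[512];
static int misaligned_reads;

/* One source access of `width` bytes. A multi-byte access whose address is not
 * a multiple of its width is what faults on the real mapping; here it is counted. */
static void rd(uint8_t *dst, const uint8_t *src, size_t width)
{
    if (width > 1 && ((uintptr_t)src & (width - 1)))
        misaligned_reads++;
    memcpy(dst, src, width);
}

/* Assumed model of an optimized short copy (n < 16): widest access first,
 * source alignment never checked. */
void copy_widest_first(void *to, const void *from, size_t n)
{
    uint8_t *d = to;
    const uint8_t *s = from;

    for (size_t w = 8; w >= 1; w >>= 1)
        if (n & w) {
            rd(d, s, w);
            d += w;
            s += w;
        }
}

/* Assumed model of an I/O-safe copy: single bytes until the source is 8-byte
 * aligned, then 8-byte reads, then single bytes for the tail. */
void copy_align_source(void *to, const void *from, size_t n)
{
    uint8_t *d = to;
    const uint8_t *s = from;

    for (; n && ((uintptr_t)s & 7); n--)
        rd(d++, s++, 1);
    for (; n >= 8; n -= 8, d += 8, s += 8)
        rd(d, s, 8);
    for (; n; n--)
        rd(d++, s++, 1);
}

typedef void (*copy_fn)(void *, const void *, size_t);

/* Copy n (< 16) bytes from table offset off. Returns the number of misaligned
 * multi-byte source reads, or -1 if the copied bytes do not match the table. */
int misaligned_for(copy_fn fn, size_t off, size_t n)
{
    uint8_t *table = (uint8_t *)backing;
    uint8_t out[16] = {0};

    for (size_t i = 0; i < sizeof(backing); i++)
        table[i] = (uint8_t)(i * 7 + 1);  /* constructed fill pattern */
    misaligned_reads = 0;
    fn(out, table + off, n);
    return memcmp(out, table + off, n) ? -1 : misaligned_reads;
}

int main(void)
{
    printf("widest-first  off=0x72a n=10: %d\n", misaligned_for(copy_widest_first, 0x72a, 10));
    printf("widest-first  off=3     n=3 : %d\n", misaligned_for(copy_widest_first, 3, 3));
    printf("align-source  off=0x72a n=10: %d\n", misaligned_for(copy_align_source, 0x72a, 10));
    printf("align-source  off=3     n=3 : %d\n", misaligned_for(copy_align_source, 3, 3));
    return 0;
}
```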

Colin Ian King (colin-king) wrote :

Fix sent upstream for review: https://lkml.org/lkml/2020/3/12/370

description: updated
description: updated
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1866772

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Bionic):
status: New → Incomplete
Changed in linux (Ubuntu Eoan):
status: New → Incomplete
tags: added: bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-21.25

---------------
linux (5.4.0-21.25) focal; urgency=medium

  * CVE-2020-8835
    - SAUCE: bpf: undo incorrect __reg_bound_offset32 handling

 -- Thadeu Lima de Souza Cascardo <email address hidden> Thu, 26 Mar 2020 17:51:28 -0300

Changed in linux (Ubuntu Focal):
status: Incomplete → Fix Released
Changed in linux (Ubuntu Bionic):
status: Incomplete → Fix Committed
Changed in linux (Ubuntu Eoan):
status: Incomplete → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan
Colin Ian King (colin-king) wrote :

Tested on Eoan with kernel 5.3.0-47-generic #39-Ubuntu with reproducer and stress-ng sysfs test, fix worked fine.

tags: added: verification-done-eoan
removed: verification-needed-eoan
Colin Ian King (colin-king) wrote :

Tested on Focal with kernel 5.4.0-23-generic #27-Ubuntu with reproducer and it works fine. There is another issue with the sysfs test, need to debug that and I'll file another bug for that.

tags: added: verification-done-focal
removed: verification-needed-focal
Colin Ian King (colin-king) wrote :

Focal passes autotest stress-ng tests:

14:06:30 INFO | Summary:
14:06:30 INFO | Stressors run: 191
14:06:30 INFO | Skipped: 1, binderfs
14:06:30 INFO | Failed: 0,
14:06:30 INFO | Oopsed: 0,
14:06:30 INFO | Oomed: 0,
14:06:30 INFO | Passed: 190, access af-alg affinity aio aiol bad-altstack bigheap branch brk cache cap chattr chdir chmod chown chroot clock close context cpu crypt cyclic daemon dccp dentry dev dev-shm dir dirdeep dnotify dup dynlib enosys env epoll eventfd fallocate fanotify fault fcntl fiemap fifo file-ioctl filename flock fork fp-error fstat full funcret futex get getdent getrandom handle hdd hrtimers icache icmp-flood inode-flags inotify io iomix ioprio ipsec-mb itimer judy key kill klog lease link locka lockbus lockf lockofd loop madvise malloc mcontend membarrier memfd memhotplug memrate memthrash mergesort mincore mknod mlock mmap mmapaddr mmapfixed mmapfork mmapmany mq mremap msg msync netdev netlink-proc netlink-task nice null open personality physpage pidfd pipe pipeherd pkey poll prctl procfs pthread ptrace pty radixsort ramfs rawdev rawsock readahead reboot rename revio rlimit rmap rtc schedpolicy sctp seal seccomp seek sem sem-sysv sendfile set shellsort shm shm-sysv sigfd sigfpe sigio sigpending sigpipe sigq sigrt sigsegv sigsuspend skiplist sleep sock sockabuse sockdiag sockmany softlockup splice stackmmap stream swap switch symlink sync-file sysbadaddr sysfs tee timer timerfd tlb-shootdown tmpfs tree tsearch tun udp udp-flood unshare urandom userfaultfd utime vdso vfork vm vm-addr vm-rw vm-segv vm-splice wait x86syscall yield zero zombie
14:06:30 INFO | Badret: 0,
14:06:30 INFO |
14:06:30 INFO | Tests took 972 seconds to run

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Colin Ian King (colin-king) wrote :

Tested on Bionic with kernel 4.15.0-97-generic #98 with reproducer and stress-ng sysfs test, fix worked fine.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Po-Hsu Lin (cypressyew) wrote :

Hello Colin, I can see this issue with 5.0 kernel (5.0.0-47.51~18.04.1) as well, with the same node hotdog-kernel.

Do you think we should fix this in 5.0 as well?
Thanks

 sysfs FAILED (kernel oopsed)
 [ 1108.615397] Unable to handle kernel paging request at virtual address ffff000046afa6a6
 [ 1108.617127] Unable to handle kernel paging request at virtual address ffff000046afd2d7
 [ 1108.623317] Mem abort info:
 [ 1108.627466] Unable to handle kernel paging request at virtual address ffff000046affffd
 [ 1108.627469] Mem abort info:
 [ 1108.627470] ESR = 0x96000021
 [ 1108.627473] Exception class = DABT (current EL), IL = 32 bits
 [ 1108.627477] SET = 0, FnV = 0
 [ 1108.627480] EA = 0, S1PTW = 0
 [ 1108.627482] Data abort info:
 [ 1108.627485] ISV = 0, ISS = 0x00000021
 [ 1108.627487] CM = 0, WnR = 0
 [ 1108.627490] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000815ac000
 [ 1108.627495] [ffff000046affffd] pgd=000000bffcfff003, pud=0000009f28e05003, pmd=0000009de53f9003, pte=006800008028f703
 [ 1108.627507] Internal error: Oops: 96000021 [#1] SMP
 [ 1108.627515] Modules linked in: unix_diag binfmt_misc snd_seq snd_seq_device snd_timer snd soundcore userio cuse hci_vhci bluetooth ecdh_generic vfio_iommu_type1 vfio uhid vhost_vsock vmw_vsock_virtio_transport_common vsock vhost_net vhost tap dccp_ipv4 dccp atm algif_rng aegis128 aegis128l aegis256 morus1280 morus640 algif_aead anubis fcrypt khazad seed sm4_generic tea crc32_generic md4 michael_mic nhpoly1305_neon nhpoly1305 poly1305_generic rmd128 rmd160 rmd256 rmd320 sha3_generic sm3_generic streebog_generic tgr192 wp512 algif_hash blowfish_generic blowfish_common cast5_generic des_generic salsa20_generic chacha_neon chacha_generic camellia_generic cast6_generic cast_common serpent_generic twofish_generic twofish_common algif_skcipher af_alg nls_iso8859_1 ipmi_ssif joydev input_leds ipmi_devintf ipmi_msghandler thunderx2_pmu sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456
 [ 1108.627576] async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear i2c_smbus aes_ce_blk aes_ce_cipher uas ast i2c_algo_bit ttm drm_kms_helper syscopyarea crct10dif_ce usb_storage ghash_ce sysfillrect qede sha2_ce sysimgblt mpt3sas fb_sys_fops qed sha256_arm64 sha1_ce raid_class drm scsi_transport_sas ahci crc8 gpio_xlp i2c_xlp9xx hid_generic usbhid hid aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64
 [ 1108.627607] Process stress-ng-sysfs (pid: 203940, stack limit = 0x0000000047d7ff87)
 [ 1108.627612] CPU: 93 PID: 203940 Comm: stress-ng-sysfs Not tainted 5.0.0-47-generic #51~18.04.1-Ubuntu
 [ 1108.627614] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL027 07/01/2019
 [ 1108.627616] pstate: 80400009 (Nzcv daif +PAN -UAO)
 [ 1108.627623] pc : __memcpy+0x9c/0x180
 [ 1108.627629] lr : memory_read_from_buffer+0x64/0x88
 [ 1108.627630] sp : ffff000059933c90
 [ 1108.627631] x29: ffff000059933c90 x28: ffff809e4d35ac40
 [ 1108.627634] x27: 0000000000000000 x26: 0000000000000000
 [ 1108.627636] x25: 00000000560000...

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.3.0-51.44

---------------
linux (5.3.0-51.44) eoan; urgency=medium

  * CVE-2020-11884
    - SAUCE: s390/mm: fix page table upgrade vs 2ndary address mode accesses

 -- Thadeu Lima de Souza Cascardo <email address hidden> Wed, 22 Apr 2020 17:35:41 -0300

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-99.100

---------------
linux (4.15.0-99.100) bionic; urgency=medium

  * CVE-2020-11884
    - SAUCE: s390/mm: fix page table upgrade vs 2ndary address mode accesses

 -- Marcelo Henrique Cerri <email address hidden> Wed, 22 Apr 2020 15:31:14 -0300

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
Po-Hsu Lin (cypressyew)
Changed in stress-ng:
status: New → Invalid