arm64: prevent losing page dirty state

Bug #1908503 reported by Andrea Righi on 2020-12-17
Affects                    Importance  Assigned to
linux-aws (Ubuntu)         High        Andrea Righi
linux-aws (Ubuntu Bionic)  High        Andrea Righi
linux-aws (Ubuntu Focal)   High        Andrea Righi
linux-aws (Ubuntu Groovy)  High        Andrea Righi
linux-aws (Ubuntu Hirsute) High        Andrea Righi

Bug Description

[Impact]

With hardware dirty bit management enabled, calling pte_wrprotect() on a dirty PTE clears the dirty state without flushing the content of the page to the backing store.

[Test case]

Bug reported by Amazon; a specific test case is not provided. This problem has been hit by a customer.

[Fix]

Apply commit:
 ff1712f953e27f0b0718762ec17d0adb15c9fd0b ("arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect()")

Backport activity is minimal: it only requires adjusting the context slightly to remove the previous pte_wrprotect() implementation.

[Regression potential]

The fix is specific to the arm64 pgtable code; it is an upstream fix that is also marked for stable. The only potential downside is the extra overhead introduced by the additional call to pte_mkdirty() in pte_wrprotect(), so in the worst case it could introduce a performance regression. It does not appear to introduce any other kind of regression or breakage.
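The dirty-bit interaction behind this bug and its fix, modelled in user-space C as an added example (not the kernel's code or the patch itself): with hardware DBM a dirty PTE is one that is writable with PTE_RDONLY clear, so a wrprotect that simply sets PTE_RDONLY erases the only record of the write, while the fixed variant first folds that state into the software PTE_DIRTY bit via pte_mkdirty(). The bit positions (PTE_RDONLY bit 7, PTE_DBM bit 51, PTE_DIRTY bit 55) are taken from arm64's pgtable-hwdef.h as the author of this example recalls them; the helper names mirror the kernel's but are reimplemented here.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t pteval_t;

/* Bit positions as in arm64's pgtable-hwdef.h (assumed, from memory of the tree). */
#define PTE_VALID  (UINT64_C(1) << 0)
#define PTE_RDONLY (UINT64_C(1) << 7)   /* AP[2]: hardware read-only flag */
#define PTE_DBM    (UINT64_C(1) << 51)  /* hardware dirty-bit-management flag */
#define PTE_WRITE  PTE_DBM              /* with DBM enabled, writable == DBM set */
#define PTE_DIRTY  (UINT64_C(1) << 55)  /* software dirty bit */

static bool pte_write(pteval_t pte)    { return (pte & PTE_WRITE) != 0; }
static bool pte_sw_dirty(pteval_t pte) { return (pte & PTE_DIRTY) != 0; }

/* Under DBM the MMU records a write by clearing PTE_RDONLY on a writable PTE. */
static bool pte_hw_dirty(pteval_t pte)
{
    return pte_write(pte) && !(pte & PTE_RDONLY);
}

static bool pte_dirty(pteval_t pte) { return pte_sw_dirty(pte) || pte_hw_dirty(pte); }

/* Set the software dirty bit; a writable PTE also drops RDONLY so hardware agrees. */
static pteval_t pte_mkdirty(pteval_t pte)
{
    pte |= PTE_DIRTY;
    if (pte_write(pte))
        pte &= ~PTE_RDONLY;
    return pte;
}

/* Pre-fix behaviour: setting RDONLY destroys the only record of the hardware write. */
static pteval_t pte_wrprotect_buggy(pteval_t pte)
{
    pte &= ~PTE_WRITE;
    pte |= PTE_RDONLY;
    return pte;
}

/* Post-fix behaviour: preserve hardware dirtiness in PTE_DIRTY before protecting. */
static pteval_t pte_wrprotect_fixed(pteval_t pte)
{
    if (pte_hw_dirty(pte))
        pte = pte_mkdirty(pte);
    pte &= ~PTE_WRITE;
    pte |= PTE_RDONLY;
    return pte;
}

/* Constructed sample: a writable PTE the MMU has just dirtied (RDONLY cleared). */
static pteval_t hw_dirtied_pte(void) { return PTE_VALID | PTE_WRITE; }
```

A clean writable PTE (PTE_RDONLY still set) passes through the fixed version without gaining PTE_DIRTY, which is why the fix costs only the extra check and not spurious writeback.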

CVE References

Andrea Righi (arighi) on 2020-12-17
Changed in linux-aws (Ubuntu Bionic):
assignee: nobody → Andrea Righi (arighi)
Changed in linux-aws (Ubuntu Focal):
assignee: nobody → Andrea Righi (arighi)
Changed in linux-aws (Ubuntu Groovy):
assignee: nobody → Andrea Righi (arighi)
Changed in linux-aws (Ubuntu Hirsute):
assignee: nobody → Andrea Righi (arighi)
Changed in linux-aws (Ubuntu Bionic):
importance: Undecided → High
Changed in linux-aws (Ubuntu Focal):
importance: Undecided → High
Changed in linux-aws (Ubuntu Groovy):
importance: Undecided → High
Changed in linux-aws (Ubuntu Hirsute):
importance: Undecided → High
Ian (ian-may) on 2020-12-17
Changed in linux-aws (Ubuntu Bionic):
status: New → Fix Committed
Changed in linux-aws (Ubuntu Focal):
status: New → Fix Committed
Changed in linux-aws (Ubuntu Groovy):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-aws - 5.4.0-1034.35

---------------
linux-aws (5.4.0-1034.35) focal; urgency=medium

  * focal/linux-aws: 5.4.0-1034.35 -proposed tracker (LP: #1908586)

  * arm64: prevent losing page dirty state (LP: #1908503)
    - arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect()

linux-aws (5.4.0-1033.34) focal; urgency=medium

  * focal/linux-aws: 5.4.0-1033.34 -proposed tracker (LP: #1907586)

  * Focal update: v5.4.75 upstream stable release (LP: #1904450)
    - [Config] aws: update config for DW_APB_TIMER

  [ Ubuntu: 5.4.0-59.65 ]

  * focal/linux: 5.4.0-59.65 -proposed tracker (LP: #1907604)
  * focal: selftests/bpf build broken: test_map_init.skel.h: No such file or
    directory (LP: #1906866)
    - SAUCE: Revert selftests/ "bpf: Zero-fill re-used per-cpu map element"
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * memory is leaked when tasks are moved to net_prio (LP: #1886859)
    - netprio_cgroup: Fix unlimited memory leak of v2 cgroups
  * Focal update: v5.4.78 upstream stable release (LP: #1905618)
    - drm/i915/gem: Flush coherency domains on first set-domain-ioctl
    - time: Prevent undefined behaviour in timespec64_to_ns()
    - nbd: don't update block size after device is started
    - KVM: arm64: Force PTE mapping on fault resulting in a device mapping
    - PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0
    - usb: dwc3: gadget: Continue to process pending requests
    - usb: dwc3: gadget: Reclaim extra TRBs after request completion
    - btrfs: tracepoints: output proper root owner for trace_find_free_extent()
    - btrfs: sysfs: init devices outside of the chunk_mutex
    - btrfs: reschedule when cloning lots of extents
    - ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function
    - genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
    - hv_balloon: disable warning when floor reached
    - net: xfrm: fix a race condition during allocing spi
    - ASoC: codecs: wcd9335: Set digital gain range correctly
    - xfs: set xefi_discard when creating a deferred agfl free log intent item
    - netfilter: use actual socket sk rather than skb sk when routing harder
    - netfilter: nf_tables: missing validation from the abort path
    - netfilter: ipset: Update byte and packet counters regardless of whether they
      match
    - powerpc/eeh_cache: Fix a possible debugfs deadlock
    - perf trace: Fix segfault when trying to trace events by cgroup
    - perf tools: Add missing swap for ino_generation
    - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
    - iommu/vt-d: Fix a bug for PDP check in prq_event_thread
    - afs: Fix warning due to unadvanced marshalling pointer
    - can: rx-offload: don't call kfree_skb() from IRQ context
    - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ
      context
    - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR
      frames
    - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()
    - can: j1939: swap addr and pgn in the send example
    - can: j1939: j1939_sk_bind(): return failure if n...

Changed in linux-aws (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-aws - 4.15.0-1093.99

---------------
linux-aws (4.15.0-1093.99) bionic; urgency=medium

  * bionic/linux-aws: 4.15.0-1093.99 -proposed tracker (LP: #1911275)

  * aws: network performance regression due to initial TCP receive buffer size
    change (LP: #1910200)
    - tcp: select sane initial rcvq_space.space for big MSS

  * arm64: prevent losing page dirty state (LP: #1908503)
    - arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect()

  * Disable Atari partition support for cloud kernels (LP: #1908264)
    - [Config] Disable Atari partition support

  * aws: xen-netfront: prevent potential error on hibernate (LP: #1906850)
    - SAUCE: xen-netfront: prevent unnecessary close on hibernate

  [ Ubuntu: 4.15.0-133.137 ]

  * bionic/linux: 4.15.0-133.137 -proposed tracker (LP: #1911295)
  * [drm:qxl_enc_commit [qxl]] *ERROR* head number too large or missing monitors
    config: (LP: #1908219)
    - qxl: remove qxl_io_log()
    - qxl: move qxl_send_monitors_config()
    - qxl: hook monitors_config updates into crtc, not encoder.
  * Touchpad not detected on ByteSpeed C15B laptop (LP: #1906128)
    - Input: i8042 - add ByteSpeed touchpad to noloop table
  * vmx_nm_test in ubuntu_kvm_unit_tests interrupted on X-oracle-4.15 /
    B-oracle-4.15 / X-KVM / B-KVM (LP: #1872401)
    - KVM: nVMX: Always reflect #NM VM-exits to L1
  * stack trace in kernel (LP: #1903596)
    - net: napi: remove useless stack trace
  * CVE-2020-27777
    - [Config]: Set CONFIG_PPC_RTAS_FILTER
  * Bionic update: upstream stable patchset 2020-12-04 (LP: #1906875)
    - regulator: defer probe when trying to get voltage from unresolved supply
    - ring-buffer: Fix recursion protection transitions between interrupt context
    - time: Prevent undefined behaviour in timespec64_to_ns()
    - nbd: don't update block size after device is started
    - btrfs: sysfs: init devices outside of the chunk_mutex
    - btrfs: reschedule when cloning lots of extents
    - genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
    - hv_balloon: disable warning when floor reached
    - net: xfrm: fix a race condition during allocing spi
    - perf tools: Add missing swap for ino_generation
    - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
    - can: rx-offload: don't call kfree_skb() from IRQ context
    - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ
      context
    - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR
      frames
    - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()
    - can: peak_usb: add range checking in decode operations
    - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
    - can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is
      on
    - xfs: flush new eof page on truncate to avoid post-eof corruption
    - Btrfs: fix missing error return if writeback for extent buffer never started
    - ath9k_htc: Use appropriate rs_datalen type
    - usb: gadget: goku_udc: fix potential crashes in probe
    - gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free
  ...


Changed in linux-aws (Ubuntu Bionic):
status: Fix Committed → Fix Released