s390/pci: add extra padding to function measurement block

Bug #1572291 reported by bugproxy
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Release Notes for Ubuntu
Fix Released
Undecided
Unassigned
Ubuntu on IBM z Systems
Fix Released
Critical
Tim Gardner
linux (Ubuntu)
Fix Released
Critical
Tim Gardner
Xenial
Fix Released
Critical
Tim Gardner

Bug Description

Please backport upstream commit:

commit 9d89d9e61d361f3adb75e1aebe4bb367faf16cfa
Author: Sebastian Ott <email address hidden>
Date: Thu Mar 31 11:48:31 2016 +0200

    s390/pci: add extra padding to function measurement block

    Newer machines might use a different (larger) format for function
    measurement blocks. To ensure that we comply with the alignment
    requirement on these machines and prevent memory corruption (when
    firmware writes more data than we expect) add 16 padding bytes
    at the end of the fmb.

    Cc: <email address hidden> # v4.1+
    Signed-off-by: Sebastian Ott <email address hidden>
    Signed-off-by: Martin Schwidefsky <email address hidden>

 arch/s390/include/asm/pci.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

CVE References

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-140474 severity-high targetmilestone-inin1604
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Luciano Chavez (lnx1138)
affects: ubuntu → linux (Ubuntu)
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Xenial):
assignee: Skipper Bug Screeners (skipper-screen-team) → Tim Gardner (timg-tpi)
status: New → In Progress
dann frazier (dannf)
Changed in ubuntu-z-systems:
status: New → In Progress
assignee: nobody → Tim Gardner (timg-tpi)
bugproxy (bugproxy)
tags: added: targetmilestone-inin16041
removed: targetmilestone-inin1604
bugproxy (bugproxy)
tags: added: severity-critical
removed: severity-high
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
dann frazier (dannf)
Changed in ubuntu-z-systems:
importance: Undecided → Critical
status: In Progress → Fix Committed
Revision history for this message
Dimitri John Ledkov (xnox) wrote :
Changed in ubuntu-release-notes:
status: New → In Progress
status: In Progress → Fix Released
Mathew Hodson (mhodson)
Changed in linux (Ubuntu):
importance: Undecided → Critical
Changed in linux (Ubuntu Xenial):
importance: Undecided → Critical
Revision history for this message
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Revision history for this message
Tim Gardner (timg-tpi) wrote :

Marking verified since it also came in via 4.4 stable.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

@bugproxy

Kernel with this bug fix is available for testing from xenial-proposed pocket. See https://wiki.ubuntu.com/Testing/EnableProposed for more details how to enable and install packages from -proposed. Note -proposed is not to be used for day-to-day production systems, and only for selective testing of bugfixes and packages.

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-04-29 05:45 EDT-------
At first I reproduced this on kernel 4.4.0-15:

Creating workload:
cat /dev/urandom |gzip -9 > /dev/null &
cat /dev/urandom |gzip -9 > /dev/null &
ping 10.100.86.49

Let PCI device recover:
for i in `seq 1 100`; do echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/recover; echo $i;sleep 1;done

On the 32nd recovery I got the kernel panic.
Retried that and on the 19th recovery the panic occured.

Updated system to 4.4.0-22.38 and performed the above steps. Problem did not occur after 2x 100 recoveries. Fix works. Waiting for integration into xenial stream.

@Canonical: Please integrate into xenial and yaketty stream.

Revision history for this message
Kamal Mostafa (kamalmostafa) wrote :
Download full text (23.7 KiB)

This bug was fixed in the package linux - 4.4.0-22.38

---------------
linux (4.4.0-22.38) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1573817

  * autoreconstruct: need to also generate extend-diff-ignore options for links
    (LP: #1574362)
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links

  * tipc: missing linearization of sk_buff (LP: #1567064)
    - tipc: move linearization of buffers to generic code

  * [Hyper-V] In-flight PCI Passthrough Patches (LP: #1570124)
    - SAUCE:(noup) drivers:hv: Lock access to hyperv_mmio resource tree
    - SAUCE:(noup) drivers:hv: Call vmbus_mmio_free() to reverse
      vmbus_mmio_allocate()
    - SAUCE:(noup) drivers:hv: Reverse order of resources in hyperv_mmio
    - SAUCE:(noup) drivers:hv: Track allocations of children of hv_vmbus in
      private resource tree
    - SAUCE:(noup) drivers:hv: Record MMIO range in use by frame buffer
    - SAUCE:(noup) drivers:hv: Separate out frame buffer logic when picking MMIO
      range

  * vbox: resync with 5.0.18-dfsg-2build1 (LP: #1571156)
    - ubuntu: vbox -- update to 5.0.18-dfsg-2build1

  * CONFIG_AUFS_XATTR is not set (LP: #1557776)
    - [Config] CONFIG_AUFS_XATTR=y

  * CVE-2016-3672 (LP: #1568523)
    - x86/mm/32: Enable full randomization on i386 and X86_32

  * CVE-2016-3955 (LP: #1572666)
    - USB: usbip: fix potential out-of-bounds write

  * Xenial update to v4.4.8 stable release (LP: #1573034)
    - hwmon: (max1111) Return -ENODEV from max1111_read_channel if not
      instantiated
    - PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
    - parisc: Avoid function pointers for kernel exception routines
    - parisc: Fix kernel crash with reversed copy_from_user()
    - parisc: Unbreak handling exceptions from kernel modules
    - ALSA: timer: Use mod_timer() for rearming the system timer
    - ALSA: hda - Asus N750JV external subwoofer fixup
    - ALSA: hda - Fix white noise on Asus N750JV headphone
    - ALSA: hda - Apply fix for white noise on Asus N550JV, too
    - mm: fix invalid node in alloc_migrate_target()
    - powerpc/mm: Fixup preempt underflow with huge pages
    - libnvdimm: fix smart data retrieval
    - libnvdimm, pfn: fix uuid validation
    - compiler-gcc: disable -ftracer for __noclone functions
    - arm64: opcodes.h: Add arm big-endian config options before including arm
      header
    - drm/dp: move hw_mutex up the call stack
    - drm/udl: Use unlocked gem unreferencing
    - drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5
    - drm/radeon: add another R7 370 quirk
    - drm/radeon: add a dpm quirk for all R7 370 parts
    - drm/amdgpu/gmc: move vram type fetching into sw_init
    - drm/amdgpu/gmc: use proper register for vram type on Fiji
    - xen/events: Mask a moving irq
    - tcp: convert cached rtt from usec to jiffies when feeding initial rto
    - tunnel: Clear IPCB(skb)->opt before dst_link_failure called
    - net: jme: fix suspend/resume on JMC260
    - net: vrf: Remove direct access to skb->data
    - net: qca_spi: Don't clear IFF_BROADCAST
    - net: qca_spi: clear IFF_TX_SKB_SHARING
    - net: fix bridge multicas...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-22.39

---------------
linux (4.4.0-22.39) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578721

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-05-23 12:53 EDT-------
Unchanged kernel 4.4.0-22.39 now available in xenial. Retest not required. Closing bug.

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-05-23 12:59 EDT-------
Arrrgh. Kernel was NOT unchanged - suffix 38 was tested. Now we have build suffix 39. I will do the retest now.....

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-05-23 14:17 EDT-------
Successfully verified with kernel 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:02:55 UTC 2016 s390x (which I got today from main). Now "closed" state is confirmed!

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.