Potential memory corruption with capi adapters

Bug #1681469 reported by bugproxy on 2017-04-10
Affects        | Status | Importance | Assigned to | Milestone
linux (Ubuntu) |        | Undecided  | Tim Gardner |
Xenial         |        | Undecided  | Tim Gardner |
Yakkety        |        | Undecided  | Tim Gardner |
Zesty          |        | Undecided  | Tim Gardner |
Artful         |        | Undecided  | Unassigned  |

Bug Description

== Comment: #0 - Frederic Barrat <email address hidden> - 2017-04-10 04:44:01 ==

---Problem Description---
Memory corruption can be seen when using a capi adapter. It can happen if the host process allocates/frees/reallocates memory areas used by the capi adapter.
Some TLB invalidations may not be propagated to the capi adapter, causing the corruption.

Contact Information = <email address hidden>

---uname output---
Linux garri 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:05:15 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux

---Additional Hardware Info---
capi card needed, with the AFU image used by libdonut development

Machine Type = Tuleta

---Debugger---
A debugger is not configured

---Steps to Reproduce---
 Run libdonut in a loop, until corruption is seen. Host process will dump core

Stack trace output:
 no

Oops output:
 no

System Dump Info:
  The system is not configured to capture a system dump.

*Additional Instructions for <email address hidden>:
-Attach sysctl -a output to the bug.

== Comment: #1 - Frederic Barrat <email address hidden> - 2017-04-10 04:45:19 ==
Fix is already upstream:

commit 88b1bf7268f56887ca88eb09c6fb0f4fc970121a
Author: Frederic Barrat <email address hidden>
Date: Wed Mar 29 19:19:42 2017 +0200

    powerpc/mm: Add missing global TLB invalidate if cxl is active

Could it be backported to the 16.04 LTS release, as well as 17.04? Thanks
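
The mechanism described in the problem report, as a simplified user-space model in C. This is an added example, not the kernel patch or code from the reporter; the structure and function names (`tlb`, `translate`, `invalidate`, `adapter_corrupts_memory`) and the frame numbers are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NPAGES  4
#define NFRAMES 8
#define EMPTY   (-1)

/* Hypothetical model: one cached translation per virtual page. */
struct tlb { int frame[NPAGES]; };

static int page_table[NPAGES];      /* authoritative mapping kept by the OS */
static char phys[NFRAMES][16];      /* contents of each physical frame */
static struct tlb cpu_tlb, adapter_tlb;

/* Look up vpage; on a miss, refill the cache from the page table. */
static int translate(struct tlb *t, int vpage) {
    if (t->frame[vpage] == EMPTY)
        t->frame[vpage] = page_table[vpage];
    return t->frame[vpage];
}

/* A local invalidate reaches only the CPU; a global one also reaches the adapter. */
static void invalidate(int vpage, int global) {
    cpu_tlb.frame[vpage] = EMPTY;
    if (global)
        adapter_tlb.frame[vpage] = EMPTY;
}

/* Returns 1 if the adapter's write clobbered a frame that now holds unrelated data. */
int adapter_corrupts_memory(int global_invalidate) {
    memset(phys, 0, sizeof phys);
    memset(&cpu_tlb, 0xff, sizeof cpu_tlb);         /* every entry becomes EMPTY */
    memset(&adapter_tlb, 0xff, sizeof adapter_tlb);
    page_table[0] = 2;                  /* area shared with the adapter: frame 2 */
    translate(&cpu_tlb, 0);
    translate(&adapter_tlb, 0);         /* adapter caches vpage 0 -> frame 2 */
    page_table[0] = 5;                  /* host frees and reallocates the area */
    strcpy(phys[2], "other owner");     /* frame 2 is reused for unrelated data */
    invalidate(0, global_invalidate);
    strcpy(phys[translate(&adapter_tlb, 0)], "adapter data");
    return strcmp(phys[2], "other owner") != 0;
}

int main(void) {
    printf("local-only invalidate: corrupted=%d\n", adapter_corrupts_memory(0));
    printf("global invalidate:     corrupted=%d\n", adapter_corrupts_memory(1));
    return 0;
}
```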


bugproxy (bugproxy) on 2017-04-10
tags: added: architecture-ppc64le bugnameltc-153279 severity-high targetmilestone-inin16045
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → linux (Ubuntu)
bugproxy (bugproxy) on 2017-04-10
tags: added: severity-critical
removed: severity-high

Leann,

Critical bug to add to the Kernel Team's queue.

                   Michael

On 04/10/2017 07:49 AM, Launchpad Bug Tracker wrote:
> bugproxy (bugproxy) has assigned this bug to you for Ubuntu:
>
> == Comment: #0 - Frederic Barrat <email address hidden> -
> 2017-04-10 04:44:01 ==
>
> ---Problem Description---
> Memory corruption can be seen when using a capi adapter. It can happen if the host process allocates/frees/reallocates memory areas used by the capi adapter.
> Some TLB invalidations may not be propagated to the capi adapter, causing the corruption.
>
> Contact Information = <email address hidden>
>
> ---uname output---
> Linux garri 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:05:15 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux
>
> ---Additional Hardware Info---
> capi card needed, with the AFU image used by libdonut development
>
>
> Machine Type = Tuleta
>
> ---Debugger---
> A debugger is not configured
>
> ---Steps to Reproduce---
> Run libdonut in a loop, until corruption is seen. Host process will dump core
>
>
> Stack trace output:
> no
>
> Oops output:
> no
>
> System Dump Info:
> The system is not configured to capture a system dump.
>
> *Additional Instructions for <email address hidden>:
> -Attach sysctl -a output to the bug.
>
> == Comment: #1 - Frederic Barrat <email address hidden> - 2017-04-10 04:45:19 ==
> Fix is already upstream:
>
> commit 88b1bf7268f56887ca88eb09c6fb0f4fc970121a
> Author: Frederic Barrat <email address hidden>
> Date: Wed Mar 29 19:19:42 2017 +0200
>
> powerpc/mm: Add missing global TLB invalidate if cxl is active
>
>
> Could it be backported to the 16.04 LTS release, as well as 17.04?
> Thanks
>
> ** Affects: ubuntu
> Importance: Undecided
> Assignee: Taco Screen team (taco-screen-team)
> Status: New
>
>
> ** Tags: architecture-ppc64le bugnameltc-153279 severity-high targetmilestone-inin16045

--
Michael Hohnbaum
OIL Program Manager
Power (ppc64el) Development Project Manager
Canonical, Ltd.

Tim Gardner (timg-tpi) wrote :
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Zesty):
assignee: Taco Screen team (taco-screen-team) → Tim Gardner (timg-tpi)
status: New → In Progress
Stefan Bader (smb) wrote :

Actually 4.4.60 upstream included this for Xenial.

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Seth Forshee (sforshee) on 2017-04-13
Changed in linux (Ubuntu Zesty):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-yakkety
bugproxy (bugproxy) on 2017-05-04
tags: added: verification-done-yakkety
removed: verification-needed-yakkety
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-52.55

---------------
linux (4.8.0-52.55) yakkety; urgency=low

  * linux: 4.8.0-52.55 -proposed tracker (LP: #1686976)

  * CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec (LP: #1685892)
    - macsec: avoid heap overflow in skb_to_sgvec
    - macsec: dynamically allocate space for sglist

  * net/ipv4: original ingress device index set as the loopback interface.
    (LP: #1683982)
    - net: fix incorrect original ingress device index in PKTINFO

  * Touchpad not working correctly after kernel upgrade (LP: #1662589)
    - Input: ALPS - fix V8+ protocol handling (73 03 28)

  * ifup service of network device stay active after driver stop (LP: #1672144)
    - net: use net->count to check whether a netns is alive or not

  * [Hyper-V] mkfs regression in kernel 4.4+ (LP: #1682215)
    - block: relax check on sg gap

  * Potential memory corruption with capi adapters (LP: #1681469)
    - powerpc/mm: Add missing global TLB invalidate if cxl is active

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

 -- Stefan Bader <email address hidden> Fri, 28 Apr 2017 12:17:12 +0200

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) on 2019-07-24
tags: added: cscc