Bug #1754580 “[CVE] Spectre: System Z {kernel} UBUNTU18.04” : Bugs : linux package : Ubuntu

Revision history for this message

bugproxy (bugproxy) wrote on 2018-03-09: kernel config

#1

kernel config Edit (73.2 KiB, application/octet-stream)

Default Comment by Bridge

tags:

added: architecture-s39064 bugnameltc-165423 severity-critical targetmilestone-inin---

Revision history for this message

bugproxy (bugproxy) wrote on 2018-03-09: Ubuntu 18.04 kernel patches

#2

Ubuntu 18.04 kernel patches Edit (14.7 KiB, application/x-gzip)

Default Comment by Bridge

Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Heinz-Werner Seeck (heinz-werner-seeck) on 2018-03-09

information type:

Public → Private

Revision history for this message

bugproxy (bugproxy) wrote on 2018-03-09: Comment bridged from LTC Bugzilla

#3

------- Comment From <email address hidden> 2018-03-09 03:21 EDT-------
With Ubuntu bionic, kernel 4.15.0-11-generic #12-Ubuntu SMP Fri Feb 23 18:38:46 UTC 2018 s390x, I did not see any effect when switching kernel parameter between nobp=1 (secure) and nobp=0 (faster, but insecure). In the kenel config I could not find any option mentioning nobp either.
Attaching kernel config.

The default should be nobp=1 with bionic

git commits required for kernel patches
# 7041d28115e91f2144f811ffe8a195c696b1e1d0
# e2dd833389cc4069a96b57bdd24227b5f52288f5
# cf1489984641369611556bf00c48f945c77bcf02
# d768bd892fc8f066cd3aa000eb1867bcf32db0ee
# 6b73044b2b0081ee3dd1cd6eaab7dee552601efb
# f19fbd5ed642dc31c809596412dab1ed56f2f156
# 2cb370d615e9fbed9e95ed222c2c8f337181aa90
# d5feec04fe578c8dbd9e2e1439afc2f0af761ed4
# d3f468963cd6fd6d2aa5e26aed8b24232096d0e1

Ubuntu 18.04 kernel patches

Frank Heimes (fheimes) on 2018-03-09

Changed in ubuntu-z-systems:
status:	New → Triaged
importance:	Undecided → Critical
assignee:	nobody → Canonical Kernel Team (canonical-kernel-team)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-03-09:

#4

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status:	New → Confirmed

Joseph Salisbury (jsalisbury) on 2018-03-09

tags:	added: kernel-da-key
tags:	added: bionic
Changed in linux (Ubuntu Bionic):
status:	Confirmed → Triaged
importance:	Undecided → Critical

Revision history for this message

bugproxy (bugproxy) wrote on 2018-03-09:

#5

------- Comment From <email address hidden> 2018-03-09 05:59 EDT-------
*** Bug 165546 has been marked as a duplicate of this bug. ***

bugproxy (bugproxy) on 2018-03-14

tags:

added: targetmilestone-inin1804
removed: targetmilestone-inin---

Revision history for this message

Seth Forshee (sforshee) wrote on 2018-03-16:

#6

Can we make this bug public? Or is there a public bug for this issue that can be referenced in our git commit messages?

Changed in linux (Ubuntu Bionic):
assignee:	Skipper Bug Screeners (skipper-screen-team) → Seth Forshee (sforshee)
status:	Triaged → In Progress

Frank Heimes (fheimes) on 2018-03-16

Changed in ubuntu-z-systems:
status:	Triaged → In Progress

Frank Heimes (fheimes) on 2018-03-16

information type:

Private → Public

Revision history for this message

Seth Forshee (sforshee) wrote on 2018-03-16:

#7

The attached config does not seem to contain the new options. These are the values I've selected, please let me know if they should be changed.

CONFIG_EXPOLINE=y
CONFIG_EXPOLINE_FULL=y
# CONFIG_EXPOLINE_MEDIUM is not set
# CONFIG_EXPOLINE_OFF is not set
CONFIG_KERNEL_NOBP=y

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Frank Heimes (fheimes) on 2018-03-16

Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Revision history for this message

bugproxy (bugproxy) wrote on 2018-03-19:

#8

------- Comment From <email address hidden> 2018-03-19 03:04 EDT-------
> The attached config does not seem to contain the new options.
> These are the values I've selected, please let me know if they
> should be changed.
>
> CONFIG_EXPOLINE=y
> CONFIG_EXPOLINE_FULL=y
> # CONFIG_EXPOLINE_MEDIUM is not set
> # CONFIG_EXPOLINE_OFF is not set
> CONFIG_KERNEL_NOBP=y

With the current code these are the correct values. With a future
patch that will use a machine indication if the expolines are still
needed we might want to change to CONFIG_EXPOLINE_MEDIUM
(and rename it to CONFIG_EXPOLINE_AUTO).

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-03-27:

#9

Download full text (32.6 KiB)

This bug was fixed in the package linux - 4.15.0-13.14

---------------
linux (4.15.0-13.14) bionic; urgency=medium

* linux: 4.15.0-13.14 -proposed tracker (LP: #1756408)

  * devpts: handle bind-mounts (LP: #1755857)
    - SAUCE: devpts: hoist out check for DEVPTS_SUPER_MAGIC
    - SAUCE: devpts: resolve devpts bind-mounts
    - SAUCE: devpts: comment devpts_mntget()
    - SAUCE: selftests: add devpts selftests

* [bionic][arm64] d-i: add hisi_sas_v3_hw to scsi-modules (LP: #1756103)
- d-i: add hisi_sas_v3_hw to scsi-modules

  * [Bionic][ARM64] enable ROCE and HNS3 driver support for hip08 SoC
    (LP: #1756097)
    - RDMA/hns: Refactor eq code for hip06
    - RDMA/hns: Add eq support of hip08
    - RDMA/hns: Add detailed comments for mb() call
    - RDMA/hns: Add rq inline data support for hip08 RoCE
    - RDMA/hns: Update the usage of sr_max and rr_max field
    - RDMA/hns: Set access flags of hip08 RoCE
    - RDMA/hns: Filter for zero length of sge in hip08 kernel mode
    - RDMA/hns: Fix QP state judgement before sending work requests
    - RDMA/hns: Assign dest_qp when deregistering mr
    - RDMA/hns: Fix endian problems around imm_data and rkey
    - RDMA/hns: Assign the correct value for tx_cqn
    - RDMA/hns: Create gsi qp in hip08
    - RDMA/hns: Add gsi qp support for modifying qp in hip08
    - RDMA/hns: Fill sq wqe context of ud type in hip08
    - RDMA/hns: Assign zero for pkey_index of wc in hip08
    - RDMA/hns: Update the verbs of polling for completion
    - RDMA/hns: Set the guid for hip08 RoCE device
    - net: hns3: Refactor of the reset interrupt handling logic
    - net: hns3: Add reset service task for handling reset requests
    - net: hns3: Refactors the requested reset & pending reset handling code
    - net: hns3: Add HNS3 VF IMP(Integrated Management Proc) cmd interface
    - net: hns3: Add mailbox support to VF driver
    - net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support
    - net: hns3: Add HNS3 VF driver to kernel build framework
    - net: hns3: Unified HNS3 {VF|PF} Ethernet Driver for hip08 SoC
    - net: hns3: Add mailbox support to PF driver
    - net: hns3: Change PF to add ring-vect binding & resetQ to mailbox
    - net: hns3: Add mailbox interrupt handling to PF driver
    - net: hns3: add support to query tqps number
    - net: hns3: add support to modify tqps number
    - net: hns3: change the returned tqp number by ethtool -x
    - net: hns3: free the ring_data structrue when change tqps
    - net: hns3: get rss_size_max from configuration but not hardcode
    - net: hns3: add a mask initialization for mac_vlan table
    - net: hns3: add vlan offload config command
    - net: hns3: add ethtool related offload command
    - net: hns3: add handling vlan tag offload in bd
    - net: hns3: cleanup mac auto-negotiation state query
    - net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg
    - net: hns3: add support for set_pauseparam
    - net: hns3: add support to update flow control settings after autoneg
    - net: hns3: add Asym Pause support to phy default features
    - net: hns3: add support for querying advertised pause frame by ethtool ethx
    - net:...

This bug was fixed in the package linux - 4.15.0-13.14

---------------
linux (4.15.0-13.14) bionic; urgency=medium

* linux: 4.15.0-13.14 -proposed tracker (LP: #1756408)

* devpts: handle bind-mounts (LP: #1755857)
    - SAUCE: devpts: hoist out check for DEVPTS_SUPER_MAGIC
    - SAUCE: devpts: resolve devpts bind-mounts
    - SAUCE: devpts: comment devpts_mntget()
    - SAUCE: selftests: add devpts selftests

* [bionic][arm64] d-i: add hisi_sas_v3_hw to scsi-modules (LP: #1756103)
    - d-i: add hisi_sas_v3_hw to scsi-modules

* [Bionic][ARM64] enable ROCE and HNS3 driver support for hip08 SoC
    (LP: #1756097)
    - RDMA/hns: Refactor eq code for hip06
    - RDMA/hns: Add eq support of hip08
    - RDMA/hns: Add detailed comments for mb() call
    - RDMA/hns: Add rq inline data support for hip08 RoCE
    - RDMA/hns: Update the usage of sr_max and rr_max field
    - RDMA/hns: Set access flags of hip08 RoCE
    - RDMA/hns: Filter for zero length of sge in hip08 kernel mode
    - RDMA/hns: Fix QP state judgement before sending work requests
    - RDMA/hns: Assign dest_qp when deregistering mr
    - RDMA/hns: Fix endian problems around imm_data and rkey
    - RDMA/hns: Assign the correct value for tx_cqn
    - RDMA/hns: Create gsi qp in hip08
    - RDMA/hns: Add gsi qp support for modifying qp in hip08
    - RDMA/hns: Fill sq wqe context of ud type in hip08
    - RDMA/hns: Assign zero for pkey_index of wc in hip08
    - RDMA/hns: Update the verbs of polling for completion
    - RDMA/hns: Set the guid for hip08 RoCE device
    - net: hns3: Refactor of the reset interrupt handling logic
    - net: hns3: Add reset service task for handling reset requests
    - net: hns3: Refactors the requested reset & pending reset handling code
    - net: hns3: Add HNS3 VF IMP(Integrated Management Proc) cmd interface
    - net: hns3: Add mailbox support to VF driver
    - net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support
    - net: hns3: Add HNS3 VF driver to kernel build framework
    - net: hns3: Unified HNS3 {VF|PF} Ethernet Driver for hip08 SoC
    - net: hns3: Add mailbox support to PF driver
    - net: hns3: Change PF to add ring-vect binding & resetQ to mailbox
    - net: hns3: Add mailbox interrupt handling to PF driver
    - net: hns3: add support to query tqps number
    - net: hns3: add support to modify tqps number
    - net: hns3: change the returned tqp number by ethtool -x
    - net: hns3: free the ring_data structrue when change tqps
    - net: hns3: get rss_size_max from configuration but not hardcode
    - net: hns3: add a mask initialization for mac_vlan table
    - net: hns3: add vlan offload config command
    - net: hns3: add ethtool related offload command
    - net: hns3: add handling vlan tag offload in bd
    - net: hns3: cleanup mac auto-negotiation state query
    - net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg
    - net: hns3: add support for set_pauseparam
    - net: hns3: add support to update flow control settings after autoneg
    - net: hns3: add Asym Pause support to phy default features
    - net: hns3: add support for querying advertised pause frame by ethtool ethx
    - net: hns3: Increase the default depth of bucket for TM shaper
    - net: hns3: change TM sched mode to TC-based mode when SRIOV enabled
    - net: hns3: hns3_get_channels() can be static
    - net: hns3: Add ethtool interface for vlan filter
    - net: hns3: Disable VFs change rxvlan offload status
    - net: hns3: Unify the strings display of packet statistics
    - net: hns3: Fix spelling errors
    - net: hns3: Remove repeat statistic of rx_errors
    - net: hns3: Modify the update period of packet statistics
    - net: hns3: Mask the packet statistics query when NIC is down
    - net: hns3: Fix an error of total drop packet statistics
    - net: hns3: Fix a loop index error of tqp statistics query
    - net: hns3: Fix an error macro definition of HNS3_TQP_STAT
    - net: hns3: Remove a useless member of struct hns3_stats
    - net: hns3: Add packet statistics of netdev
    - net: hns3: Fix a response data read error of tqp statistics query
    - net: hns3: fix for updating fc_mode_last_time
    - net: hns3: fix for setting MTU
    - net: hns3: fix for changing MTU
    - net: hns3: add MTU initialization for hardware
    - net: hns3: fix for not setting pause parameters
    - net: hns3: remove redundant semicolon
    - net: hns3: Add more packet size statisctics
    - Revert "net: hns3: Add packet statistics of netdev"
    - net: hns3: report the function type the same line with hns3_nic_get_stats64
    - net: hns3: add ethtool_ops.get_channels support for VF
    - net: hns3: remove TSO config command from VF driver
    - net: hns3: add ethtool_ops.get_coalesce support to PF
    - net: hns3: add ethtool_ops.set_coalesce support to PF
    - net: hns3: refactor interrupt coalescing init function
    - net: hns3: refactor GL update function
    - net: hns3: remove unused GL setup function
    - net: hns3: change the unit of GL value macro
    - net: hns3: add int_gl_idx setup for TX and RX queues
    - net: hns3: add feature check when feature changed
    - net: hns3: check for NULL function pointer in hns3_nic_set_features
    - net: hns: Fix for variable may be used uninitialized warnings
    - net: hns3: add support for get_regs
    - net: hns3: add manager table initialization for hardware
    - net: hns3: add ethtool -p support for fiber port
    - net: hns3: add net status led support for fiber port
    - net: hns3: converting spaces into tabs to avoid checkpatch.pl warning
    - net: hns3: add get/set_coalesce support to VF
    - net: hns3: add int_gl_idx setup for VF
    - [Config]: enable CONFIG_HNS3_HCLGEVF as module.

* [Bionic][ARM64] add RAS extension and SDEI features (LP: #1756096)
    - KVM: arm64: Store vcpu on the stack during __guest_enter()
    - KVM: arm/arm64: Convert kvm_host_cpu_state to a static per-cpu allocation
    - KVM: arm64: Change hyp_panic()s dependency on tpidr_el2
    - arm64: alternatives: use tpidr_el2 on VHE hosts
    - KVM: arm64: Stop save/restoring host tpidr_el1 on VHE
    - Docs: dt: add devicetree binding for describing arm64 SDEI firmware
    - firmware: arm_sdei: Add driver for Software Delegated Exceptions
    - arm64: Add vmap_stack header file
    - arm64: uaccess: Add PAN helper
    - arm64: kernel: Add arch-specific SDEI entry code and CPU masking
    - firmware: arm_sdei: Add support for CPU and system power states
    - firmware: arm_sdei: add support for CPU private events
    - arm64: acpi: Remove __init from acpi_psci_use_hvc() for use by SDEI
    - firmware: arm_sdei: Discover SDEI support via ACPI
    - arm64: sysreg: Move to use definitions for all the SCTLR bits
    - arm64: cpufeature: Detect CPU RAS Extentions
    - arm64: kernel: Survive corrected RAS errors notified by SError
    - arm64: Unconditionally enable IESB on exception entry/return for firmware-
      first
    - arm64: kernel: Prepare for a DISR user
    - KVM: arm/arm64: mask/unmask daif around VHE guests
    - KVM: arm64: Set an impdef ESR for Virtual-SError using VSESR_EL2.
    - KVM: arm64: Save/Restore guest DISR_EL1
    - KVM: arm64: Save ESR_EL2 on guest SError
    - KVM: arm64: Handle RAS SErrors from EL1 on guest exit
    - KVM: arm64: Handle RAS SErrors from EL2 on guest exit
    - KVM: arm64: Emulate RAS error registers and set HCR_EL2's TERR & TEA
    - [Config]: enable RAS_EXTN and ARM_SDE_INTERFACE

* [Bionic][ARM64] PCI and SAS driver patches for hip08 SoCs (LP: #1756094)
    - scsi: hisi_sas: fix dma_unmap_sg() parameter
    - scsi: ata: enhance the definition of SET MAX feature field value
    - scsi: hisi_sas: relocate clearing ITCT and freeing device
    - scsi: hisi_sas: optimise port id refresh function
    - scsi: hisi_sas: some optimizations of host controller reset
    - scsi: hisi_sas: modify hisi_sas_dev_gone() for reset
    - scsi: hisi_sas: add an mechanism to do reset work synchronously
    - scsi: hisi_sas: change ncq process for v3 hw
    - scsi: hisi_sas: add RAS feature for v3 hw
    - scsi: hisi_sas: add some print to enhance debugging
    - scsi: hisi_sas: improve int_chnl_int_v2_hw() consistency with v3 hw
    - scsi: hisi_sas: add v2 hw port AXI error handling support
    - scsi: hisi_sas: use an general way to delay PHY work
    - scsi: hisi_sas: do link reset for some CHL_INT2 ints
    - scsi: hisi_sas: judge result of internal abort
    - scsi: hisi_sas: add internal abort dev in some places
    - scsi: hisi_sas: fix SAS_QUEUE_FULL problem while running IO
    - scsi: hisi_sas: re-add the lldd_port_deformed()
    - scsi: hisi_sas: add v3 hw suspend and resume
    - scsi: hisi_sas: Change frame type for SET MAX commands
    - scsi: hisi_sas: make local symbol host_attrs static
    - scsi: hisi_sas: fix a bug in hisi_sas_dev_gone()
    - SAUCE: scsi: hisi_sas: config for hip08 ES
    - SAUCE: scsi: hisi_sas: export device table of v3 hw to userspace
    - PM / core: Add LEAVE_SUSPENDED driver flag
    - PCI / PM: Support for LEAVE_SUSPENDED driver flag
    - PCI/AER: Skip recovery callbacks for correctable errors from ACPI APEI
    - PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics
    - PCI/ASPM: Enable Latency Tolerance Reporting when supported
    - PCI/ASPM: Unexport internal ASPM interfaces
    - PCI: Make PCI_SCAN_ALL_PCIE_DEVS work for Root as well as Downstream Ports
    - PCI/AER: Return error if AER is not supported
    - PCI/DPC: Enable DPC only if AER is available

* [CVE] Spectre: System Z {kernel} UBUNTU18.04 (LP: #1754580)
    - s390: scrub registers on kernel entry and KVM exit
    - s390: add optimized array_index_mask_nospec
    - s390/alternative: use a copy of the facility bit mask
    - s390: add options to change branch prediction behaviour for the kernel
    - s390: run user space and KVM guests with modified branch prediction
    - s390: introduce execute-trampolines for branches
    - s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*)
    - s390: do not bypass BPENTER for interrupt system calls
    - s390/entry.S: fix spurious zeroing of r0

* s390/crypto: Fix kernel crash on aes_s390 module remove (LP: #1753424)
    - SAUCE: s390/crypto: Fix kernel crash on aes_s390 module remove.

* [Feature]Update Ubuntu 18.04 lpfc FC driver with 32/64GB HBA support and bug
    fixes (LP: #1752182)
    - scsi: lpfc: FLOGI failures are reported when connected to a private loop.
    - scsi: lpfc: Expand WQE capability of every NVME hardware queue
    - scsi: lpfc: Handle XRI_ABORTED_CQE in soft IRQ
    - scsi: lpfc: Fix NVME LS abort_xri
    - scsi: lpfc: Raise maximum NVME sg list size for 256 elements
    - scsi: lpfc: Driver fails to detect direct attach storage array
    - scsi: lpfc: Fix display for debugfs queInfo
    - scsi: lpfc: Adjust default value of lpfc_nvmet_mrq
    - scsi: lpfc: Fix ndlp ref count for pt2pt mode issue RSCN
    - scsi: lpfc: Linux LPFC driver does not process all RSCNs
    - scsi: lpfc: correct port registrations with nvme_fc
    - scsi: lpfc: Correct driver deregistrations with host nvme transport
    - scsi: lpfc: Fix crash during driver unload with running nvme traffic
    - scsi: lpfc: Fix driver handling of nvme resources during unload
    - scsi: lpfc: small sg cnt cleanup
    - scsi: lpfc: Fix random heartbeat timeouts during heavy IO
    - scsi: lpfc: update driver version to 11.4.0.5
    - scsi: lpfc: Fix -EOVERFLOW behavior for NVMET and defer_rcv
    - scsi: lpfc: Fix receive PRLI handling
    - scsi: lpfc: Increase SCSI CQ and WQ sizes.
    - scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled
    - scsi: lpfc: Fix issues connecting with nvme initiator
    - scsi: lpfc: Fix infinite wait when driver unregisters a remote NVME port.
    - scsi: lpfc: Beef up stat counters for debug
    - scsi: lpfc: update driver version to 11.4.0.6
    - scsi: lpfc: correct sg_seg_cnt attribute min vs default
    - scsi: scsi_transport_fc: fix typos on 64/128 GBit define names
    - scsi: lpfc: don't dereference localport before it has been null checked
    - scsi: lpfc: fix a couple of minor indentation issues
    - treewide: Use DEVICE_ATTR_RW
    - treewide: Use DEVICE_ATTR_RO
    - treewide: Use DEVICE_ATTR_WO
    - scsi: lpfc: Fix frequency of Release WQE CQEs
    - scsi: lpfc: Increase CQ and WQ sizes for SCSI
    - scsi: lpfc: move placement of target destroy on driver detach
    - scsi: lpfc: correct debug counters for abort
    - scsi: lpfc: Add WQ Full Logic for NVME Target
    - scsi: lpfc: Fix PRLI handling when topology type changes
    - scsi: lpfc: Fix IO failure during hba reset testing with nvme io.
    - scsi: lpfc: Fix RQ empty firmware trap
    - scsi: lpfc: Allow set of maximum outstanding SCSI cmd limit for a target
    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
    - scsi: lpfc: Fix issue_lip if link is disabled
    - scsi: lpfc: Indicate CONF support in NVMe PRLI
    - scsi: lpfc: Fix SCSI io host reset causing kernel crash
    - scsi: lpfc: Validate adapter support for SRIU option
    - scsi: lpfc: Fix header inclusion in lpfc_nvmet
    - scsi: lpfc: Treat SCSI Write operation Underruns as an error
    - scsi: lpfc: Fix nonrecovery of NVME controller after cable swap.
    - scsi: lpfc: update driver version to 11.4.0.7
    - scsi: lpfc: Update 11.4.0.7 modified files for 2018 Copyright
    - scsi: lpfc: Rework lpfc to allow different sli4 cq and eq handlers
    - scsi: lpfc: Rework sli4 doorbell infrastructure
    - scsi: lpfc: Add SLI-4 if_type=6 support to the code base
    - scsi: lpfc: Add push-to-adapter support to sli4
    - scsi: lpfc: Add PCI Ids for if_type=6 hardware
    - scsi: lpfc: Add 64G link speed support
    - scsi: lpfc: Add if_type=6 support for cycling valid bits
    - scsi: lpfc: Enable fw download on if_type=6 devices
    - scsi: lpfc: Add embedded data pointers for enhanced performance
    - scsi: lpfc: Fix nvme embedded io length on new hardware
    - scsi: lpfc: Work around NVME cmd iu SGL type
    - scsi: lpfc: update driver version to 12.0.0.0
    - scsi: lpfc: Change Copyright of 12.0.0.0 modified files to 2018
    - scsi: lpfc: use __raw_writeX on DPP copies
    - scsi: lpfc: Add missing unlock in WQ full logic

* CVE-2018-8043
    - net: phy: mdio-bcm-unimac: fix potential NULL dereference in
      unimac_mdio_probe()

* Bionic update to 4.15.10 stable release (LP: #1756100)
    - Revert "UBUNTU: SAUCE: ALSA: hda/realtek - Add support headset mode for DELL
      WYSE"
    - RDMA/ucma: Limit possible option size
    - RDMA/ucma: Check that user doesn't overflow QP state
    - RDMA/mlx5: Fix integer overflow while resizing CQ
    - bpf: cpumap: use GFP_KERNEL instead of GFP_ATOMIC in __cpu_map_entry_alloc()
    - IB/uverbs: Improve lockdep_check
    - mac80211_hwsim: don't use WQ_MEM_RECLAIM
    - net/smc: fix NULL pointer dereference on sock_create_kern() error path
    - regulator: stm32-vrefbuf: fix check on ready flag
    - drm/i915: Check for fused or unused pipes
    - drm/i915/audio: fix check for av_enc_map overflow
    - drm/i915: Fix rsvd2 mask when out-fence is returned
    - drm/i915: Clear the in-use marker on execbuf failure
    - drm/i915: Disable DC states around GMBUS on GLK
    - drm/i915: Update watermark state correctly in sanitize_watermarks
    - drm/i915: Try EDID bitbanging on HDMI after failed read
    - drm/i915/perf: fix perf stream opening lock
    - scsi: core: Avoid that ATA error handling can trigger a kernel hang or oops
    - scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
    - drm/i915: Always call to intel_display_set_init_power() in resume_early.
    - workqueue: Allow retrieval of current task's work struct
    - drm: Allow determining if current task is output poll worker
    - drm/nouveau: Fix deadlock on runtime suspend
    - drm/radeon: Fix deadlock on runtime suspend
    - drm/amdgpu: Fix deadlock on runtime suspend
    - drm/nouveau: prefer XBGR2101010 for addfb ioctl
    - drm/amd/powerplay/smu7: allow mclk switching with no displays
    - drm/amd/powerplay/vega10: allow mclk switching with no displays
    - Revert "drm/radeon/pm: autoswitch power state when in balanced mode"
    - drm/amd/display: check for ipp before calling cursor operations
    - drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE
    - drm/amd/powerplay: fix power over limit on Fiji
    - drm/amd/display: Default HDMI6G support to true. Log VBIOS table error.
    - drm/amdgpu: used cached pcie gen info for SI (v2)
    - drm/amdgpu: Notify sbios device ready before send request
    - drm/radeon: fix KV harvesting
    - drm/amdgpu: fix KV harvesting
    - drm/amdgpu:Correct max uvd handles
    - drm/amdgpu:Always save uvd vcpu_bo in VM Mode
    - ovl: redirect_dir=nofollow should not follow redirect for opaque lower
    - MIPS: BMIPS: Do not mask IPIs during suspend
    - MIPS: ath25: Check for kzalloc allocation failure
    - MIPS: OCTEON: irq: Check for null return on kzalloc allocation
    - PCI: dwc: Fix enumeration end when reaching root subordinate
    - Input: matrix_keypad - fix race when disabling interrupts
    - Revert "Input: synaptics - Lenovo Thinkpad T460p devices should use RMI"
    - bug: use %pB in BUG and stack protector failure
    - lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()
    - mm/memblock.c: hardcode the end_pfn being -1
    - Documentation/sphinx: Fix Directive import error
    - loop: Fix lost writes caused by missing flag
    - virtio_ring: fix num_free handling in error case
    - KVM: s390: fix memory overwrites when not using SCA entries
    - arm64: mm: fix thinko in non-global page table attribute check
    - IB/core: Fix missing RDMA cgroups release in case of failure to register
      device
    - Revert "nvme: create 'slaves' and 'holders' entries for hidden controllers"
    - kbuild: Handle builtin dtb file names containing hyphens
    - dm bufio: avoid false-positive Wmaybe-uninitialized warning
    - IB/mlx5: Fix incorrect size of klms in the memory region
    - bcache: fix crashes in duplicate cache device register
    - bcache: don't attach backing with duplicate UUID
    - x86/MCE: Save microcode revision in machine check records
    - x86/MCE: Serialize sysfs changes
    - perf tools: Fix trigger class trigger_on()
    - x86/spectre_v2: Don't check microcode versions when running under
      hypervisors
    - ALSA: hda/realtek - Add support headset mode for DELL WYSE
    - ALSA: hda/realtek - Add headset mode support for Dell laptop
    - ALSA: hda/realtek: Limit mic boost on T480
    - ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
    - ALSA: hda/realtek - Make dock sound work on ThinkPad L570
    - ALSA: seq: More protection for concurrent write and ioctl races
    - ALSA: hda: add dock and led support for HP EliteBook 820 G3
    - ALSA: hda: add dock and led support for HP ProBook 640 G2
    - scsi: qla2xxx: Fix NULL pointer crash due to probe failure
    - scsi: qla2xxx: Fix recursion while sending terminate exchange
    - dt-bindings: Document mti,mips-cpc binding
    - MIPS: CPC: Map registers using DT in mips_cpc_default_phys_base()
    - nospec: Kill array_index_nospec_mask_check()
    - nospec: Include <asm/barrier.h> dependency
    - x86/entry: Reduce the code footprint of the 'idtentry' macro
    - x86/entry/64: Use 'xorl' for faster register clearing
    - x86/mm: Remove stale comment about KMEMCHECK
    - x86/asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers
    - x86/IO-APIC: Avoid warning in 32-bit builds
    - x86/LDT: Avoid warning in 32-bit builds with older gcc
    - x86-64/realmode: Add instruction suffix
    - Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
    - x86/speculation: Use IBRS if available before calling into firmware
    - x86/retpoline: Support retpoline builds with Clang
    - x86/speculation, objtool: Annotate indirect calls/jumps for objtool
    - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
    - x86/paravirt, objtool: Annotate indirect calls
    - x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
    - x86/mm/sme, objtool: Annotate indirect call in sme_encrypt_execute()
    - objtool: Use existing global variables for options
    - objtool: Add retpoline validation
    - objtool: Add module specific retpoline rules
    - objtool, retpolines: Integrate objtool with retpoline support more closely
    - objtool: Fix another switch table detection issue
    - objtool: Fix 32-bit build
    - x86/kprobes: Fix kernel crash when probing .entry_trampoline code
    - watchdog: hpwdt: SMBIOS check
    - watchdog: hpwdt: Check source of NMI
    - watchdog: hpwdt: fix unused variable warning
    - watchdog: hpwdt: Remove legacy NMI sourcing.
    - netfilter: add back stackpointer size checks
    - netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
    - netfilter: xt_hashlimit: fix lock imbalance
    - netfilter: x_tables: fix missing timer initialization in xt_LED
    - netfilter: nat: cope with negative port range
    - netfilter: IDLETIMER: be syzkaller friendly
    - netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
    - netfilter: bridge: ebt_among: add missing match size checks
    - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
    - netfilter: use skb_to_full_sk in ip6_route_me_harder
    - tpm_tis: Move ilb_base_addr to tpm_tis_data
    - tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd()
    - tpm: delete the TPM_TIS_CLK_ENABLE flag
    - tpm: remove unused variables
    - tpm: only attempt to disable the LPC CLKRUN if is already enabled
    - x86/xen: Calculate __max_logical_packages on PV domains
    - scsi: qla2xxx: Fix system crash for Notify ack timeout handling
    - scsi: qla2xxx: Fix gpnid error processing
    - scsi: qla2xxx: Move session delete to driver work queue
    - scsi: qla2xxx: Skip IRQ affinity for Target QPairs
    - scsi: qla2xxx: Fix re-login for Nport Handle in use
    - scsi: qla2xxx: Retry switch command on time out
    - scsi: qla2xxx: Serialize GPNID for multiple RSCN
    - scsi: qla2xxx: Fix login state machine stuck at GPDB
    - scsi: qla2xxx: Fix NPIV host cleanup in target mode
    - scsi: qla2xxx: Relogin to target port on a cable swap
    - scsi: qla2xxx: Fix Relogin being triggered too fast
    - scsi: qla2xxx: Fix PRLI state check
    - scsi: qla2xxx: Fix abort command deadlock due to spinlock
    - scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
    - scsi: qla2xxx: Fix scan state field for fcport
    - scsi: qla2xxx: Clear loop id after delete
    - scsi: qla2xxx: Defer processing of GS IOCB calls
    - scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout.
    - scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref
    - scsi: qla2xxx: Fix memory leak in dual/target mode
    - NFS: Fix an incorrect type in struct nfs_direct_req
    - pNFS: Prevent the layout header refcount going to zero in pnfs_roc()
    - NFS: Fix unstable write completion
    - Linux 4.15.10

* Bionic update to 4.15.10 stable release (LP: #1756100) // CVE-2018-1000004.
    - ALSA: seq: Don't allow resizing pool in use

* nfp: prioritize stats updates (LP: #1752061)
    - nfp: flower: prioritize stats updates

* Ubuntu 18.04 - Kernel crash on nvme subsystem-reset /dev/nvme0 (Bolt / NVMe)
    (LP: #1753371)
    - nvme-pci: Fix EEH failure on ppc

* sbsa watchdog crashes thunderx2 system (LP: #1755595)
    - watchdog: sbsa: use 32-bit read for WCV

* KVM: s390: add vcpu stat counters for many instruction (LP: #1755132)
    - KVM: s390: diagnoses are instructions as well
    - KVM: s390: add vcpu stat counters for many instruction

* CIFS SMB2/SMB3 does not work for domain based DFS (LP: #1747572)
    - CIFS: make IPC a regular tcon
    - CIFS: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl
    - CIFS: dump IPC tcon in debug proc file

* i2c-thunderx: erroneous error message "unhandled state: 0" (LP: #1754076)
    - i2c: octeon: Prevent error message on bus error

* Boston-LC:bos1u1: Stress test on Qlogic Fibre Channel on Ubuntu KVM guest
    that caused KVM host crashed in qlt_free_session_done call (LP: #1750441)
    - scsi: qla2xxx: Fix memory corruption during hba reset test

* Ubuntu 18.04 - Performance: Radix page fault handler bug in KVM
    (LP: #1752236)
    - KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler

* Fix ARC hit rate (LP: #1755158)
    - SAUCE: Fix ARC hit rate (LP: #1755158)

* Bionic update to 4.15.9 stable release (LP: #1755275)
    - bpf: fix mlock precharge on arraymaps
    - bpf: fix memory leak in lpm_trie map_free callback function
    - bpf: fix rcu lockdep warning for lpm_trie map_free callback
    - bpf, x64: implement retpoline for tail call
    - bpf, arm64: fix out of bounds access in tail call
    - bpf: add schedule points in percpu arrays management
    - bpf: allow xadd only on aligned memory
    - bpf, ppc64: fix out of bounds access in tail call
    - scsi: mpt3sas: fix oops in error handlers after shutdown/unload
    - scsi: mpt3sas: wait for and flush running commands on shutdown/unload
    - KVM: x86: fix backward migration with async_PF
    - Linux 4.15.9

* Bionic update to 4.15.8 stable release (LP: #1755179)
    - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
    - ipmi_si: Fix error handling of platform device
    - platform/x86: dell-laptop: Allocate buffer on heap rather than globally
    - powerpc/pseries: Enable RAS hotplug events later
    - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking
    - ixgbe: fix crash in build_skb Rx code path
    - tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the
      bus
    - tpm: fix potential buffer overruns caused by bit glitches on the bus
    - tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on
      the bus
    - tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the
      bus
    - tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
    - ALSA: usb-audio: Add a quirck for B&W PX headphones
    - ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
    - ALSA: x86: Fix missing spinlock and mutex initializations
    - ALSA: hda: Add a power_save blacklist
    - ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
    - mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
    - mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
    - mmc: dw_mmc: Avoid accessing registers in runtime suspended state
    - mmc: dw_mmc: Factor out dw_mci_init_slot_caps
    - mmc: dw_mmc: Fix out-of-bounds access for slot's caps
    - timers: Forward timer base before migrating timers
    - parisc: Use cr16 interval timers unconditionally on qemu
    - parisc: Reduce irq overhead when run in qemu
    - parisc: Fix ordering of cache and TLB flushes
    - parisc: Hide virtual kernel memory layout
    - btrfs: use proper endianness accessors for super_copy
    - block: fix the count of PGPGOUT for WRITE_SAME
    - block: kyber: fix domain token leak during requeue
    - block: pass inclusive 'lend' parameter to truncate_inode_pages_range
    - vfio: disable filesystem-dax page pinning
    - cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
    - dax: fix vma_is_fsdax() helper
    - direct-io: Fix sleep in atomic due to sync AIO
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - x86/platform/intel-mid: Handle Intel Edison reboot correctly
    - x86/cpu_entry_area: Sync cpu_entry_area to initial_page_table
    - bridge: check brport attr show in brport_show
    - fib_semantics: Don't match route with mismatching tclassid
    - hdlc_ppp: carrier detect ok, don't turn off negotiation
    - ipv6 sit: work around bogus gcc-8 -Wrestrict warning
    - net: amd-xgbe: fix comparison to bitshift when dealing with a mask
    - net: ethernet: ti: cpsw: fix net watchdog timeout
    - net: fix race on decreasing number of TX queues
    - net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
    - netlink: ensure to loop over all netns in genlmsg_multicast_allns()
    - net: sched: report if filter is too large to dump
    - ppp: prevent unregistered channels from connecting to PPP units
    - sctp: verify size of a new chunk in _sctp_make_chunk()
    - udplite: fix partial checksum initialization
    - net/mlx5e: Fix TCP checksum in LRO buffers
    - sctp: fix dst refcnt leak in sctp_v4_get_dst
    - mlxsw: spectrum_switchdev: Check success of FDB add operation
    - net/mlx5e: Specify numa node when allocating drop rq
    - net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
    - tcp: Honor the eor bit in tcp_mtu_probe
    - rxrpc: Fix send in rxrpc_send_data_packet()
    - tcp_bbr: better deal with suboptimal GSO
    - doc: Change the min default value of tcp_wmem/tcp_rmem.
    - net/mlx5e: Fix loopback self test when GRO is off
    - net_sched: gen_estimator: fix broken estimators based on percpu stats
    - net/sched: cls_u32: fix cls_u32 on filter replace
    - sctp: do not pr_err for the duplicated node in transport rhlist
    - mlxsw: spectrum_router: Fix error path in mlxsw_sp_vr_create
    - net: ipv4: Set addr_type in hash_keys for forwarded case
    - sctp: fix dst refcnt leak in sctp_v6_get_dst()
    - bridge: Fix VLAN reference count problem
    - net/mlx5e: Verify inline header size do not exceed SKB linear size
    - tls: Use correct sk->sk_prot for IPV6
    - amd-xgbe: Restore PCI interrupt enablement setting on resume
    - cls_u32: fix use after free in u32_destroy_key()
    - mlxsw: spectrum_router: Do not unconditionally clear route offload
      indication
    - netlink: put module reference if dump start fails
    - tcp: purge write queue upon RST
    - tuntap: correctly add the missing XDP flush
    - tuntap: disable preemption during XDP processing
    - virtio-net: disable NAPI only when enabled during XDP set
    - cxgb4: fix trailing zero in CIM LA dump
    - net/mlx5: Fix error handling when adding flow rules
    - net: phy: Restore phy_resume() locking assumption
    - tcp: tracepoint: only call trace_tcp_send_reset with full socket
    - l2tp: don't use inet_shutdown on tunnel destroy
    - l2tp: don't use inet_shutdown on ppp session destroy
    - l2tp: fix races with tunnel socket close
    - l2tp: fix race in pppol2tp_release with session object destroy
    - l2tp: fix tunnel lookup use-after-free race
    - s390/qeth: fix underestimated count of buffer elements
    - s390/qeth: fix SETIP command handling
    - s390/qeth: fix overestimated count of buffer elements
    - s390/qeth: fix IP removal on offline cards
    - s390/qeth: fix double-free on IP add/remove race
    - Revert "s390/qeth: fix using of ref counter for rxip addresses"
    - s390/qeth: fix IP address lookup for L3 devices
    - s390/qeth: fix IPA command submission race
    - tcp: revert F-RTO middle-box workaround
    - tcp: revert F-RTO extension to detect more spurious timeouts
    - blk-mq: don't call io sched's .requeue_request when requeueing rq to
      ->dispatch
    - media: m88ds3103: don't call a non-initalized function
    - EDAC, sb_edac: Fix out of bound writes during DIMM configuration on KNL
    - KVM: s390: take care of clock-comparator sign control
    - KVM: s390: provide only a single function for setting the tod (fix SCK)
    - KVM: s390: consider epoch index on hotplugged CPUs
    - KVM: s390: consider epoch index on TOD clock syncs
    - nospec: Allow index argument to have const-qualified type
    - x86/mm: Fix {pmd,pud}_{set,clear}_flags()
    - ARM: orion: fix orion_ge00_switch_board_info initialization
    - ARM: dts: rockchip: Remove 1.8 GHz operation point from phycore som
    - ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
    - ARM: kvm: fix building with gcc-8
    - KVM: X86: Fix SMRAM accessing even if VM is shutdown
    - KVM: mmu: Fix overlap between public and private memslots
    - KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
    - KVM: x86: move LAPIC initialization after VMCS creation
    - KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
      path as unlikely()
    - KVM: x86: fix vcpu initialization with userspace lapic
    - KVM/x86: remove WARN_ON() for when vm_munmap() fails
    - ACPI / bus: Parse tables as term_list for Dell XPS 9570 and Precision M5530
    - ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux
    - ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
    - powerpc/64s/radix: Boot-time NULL pointer protection using a guard-PID
    - md: only allow remove_and_add_spares when no sync_thread running.
    - platform/x86: dell-laptop: fix kbd_get_state's request value
    - Linux 4.15.8

* ZFS setgid broken on 0.7 (LP: #1753288)
    - SAUCE: Fix ZFS setgid

* /proc/kallsyms prints "(null)" for null addresses in 4.15 (LP: #1754297)
    - vsprintf: avoid misleading "(null)" for %px

* Miscellaneous Ubuntu changes
    - d-i: Add netsec to nic-modules
    - [Config] fix up retpoline abi files
    - [Config] set NOBP and expoline options for s390

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Fri, 16 Mar 2018 14:49:27 -0300

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2018-03-27

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released

Revision history for this message

bugproxy (bugproxy) wrote on 2018-05-22:

#10

------- Comment From <email address hidden> 2018-05-22 04:01 EDT-------
IBM Bugzilla status closed; Further updates will be provide via kernel-stable releases

Ubuntu
linux package

[CVE] Spectre: System Z {kernel} UBUNTU18.04

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	Fix Released	Critical	Canonical Kernel Team
linux (Ubuntu)	Fix Released	Critical	Seth Forshee
Bionic	Fix Released	Critical	Seth Forshee

Ubuntulinux package

[CVE] Spectre: System Z {kernel} UBUNTU18.04

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package