Additional spectre and meltdown patches

Bug #1760099 reported by bugproxy on 2018-03-30
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
The Ubuntu-power-systems project
Medium
Canonical Kernel Team
linux (Ubuntu)
Medium
Canonical Kernel Team
Trusty
Medium
Canonical Kernel Team
Xenial
Medium
Canonical Kernel Team
Artful
Medium
Canonical Kernel Team
Bionic
Medium
Canonical Kernel Team

Bug Description

== Comment: #0 - Breno Leitao <email address hidden> - 2018-03-29 08:53:56 ==
Hi Canonical,

There are some additional patches for Spectre and Meltdown that is required on ppc64el. We would need to have them included on all Ubuntu kernels.

This is the patch series:

[v2,10/10] powerpc/64s: Wire up cpu_show_spectre_v2() [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,09/10] powerpc/64s: Wire up cpu_show_spectre_v1() [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,08/10] powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,07/10] powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,06/10] powerpc/64s: Enhance the information in cpu_show_meltdown() [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,05/10] powerpc/64s: Move cpu_show_meltdown() [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,04/10] powerpc/powernv: Set or clear security feature flags [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,03/10] powerpc/pseries: Set or clear security feature flags [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,02/10] powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown
[v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown [v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown

http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=36012&state=*

== Comment: #1 - Breno Leitao <email address hidden> - 2018-03-29 08:55:48 ==
This is a better formatted patch series list:

[v2,10/10] powerpc/64s: Wire up cpu_show_spectre_v2()
[v2,09/10] powerpc/64s: Wire up cpu_show_spectre_v1()
[v2,08/10] powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
[v2,07/10] powerpc/powernv: Use the security flags in pnv_setup_rfi_flus()
[v2,06/10] powerpc/64s: Enhance the information in cpu_show_meltdown()
[v2,05/10] powerpc/64s: Move cpu_show_meltdown()
[v2,04/10] powerpc/powernv: Set or clear security feature flags
[v2,03/10] powerpc/pseries: Set or clear security feature flags
[v2,02/10] powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
[v2,01/10] powerpc: Add security feature flags for Spectre/Meltdown

CVE References

bugproxy (bugproxy) on 2018-03-30
tags: added: architecture-ppc64le bugnameltc-166222 severity-medium targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → linux (Ubuntu)
Changed in ubuntu-power-systems:
importance: Undecided → Medium
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
tags: added: triage-g
tags: added: pti
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
tags: added: kernel-da-key
Changed in linux (Ubuntu Artful):
status: New → Triaged
Changed in linux (Ubuntu Xenial):
status: New → Triaged
Changed in linux (Ubuntu Artful):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Artful):
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Bionic):
assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Canonical Kernel Team (canonical-kernel-team)
Changed in ubuntu-power-systems:
status: New → Triaged
Changed in linux (Ubuntu Xenial):
assignee: Canonical Kernel Team (canonical-kernel-team) → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Artful):
assignee: Canonical Kernel Team (canonical-kernel-team) → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Bionic):
assignee: Canonical Kernel Team (canonical-kernel-team) → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Xenial):
assignee: Joseph Salisbury (jsalisbury) → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Artful):
assignee: Joseph Salisbury (jsalisbury) → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Bionic):
assignee: Joseph Salisbury (jsalisbury) → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Tyler Hicks (tyhicks) wrote :

@Breno the changes in this patch set touch some of the same areas of code:

  http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=33861&state=*

  [v3,5/5] rfi-flush: Call setup_rfi_flush() after LPM migration
  [v3,4/5] rfi-flush: Differentiate enabled and patched flush types
  [v3,3/5] rfi-flush: Always enable fallback flush on pseries
  [v3,2/5] rfi-flush: Make it possible to call setup_rfi_flush() again
  [v3,1/5] rfi-flush: Move the logic to avoid a redo into the debugfs code

Should we backport around those changes or are they also required?

Breno Leitão (breno-leitao) wrote :

Hey Tyler,

I thought these patches were in already, so, let's bring them also.

Backporting without these fixes might not be easy to accomplish, and nothing something we want to keep for the whole 18.04 life. Let's try to be as near as possible to upstream and bring the required patches in.

Thanks for asking,
Breno

Tyler Hicks (tyhicks) wrote :

@Breno ack, I'll look at bringing them in, as well.

Do you want these changes (both patch sets) in 18.04 only or are you asking for them to be in 17.10, 16.04, and 14.04, as well?

Tyler Hicks (tyhicks) wrote :

@Breno in addition to the question above about which releases you're requesting, I have a new question about section mismatch warnings that the first patchset introduces:

WARNING: vmlinux.o(.text+0x22228): Section mismatch in reference from the function setup_rfi_flush() to the function .init.text:safe_stack_limit()
The function setup_rfi_flush() references
the function __init safe_stack_limit().
This is often because setup_rfi_flush lacks a __init
annotation or the annotation of safe_stack_limit is wrong.

WARNING: vmlinux.o(.text+0x22250): Section mismatch in reference from the function setup_rfi_flush() to the function .init.text:memblock_alloc_base()
The function setup_rfi_flush() references
the function __init memblock_alloc_base().
This is often because setup_rfi_flush lacks a __init
annotation or the annotation of memblock_alloc_base is wrong.

The "rfi-flush: Make it possible to call setup_rfi_flush() again" patch removes the __init__ annotation from setup_rfi_flush() and then the "rfi-flush: Call setup_rfi_flush() after LPM migration" patch makes it so that setup_rfi_flush() can be called outside of the initialization phase. If it is called outside of the initialization phase, it could call the two __init__ functions mentioned in the warnings above. So, from what I can tell, these are legitimate warnings. Are you all aware of these warnings and, if so, have you determined that they're not a problem?

Breno Leitão (breno-leitao) wrote :

Hi Tyler,

Yes, we need to backport this patchset to all the current supported kernel. Since most of the supported kernel contains the whole RFI infra structure, I do not expect it to be hard. If you need help, I can find someone to help on the backport.

Regarding the problem you are facing, I talked to the powerpc maintainer (Michael Ellerman) and he suggested squashing the warning using something as the code below. He will be also sending the patch upstream.

```
diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
index 66f2b6299c40..44c30dd38067 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -880,7 +880,7 @@ void rfi_flush_enable(bool enable)
     rfi_flush = enable;
 }

-static void init_fallback_flush(void)
+static void __ref init_fallback_flush(void)
 {
     u64 l1d_size, limit;
     int cpu;

```

Tyler Hicks (tyhicks) wrote :

Thanks! I just submitted the pull request for bionic. We're too late for the current SRU cycle for the stable releases (17.10, 16.04 LTS, and 14.04 LTS) so we'll have to pick them up in the next SRU cycle.

Note that I didn't include the section mismatch warning since it hadn't been reviewed or merged into linux-next but the patch was sufficient in showing me that the warning isn't an issue. Thanks for following up on that.

Seth Forshee (sforshee) on 2018-04-09
Changed in linux (Ubuntu Bionic):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (35.7 KiB)

This bug was fixed in the package linux - 4.15.0-19.20

---------------
linux (4.15.0-19.20) bionic; urgency=medium

  * linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)

  * Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
    - Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
    - Revert "genirq/affinity: assign vectors to all possible CPUs"

linux (4.15.0-18.19) bionic; urgency=medium

  * linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)

  * [regression] Ubuntu 18.04:[4.15.0-17-generic #18] KVM Guest Kernel:
    meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
    (LP: #1765429)
    - powerpc/pseries: Fix clearing of security feature flags

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Config] signing -- enable Opal signing for ppc64el
    - [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
    - [Packaging] signing -- add support for signing Opal kernel binaries

  * Please cherrypick s390 unwind fix (LP: #1765083)
    - s390/compat: fix setup_frame32

  * Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
    [ipr] (LP: #1751813)
    - d-i: move ipr to storage-core-modules on ppc64el

  * drivers/gpu/drm/bridge/adv7511/adv7511.ko missing (LP: #1764816)
    - SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm

  * Miscellaneous Ubuntu changes
    - [Packaging] Add linux-oem to rebuild test blacklist.

linux (4.15.0-17.18) bionic; urgency=medium

  * linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)

  * Eventual OOM with profile reloads (LP: #1750594)
    - SAUCE: apparmor: fix memory leak when duplicate profile load

linux (4.15.0-16.17) bionic; urgency=medium

  * linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)

  * [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
    - [Config]: Set CONFIG_PINCTRL_CANNONLAKE=y

  * [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
    - SAUCE: usb: typec: ucsi: Increase command completion timeout value

  * Fix trying to "push" an already active pool VP (LP: #1763386)
    - SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP

  * hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
      userspace"
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
    - scsi: hisi_sas: modify some register config for hip08
    - scsi: hisi_sas: add v3 hw MODULE_DEVICE_TABLE()

  * Realtek card reader - RTS5243 [VEN_10EC&DEV_5260] (LP: #1737673)
    - misc: rtsx: Move Realtek Card Reader Driver to misc
    - updateconfigs for Realtek Card Reader Driver
    - misc: rtsx: Add support for RTS5260
    - misc: rtsx: Fix symbol clashes

  * Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
    ./include/linux/net_dim.h (LP: #1...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in ubuntu-power-systems:
status: Triaged → In Progress
tags: added: triage-a
removed: triage-g
Tyler Hicks (tyhicks) wrote :

The Xenial 4.4 kernel was fixed in 4.4.0-127.153:

  https://launchpad.net/ubuntu/+source/linux/4.4.0-127.153

Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Released
Tyler Hicks (tyhicks) wrote :

The Artful 4.13 kernel has already received some of these fixes in 4.13.0-43.48 and the same is true for the Trusty 3.13 kernel in 3.13.0-151.201.

They contain these patches:

    - powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
    - powerpc: Add security feature flags for Spectre/Meltdown
    - powerpc/pseries: Set or clear security feature flags
    - powerpc/powernv: Set or clear security feature flags
    - powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
    - powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()

The missing commits in both kernels are:

  [v2,10/10] powerpc/64s: Wire up cpu_show_spectre_v2()
  [v2,09/10] powerpc/64s: Wire up cpu_show_spectre_v1()
  [v2,06/10] powerpc/64s: Enhance the information in cpu_show_meltdown()
  [v2,05/10] powerpc/64s: Move cpu_show_meltdown()

Tyler Hicks (tyhicks) wrote :

@Breno since the missing commits are only for improved reporting of vulnerability status, does IBM consider them to be needed for Ubuntu 14.04's 3.13 kernel? (Ubuntu 17.10's 4.13 kernel will go EoL soon so it probably won't receive the changes)

Changed in ubuntu-power-systems:
status: In Progress → Triaged

This bug was nominated against a series that is no longer supported, ie artful. The bug task representing the artful nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Artful):
status: Triaged → Won't Fix
Manoj Iyer (manjo) on 2018-08-14
Changed in ubuntu-power-systems:
status: Triaged → Fix Committed
Andrew Cloke (andrew-cloke) wrote :

Marking as Incomplete while awaiting answer to the question in comment #11.

Changed in ubuntu-power-systems:
status: Fix Committed → Incomplete
Manoj Iyer (manjo) on 2019-01-14
Changed in linux (Ubuntu Trusty):
status: Triaged → Won't Fix
Changed in ubuntu-power-systems:
status: Incomplete → Fix Released
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Andy Whitcroft (apw) on 2019-02-14
tags: added: kernel-fixup-verification-needed-bionic
removed: verification-needed-bionic
Andy Whitcroft (apw) wrote :

This bug was erroneously marked for verification in bionic; verification is not required and verification-needed-bionic is being removed.

tags: added: verification-done-bionic
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers