Bug #1785675 “Security fix: check if IOMMU page is contained in ...” : Bugs : linux package : Ubuntu

bugproxy (bugproxy) on 2018-08-06

tags:	added: architecture-ppc64le bugnameltc-170311 severity-critical targetmilestone-inin1804
Changed in ubuntu:
assignee:	nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects:	ubuntu → linux (Ubuntu)

Andrew Cloke (andrew-cloke) on 2018-08-06

Changed in ubuntu-power-systems:
assignee:	nobody → Canonical Kernel Team (canonical-kernel-team)
importance:	Undecided → Critical
tags:	added: triage-g

Joseph Salisbury (jsalisbury) on 2018-08-07

Changed in linux (Ubuntu):
importance:	Undecided → Critical

Joseph Salisbury (jsalisbury) on 2018-08-07

Changed in linux (Ubuntu Bionic):
importance:	Undecided → Critical
status:	New → Triaged
Changed in linux (Ubuntu):
status:	New → Triaged

Andrew Cloke (andrew-cloke) on 2018-08-07

Changed in ubuntu-power-systems:
status:	New → Triaged

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-08-07:

#1

I built a test kernel with commit 76fa4975f3ed. It required commit 1463edca6734d as a prereq.

The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1785675

Can you test this kernel and see if it resolves this bug?

Note about installing test kernels:
* If the test kernel is prior to 4.15(Bionic) you need to install the linux-image and linux-image-extra .deb packages.
* If the test kernel is 4.15(Bionic) or newer, you need to install the linux-modules, linux-modules-extra and linux-image-unsigned .deb packages.

Thanks in advance!

Revision history for this message

bugproxy (bugproxy) wrote on 2018-08-09: Comment bridged from LTC Bugzilla

#2

------- Comment From <email address hidden> 2018-08-09 12:24 EDT-------
(In reply to comment #6)
> I built a test kernel with commit 76fa4975f3ed. It required commit
> 1463edca6734d as a prereq.
>
> The test kernel can be downloaded from:
> http://kernel.ubuntu.com/~jsalisbury/lp1785675
>
> Can you test this kernel and see if it resolves this bug?
>
> Note about installing test kernels:
> * If the test kernel is prior to 4.15(Bionic) you need to install the
> linux-image and linux-image-extra .deb packages.
> * If the test kernel is 4.15(Bionic) or newer, you need to install the
> linux-modules, linux-modules-extra and linux-image-unsigned .deb packages.
>
> Thanks in advance!

Hi Joseph,

We working in an environment to exploit it in a test, so sooner if possible I'll test it.

Manoj Iyer (manjo) on 2018-08-13

Changed in linux (Ubuntu):
assignee:	Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Bionic):
assignee:	nobody → Canonical Kernel Team (canonical-kernel-team)

Andrew Cloke (andrew-cloke) on 2018-08-13

Changed in ubuntu-power-systems:
status:	Triaged → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2018-08-20:

#3

------- Comment From <email address hidden> 2018-08-20 12:31 EDT-------
Joseph,

This a kind of test that needs some interventions in the kernels of host and guest, and maybe in the Qemu either to analysis the memory area if affected.

I believe just a sanity test with page size changing between host and guest will be enough to validate it.

I have re-built a kernel package with the patch from source and changing the PAGESIZE support to 4k, then the environment was running with 4k and the guest with 64k without problems.

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-08-27:

#4

Thanks for testing. I'll submit an SRU request.

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-08-31:

#5

https://lists.ubuntu.com/archives/kernel-team/2018-August/095103.html

description:

updated

Kleber Sacilotto de Souza (kleber-souza) on 2018-09-05

Changed in linux (Ubuntu Bionic):
status:	Triaged → Fix Committed

Frank Heimes (fheimes) on 2018-09-10

Changed in ubuntu-power-systems:
status:	In Progress → Fix Committed

Manoj Iyer (manjo) on 2018-09-10

Changed in linux (Ubuntu):
status:	Triaged → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-09-14:

#6

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

bugproxy (bugproxy) wrote on 2018-09-20:

#7

------- Comment From <email address hidden> 2018-09-19 22:01 EDT-------
Hi Canonical,

I tested the latest kernel 4.15.0-35 and 4.15.0-34 for comparison and both got similar results with a full stress-ng test by stress-ng in the GUEST and the HOST running the 4.15.0-35 kernel.
eg. command for stress:
$ stress-ng --all $(nproc) --vm-bytes 80% --aggressive --maximize --oomable --timeout 300 --verify --syslog --metrics --times

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-10-01:

#8

Download full text (23.5 KiB)

This bug was fixed in the package linux - 4.15.0-36.39

---------------
linux (4.15.0-36.39) bionic; urgency=medium

* CVE-2018-14633
- iscsi target: Use hex2bin instead of a re-implementation

* CVE-2018-17182
- mm: get rid of vmacache_flush_all() entirely

linux (4.15.0-35.38) bionic; urgency=medium

* linux: 4.15.0-35.38 -proposed tracker (LP: #1791719)

  * device hotplug of vfio devices can lead to deadlock in vfio_pci_release
    (LP: #1792099)
    - SAUCE: vfio -- release device lock before userspace requests

  * L1TF mitigation not effective in some CPU and RAM combinations
    (LP: #1788563)
    - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
    - x86/speculation/l1tf: Fix off-by-one error when warning that system has too
      much RAM
    - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+

* CVE-2018-15594
- x86/paravirt: Fix spectre-v2 mitigations for paravirt guests

  * CVE-2017-5715 (Spectre v2 s390x)
    - KVM: s390: implement CPU model only facilities
    - s390: detect etoken facility
    - KVM: s390: add etoken support for guests
    - s390/lib: use expoline for all bcr instructions
    - s390: fix br_r1_trampoline for machines without exrl
    - SAUCE: s390: use expoline thunks for all branches generated by the BPF JIT

  * Ubuntu18.04.1: cpuidle: powernv: Fix promotion from snooze if next state
    disabled (performance) (LP: #1790602)
    - cpuidle: powernv: Fix promotion from snooze if next state disabled

  * Watchdog CPU:19 Hard LOCKUP when kernel crash was triggered (LP: #1790636)
    - powerpc: hard disable irqs in smp_send_stop loop
    - powerpc: Fix deadlock with multiple calls to smp_send_stop
    - powerpc: smp_send_stop do not offline stopped CPUs
    - powerpc/powernv: Fix opal_event_shutdown() called with interrupts disabled

  * Security fix: check if IOMMU page is contained in the pinned physical page
    (LP: #1785675)
    - vfio/spapr: Use IOMMU pageshift rather than pagesize
    - KVM: PPC: Check if IOMMU page is contained in the pinned physical page

  * Missing Intel GPU pci-id's (LP: #1789924)
    - drm/i915/kbl: Add KBL GT2 sku
    - drm/i915/whl: Introducing Whiskey Lake platform
    - drm/i915/aml: Introducing Amber Lake platform
    - drm/i915/cfl: Add a new CFL PCI ID.

* CVE-2018-15572
- x86/speculation: Protect against userspace-userspace spectreRSB

  * Support Power Management for Thunderbolt Controller (LP: #1789358)
    - thunderbolt: Handle NULL boot ACL entries properly
    - thunderbolt: Notify userspace when boot_acl is changed
    - thunderbolt: Use 64-bit DMA mask if supported by the platform
    - thunderbolt: Do not unnecessarily call ICM get route
    - thunderbolt: No need to take tb->lock in domain suspend/complete
    - thunderbolt: Use correct ICM commands in system suspend
    - thunderbolt: Add support for runtime PM

* random oopses on s390 systems using NVMe devices (LP: #1790480)
- s390/pci: fix out of bounds access during irq setup

  * [Bionic] Spectre v4 mitigation (Speculative Store Bypass Disable) support
    for arm64 using SMC firmware call to set a hardware chicken bit
    (LP: #1787993) // CVE-2018...

This bug was fixed in the package linux - 4.15.0-36.39

---------------
linux (4.15.0-36.39) bionic; urgency=medium

* CVE-2018-14633
    - iscsi target: Use hex2bin instead of a re-implementation

* CVE-2018-17182
    - mm: get rid of vmacache_flush_all() entirely

linux (4.15.0-35.38) bionic; urgency=medium

* linux: 4.15.0-35.38 -proposed tracker (LP: #1791719)

* device hotplug of vfio devices can lead to deadlock in vfio_pci_release
    (LP: #1792099)
    - SAUCE: vfio -- release device lock before userspace requests

* L1TF mitigation not effective in some CPU and RAM combinations
    (LP: #1788563)
    - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
    - x86/speculation/l1tf: Fix off-by-one error when warning that system has too
      much RAM
    - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+

* CVE-2018-15594
    - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests

* CVE-2017-5715 (Spectre v2 s390x)
    - KVM: s390: implement CPU model only facilities
    - s390: detect etoken facility
    - KVM: s390: add etoken support for guests
    - s390/lib: use expoline for all bcr instructions
    - s390: fix br_r1_trampoline for machines without exrl
    - SAUCE: s390: use expoline thunks for all branches generated by the BPF JIT

* Ubuntu18.04.1: cpuidle: powernv: Fix promotion from snooze if next state
    disabled (performance) (LP: #1790602)
    - cpuidle: powernv: Fix promotion from snooze if next state disabled

* Watchdog CPU:19 Hard LOCKUP when kernel crash was triggered (LP: #1790636)
    - powerpc: hard disable irqs in smp_send_stop loop
    - powerpc: Fix deadlock with multiple calls to smp_send_stop
    - powerpc: smp_send_stop do not offline stopped CPUs
    - powerpc/powernv: Fix opal_event_shutdown() called with interrupts disabled

* Security fix: check if IOMMU page is contained in the pinned physical page
    (LP: #1785675)
    - vfio/spapr: Use IOMMU pageshift rather than pagesize
    - KVM: PPC: Check if IOMMU page is contained in the pinned physical page

* Missing Intel GPU pci-id's (LP: #1789924)
    - drm/i915/kbl: Add KBL GT2 sku
    - drm/i915/whl: Introducing Whiskey Lake platform
    - drm/i915/aml: Introducing Amber Lake platform
    - drm/i915/cfl: Add a new CFL PCI ID.

* CVE-2018-15572
    - x86/speculation: Protect against userspace-userspace spectreRSB

* Support Power Management for Thunderbolt Controller  (LP: #1789358)
    - thunderbolt: Handle NULL boot ACL entries properly
    - thunderbolt: Notify userspace when boot_acl is changed
    - thunderbolt: Use 64-bit DMA mask if supported by the platform
    - thunderbolt: Do not unnecessarily call ICM get route
    - thunderbolt: No need to take tb->lock in domain suspend/complete
    - thunderbolt: Use correct ICM commands in system suspend
    - thunderbolt: Add support for runtime PM

* random oopses on s390 systems using NVMe devices (LP: #1790480)
    - s390/pci: fix out of bounds access during irq setup

* [Bionic] Spectre v4 mitigation (Speculative Store Bypass Disable) support
    for arm64 using SMC firmware call to set a hardware chicken bit
    (LP: #1787993) // CVE-2018-3639 (arm64)
    - arm64: alternatives: Add dynamic patching feature
    - KVM: arm/arm64: Do not use kern_hyp_va() with kvm_vgic_global_state
    - KVM: arm64: Avoid storing the vcpu pointer on the stack
    - arm/arm64: smccc: Add SMCCC-specific return codes
    - arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1
    - arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2
    - arm64: Add ARCH_WORKAROUND_2 probing
    - arm64: Add 'ssbd' command-line option
    - arm64: ssbd: Add global mitigation state accessor
    - arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation
    - arm64: ssbd: Restore mitigation status on CPU resume
    - arm64: ssbd: Introduce thread flag to control userspace mitigation
    - arm64: ssbd: Add prctl interface for per-thread mitigation
    - arm64: KVM: Add HYP per-cpu accessors
    - arm64: KVM: Add ARCH_WORKAROUND_2 support for guests
    - arm64: KVM: Handle guest's ARCH_WORKAROUND_2 requests
    - arm64: KVM: Add ARCH_WORKAROUND_2 discovery through ARCH_FEATURES_FUNC_ID
    - [Config] ARM64_SSBD=y

* Reconcile hns3 SAUCE patches with upstream (LP: #1787477)
    - Revert "UBUNTU: SAUCE: net: hns3: Optimize PF CMDQ interrupt switching
      process"
    - Revert "UBUNTU: SAUCE: net: hns3: Fix for VF mailbox receiving unknown
      message"
    - Revert "UBUNTU: SAUCE: net: hns3: Fix for VF mailbox cannot receiving PF
      response"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix comments for
      hclge_get_ring_chain_from_mbx"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix for using wrong mask and
      shift in hclge_get_ring_chain_from_mbx"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix for reset_level default
      assignment probelm"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove unnecessary ring
      configuration operation while resetting"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix return value error in
      hns3_reset_notify_down_enet"
    - Revert "UBUNTU: SAUCE: net: hns3: Fix for phy link issue when using marvell
      phy driver"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: separate roce from nic when
      resetting"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: correct reset event status
      register"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: prevent to request reset
      frequently"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: reset net device with rtnl_lock"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: modify the order of initializeing
      command queue register"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: prevent sending command during
      global or core reset"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove the warning when clear
      reset cause"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix get_vector ops in
      hclgevf_main module"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix warning bug when doing lp
      selftest"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Add configure for mac minimal
      frame size"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix for mailbox message truncated
      problem"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix for l4 checksum offload bug"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix for waterline not setting
      correctly"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix for mac pause not disable in
      pfc mode"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix tc setup when netdev is first
      up"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Add SPDX tags to hns3 driver"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove unused struct member and
      definition"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix mislead parameter name"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: modify inconsistent bit mask
      macros"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: use decimal for bit offset
      macros"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix unreasonable code comments"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove extra space and brackets"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: standardize the handle of return
      value"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove some redundant
      assignments"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: fix unused function warning in VF
      driver"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: modify hnae_ to hnae3_"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: use dma_zalloc_coherent instead
      of kzalloc/dma_map_single"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: give default option while
      dependency HNS3 set"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove some unused members of
      some structures"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove a redundant
      hclge_cmd_csq_done"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: using modulo for cyclic counters
      in hclge_cmd_send"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: simplify hclge_cmd_csq_clean"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove some redundant
      assignments"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove useless code in
      hclge_cmd_send"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove unused
      hclge_ring_to_dma_dir"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: use lower_32_bits and
      upper_32_bits"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove back in struct hclge_hw"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: add unlikely for error check"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove the Redundant put_vector
      in hns3_client_uninit"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: print the ret value in error
      information"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: extraction an interface for state
      state init|uninit"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove unused head file in
      hnae3.c"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: add l4_type check for both ipv4
      and ipv6"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: add vector status check before
      free vector"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: rename the interface for
      init_client_instance and uninit_client_instance"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: remove hclge_get_vector_index
      from hclge_bind_ring_with_vector"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: RX BD information valid only in
      last BD except VLD bit and buffer size"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: add support for serdes loopback
      selftest"
    - net: hns3: Updates RX packet info fetch in case of multi BD
    - net: hns3: remove unused hclgevf_cfg_func_mta_filter
    - net: hns3: Fix for VF mailbox cannot receiving PF response
    - net: hns3: Fix for VF mailbox receiving unknown message
    - net: hns3: Optimize PF CMDQ interrupt switching process
    - net: hns3: remove hclge_get_vector_index from hclge_bind_ring_with_vector
    - net: hns3: rename the interface for init_client_instance and
      uninit_client_instance
    - net: hns3: add vector status check before free vector
    - net: hns3: add l4_type check for both ipv4 and ipv6
    - net: hns3: add unlikely for error check
    - net: hns3: remove unused head file in hnae3.c
    - net: hns3: extraction an interface for state init|uninit
    - net: hns3: print the ret value in error information
    - net: hns3: remove the Redundant put_vector in hns3_client_uninit
    - net: hns3: remove back in struct hclge_hw
    - net: hns3: use lower_32_bits and upper_32_bits
    - net: hns3: remove unused hclge_ring_to_dma_dir
    - net: hns3: remove useless code in hclge_cmd_send
    - net: hns3: remove some redundant assignments
    - net: hns3: simplify hclge_cmd_csq_clean
    - net: hns3: remove a redundant hclge_cmd_csq_done
    - net: hns3: remove some unused members of some structures
    - net: hns3: give default option while dependency HNS3 set
    - net: hns3: use dma_zalloc_coherent instead of kzalloc/dma_map_single
    - net: hns3: modify hnae_ to hnae3_
    - net: hns3: Fix tc setup when netdev is first up
    - net: hns3: Fix for mac pause not disable in pfc mode
    - net: hns3: Fix for waterline not setting correctly
    - net: hns3: Fix for l4 checksum offload bug
    - net: hns3: Fix for mailbox message truncated problem
    - net: hns3: Add configure for mac minimal frame size
    - net: hns3: Fix warning bug when doing lp selftest
    - net: hns3: Fix get_vector ops in hclgevf_main module
    - net: hns3: Remove the warning when clear reset cause
    - net: hns3: Prevent sending command during global or core reset
    - net: hns3: Modify the order of initializing command queue register
    - net: hns3: Reset net device with rtnl_lock
    - net: hns3: Prevent to request reset frequently
    - net: hns3: Correct reset event status register
    - net: hns3: Fix return value error in hns3_reset_notify_down_enet
    - net: hns3: remove unnecessary ring configuration operation while resetting
    - net: hns3: Fix for reset_level default assignment probelm
    - net: hns3: Fix for using wrong mask and shift in
      hclge_get_ring_chain_from_mbx
    - net: hns3: Fix comments for hclge_get_ring_chain_from_mbx
    - net: hns3: Remove some redundant assignments
    - net: hns3: Standardize the handle of return value
    - net: hns3: Remove extra space and brackets
    - net: hns3: Correct unreasonable code comments
    - net: hns3: Use decimal for bit offset macros
    - net: hns3: Modify inconsistent bit mask macros
    - net: hns3: Fix misleading parameter name
    - net: hns3: Remove unused struct member and definition
    - net: hns3: Add SPDX tags to HNS3 PF driver
    - net: hns3: Add support for serdes loopback selftest
    - net: hns3: Fix for phy link issue when using marvell phy driver
    - SAUCE: {topost} net: hns3: separate roce from nic when resetting

* CVE-2018-6555
    - SAUCE: irda: Only insert new objects into the global database via setsockopt

* CVE-2018-6554
    - SAUCE: irda: Fix memory leak caused by repeated binds of irda socket

* Bionic update: upstream stable patchset 2018-08-31 (LP: #1790188)
    - netfilter: nf_tables: fix NULL pointer dereference on
      nft_ct_helper_obj_dump()
    - blkdev_report_zones_ioctl(): Use vmalloc() to allocate large buffers
    - af_key: Always verify length of provided sadb_key
    - gpio: No NULL owner
    - KVM: X86: Fix reserved bits check for MOV to CR3
    - KVM: x86: introduce linear_{read,write}_system
    - KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and
      kvm_write_guest_virt_system
    - staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
    - NFC: pn533: don't send USB data off of the stack
    - usbip: vhci_sysfs: fix potential Spectre v1
    - usb-storage: Add support for FL_ALWAYS_SYNC flag in the UAS driver
    - usb-storage: Add compatibility quirk flags for G-Technologies G-Drive
    - Input: xpad - add GPD Win 2 Controller USB IDs
    - phy: qcom-qusb2: Fix crash if nvmem cell not specified
    - usb: gadget: function: printer: avoid wrong list handling in printer_write()
    - usb: gadget: udc: renesas_usb3: disable the controller's irqs for
      reconnecting
    - serial: sh-sci: Stop using printk format %pCr
    - tty/serial: atmel: use port->name as name in request_irq()
    - serial: samsung: fix maxburst parameter for DMA transactions
    - serial: 8250: omap: Fix idling of clocks for unused uarts
    - vmw_balloon: fixing double free when batching mode is off
    - tty: pl011: Avoid spuriously stuck-off interrupts
    - kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access
    - Input: goodix - add new ACPI id for GPD Win 2 touch screen
    - crypto: caam - strip input zeros from RSA input buffer
    - crypto: caam - fix DMA mapping dir for generated IV
    - crypto: caam - fix IV DMA mapping and updating
    - crypto: caam/qi - fix IV DMA mapping and updating
    - crypto: caam - fix size of RSA prime factor q
    - crypto: vmx - Remove overly verbose printk from AES init routines
    - crypto: vmx - Remove overly verbose printk from AES XTS init
    - crypto: omap-sham - fix memleak
    - usb: typec: wcove: Remove dependency on HW FSM
    - usb: gadget: udc: renesas_usb3: fix double phy_put()
    - usb: gadget: udc: renesas_usb3: should remove debugfs
    - usb: gadget: udc: renesas_usb3: should call pm_runtime_enable() before add
      udc
    - usb: gadget: udc: renesas_usb3: should call devm_phy_get() before add udc
    - usb: gadget: udc: renesas_usb3: should fail if devm_phy_get() returns error

* Bionic update: upstream stable patchset 2018-08-29 (LP: #1789666)
    - scsi: sd_zbc: Avoid that resetting a zone fails sporadically
    - mmap: introduce sane default mmap limits
    - mmap: relax file size limit for regular files
    - btrfs: define SUPER_FLAG_METADUMP_V2
    - kconfig: Avoid format overflow warning from GCC 8.1
    - be2net: Fix error detection logic for BE3
    - bnx2x: use the right constant
    - dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
    - enic: set DMA mask to 47 bit
    - ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
    - ip6_tunnel: remove magic mtu value 0xFFF8
    - ipmr: properly check rhltable_init() return value
    - ipv4: remove warning in ip_recv_error
    - ipv6: omit traffic class when calculating flow hash
    - isdn: eicon: fix a missing-check bug
    - kcm: Fix use-after-free caused by clonned sockets
    - netdev-FAQ: clarify DaveM's position for stable backports
    - net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy
    - net: metrics: add proper netlink validation
    - net/packet: refine check for priv area size
    - net: phy: broadcom: Fix bcm_write_exp()
    - net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
    - packet: fix reserve calculation
    - qed: Fix mask for physical address in ILT entry
    - sctp: not allow transport timeout value less than HZ/5 for hb_timer
    - team: use netdev_features_t instead of u32
    - vhost: synchronize IOTLB message with dev cleanup
    - vrf: check the original netdevice for generating redirect
    - ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline
    - net: phy: broadcom: Fix auxiliary control register reads
    - net-sysfs: Fix memory leak in XPS configuration
    - virtio-net: correctly transmit XDP buff after linearizing
    - net/mlx4: Fix irq-unsafe spinlock usage
    - tun: Fix NULL pointer dereference in XDP redirect
    - virtio-net: correctly check num_buf during err path
    - net/mlx5e: When RXFCS is set, add FCS data into checksum calculation
    - virtio-net: fix leaking page for gso packet during mergeable XDP
    - rtnetlink: validate attributes in do_setlink()
    - cls_flower: Fix incorrect idr release when failing to modify rule
    - PCI: hv: Do not wait forever on a device that has disappeared
    - drm: set FMODE_UNSIGNED_OFFSET for drm files
    - l2tp: fix refcount leakage on PPPoL2TP sockets
    - mlxsw: spectrum: Forbid creation of VLAN 1 over port/LAG
    - net: ethernet: ti: cpdma: correct error handling for chan create
    - net: ethernet: davinci_emac: fix error handling in probe()
    - net: dsa: b53: Fix for brcm tag issue in Cygnus SoC
    - net : sched: cls_api: deal with egdev path only if needed

* Bionic update: upstream stable patchset 2018-08-24 (LP: #1788897)
    - fix io_destroy()/aio_complete() race
    - mm: fix the NULL mapping case in __isolate_lru_page()
    - objtool: Support GCC 8's cold subfunctions
    - objtool: Support GCC 8 switch tables
    - objtool: Detect RIP-relative switch table references
    - objtool: Detect RIP-relative switch table references, part 2
    - objtool: Fix "noreturn" detection for recursive sibling calls
    - xfs: convert XFS_AGFL_SIZE to a helper function
    - xfs: detect agfl count corruption and reset agfl
    - Input: synaptics - Lenovo Carbon X1 Gen5 (2017) devices should use RMI
    - Input: synaptics - add Lenovo 80 series ids to SMBus
    - Input: elan_i2c_smbus - fix corrupted stack
    - tracing: Fix crash when freeing instances with event triggers
    - tracing: Make the snapshot trigger work with instances
    - selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
    - cfg80211: further limit wiphy names to 64 bytes
    - drm/amd/powerplay: Fix enum mismatch
    - rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c
    - platform/chrome: cros_ec_lpc: remove redundant pointer request
    - kbuild: clang: disable unused variable warnings only when constant
    - tcp: avoid integer overflows in tcp_rcv_space_adjust()
    - iio: ad7793: implement IIO_CHAN_INFO_SAMP_FREQ
    - iio:buffer: make length types match kfifo types
    - iio:kfifo_buf: check for uint overflow
    - iio: adc: select buffer for at91-sama5d2_adc
    - MIPS: lantiq: gphy: Drop reboot/remove reset asserts
    - MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs
    - MIPS: prctl: Disallow FRE without FR with PR_SET_FP_MODE requests
    - scsi: scsi_transport_srp: Fix shost to rport translation
    - stm class: Use vmalloc for the master map
    - hwtracing: stm: fix build error on some arches
    - IB/core: Fix error code for invalid GID entry
    - mm/huge_memory.c: __split_huge_page() use atomic ClearPageDirty()
    - Revert "rt2800: use TXOP_BACKOFF for probe frames"
    - intel_th: Use correct device when freeing buffers
    - drm/psr: Fix missed entry in PSR setup time table.
    - drm/i915/lvds: Move acpi lid notification registration to registration phase
    - drm/i915: Disable LVDS on Radiant P845
    - drm/vmwgfx: Use kasprintf
    - drm/vmwgfx: Fix host logging / guestinfo reading error paths
    - nvme: fix extended data LBA supported setting
    - iio: hid-sensor-trigger: Fix sometimes not powering up the sensor after
      resume
    - x86/MCE/AMD: Define a function to get SMCA bank type
    - x86/mce/AMD: Pass the bank number to smca_get_bank_type()
    - x86/mce/AMD, EDAC/mce_amd: Enumerate Reserved SMCA bank type
    - x86/mce/AMD: Carve out SMCA get_block_address() code
    - x86/MCE/AMD: Cache SMCA MISC block addresses

* errors when scanning partition table of corrupted AIX disk (LP: #1787281)
    - partitions/aix: fix usage of uninitialized lv_info and lvname structures
    - partitions/aix: append null character to print data from disk

* tlbie master timeout checkstop (using NVidia/GPU) (LP: #1789772)
    - powerpc/mm/hugetlb: Update huge_ptep_set_access_flags to call
      __ptep_set_access_flags directly
    - powerpc/mm/radix: Move function from radix.h to pgtable-radix.c
    - powerpc/mm: Change function prototype
    - powerpc/mm/radix: Change pte relax sequence to handle nest MMU hang

* performance drop with ATS enabled (LP: #1788097)
    - powerpc/powernv: Fix concurrency issue with npu->mmio_atsd_usage

* [Regression] kernel crashdump fails on arm64 (LP: #1786878)
    - arm64: export memblock_reserve()d regions via /proc/iomem
    - drivers: acpi: add dependency of EFI for arm64
    - efi/arm: preserve early mapping of UEFI memory map longer for BGRT
    - efi/arm: map UEFI memory map even w/o runtime services enabled
    - arm64: acpi: fix alignment fault in accessing ACPI
    - [Config] CONFIG_ARCH_SUPPORTS_ACPI=y
    - arm64: fix ACPI dependencies
    - ACPI: fix menuconfig presentation of ACPI submenu

* TB 16 issue on Dell Lattitude 7490 with large amount of data (LP: #1785780)
    - r8152: disable RX aggregation on new Dell TB16 dock

* dell_wmi: Unknown key codes (LP: #1762385)
    - platform/x86: dell-wmi: Ignore new rfkill and fn-lock events

* Enable AMD PCIe MP2 for AMDI0011 (LP: #1773940)
    - SAUCE: i2c:amd I2C Driver based on PCI Interface for upcoming platform
    - SAUCE: i2c:amd move out pointer in union i2c_event_base
    - SAUCE: i2c:amd Depends on ACPI
    - [Config] i2c: CONFIG_I2C_AMD_MP2=y on x86

* r8169 no internet after suspending (LP: #1779817)
    - r8169: restore previous behavior to accept BIOS WoL settings
    - r8169: don't use MSI-X on RTL8168g
    - r8169: don't use MSI-X on RTL8106e

* Fix Intel Cannon Lake LPSS I2C input clock (LP: #1789790)
    - mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock

* Microphone cannot be detected with front panel audio combo jack on HP Z8-G4
    machine (LP: #1789145)
    - ALSA: hda/realtek - Fix HP Headset Mic can't record

* Tango platform uses __initcall without further checks (LP: #1787945)
    - [Config] disable ARCH_TANGO

* [18.10 FEAT] Add kernel config option "CONFIG_SCLP_OFB" (LP: #1787898)
    - [Config] CONFIG_SCLP_OFB=y for s390x

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Mon, 24 Sep 2018 16:08:41 +0200

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Andrew Cloke (andrew-cloke) on 2018-10-08

Changed in linux (Ubuntu):
status:	Fix Committed → Fix Released
Changed in ubuntu-power-systems:
status:	Fix Committed → Fix Released

Revision history for this message

Frank Heimes (fheimes) wrote on 2018-10-08:

#9

That already in the current cosmic kernel:
$ git log --oneline | grep "Check if IOMMU page is contained in the pinned physical page"
76fa497 KVM: PPC: Check if IOMMU page is contained in the pinned physical page
$ git tag --contains 76fa497
Ubuntu-4.18.0-7.8
Ubuntu-4.18.0-8.9
Ubuntu-4.18.0-9.10
v4.18
So can be marked as Fix Released for cosmic.

Brad Figg (brad-figg) on 2019-07-24

tags:

added: cscc

Ubuntu
linux package

Security fix: check if IOMMU page is contained in the pinned physical page

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
The Ubuntu-power-systems project	Fix Released	Critical	Canonical Kernel Team
linux (Ubuntu)	Fix Released	Critical	Canonical Kernel Team
Bionic	Fix Released	Critical	Canonical Kernel Team

Ubuntulinux package

Security fix: check if IOMMU page is contained in the pinned physical page

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package