regression: between 4.15.0-45 and 4.15.0-50 - i915 vmalloc_fault

Bug #1834177 reported by Eta Meta
This bug affects 1 person
Affects: linux (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (empty)

Bug Description

From the logs:
Jun 25 11:14:21 machine-name kernel: ------------[ cut here ]------------
Jun 25 11:14:21 machine-name kernel: kernel BUG at /build/linux-H3Eec1/linux-4.15.0/arch/x86/mm/fault.c:268!
Jun 25 11:14:21 machine-name kernel: invalid opcode: 0000 [#1] SMP PTI
Jun 25 11:14:21 machine-name kernel: Modules linked in: i915(+) video i2c_algo_bit crc32_pclmul drm_kms_helper syscopyarea sysfillrect psmouse ahci sysimgblt e1000e fb_sys_fops libahci drm ptp pps_core wmi
Jun 25 11:14:21 machine-name kernel: CPU: 1 PID: 168 Comm: systemd-udevd Not tainted 4.15.0-52-generic #56-Ubuntu
Jun 25 11:14:21 machine-name kernel: Hardware name: Hewlett-Packard HP Compaq 8200 Elite SFF PC/1495, BIOS J01 v02.15 11/10/2011
Jun 25 11:14:21 machine-name kernel: EIP: vmalloc_fault+0x229/0x240
Jun 25 11:14:21 machine-name kernel: EFLAGS: 00010086 CPU: 1
Jun 25 11:14:21 machine-name kernel: EAX: 027b0000 EBX: c5e20e28 ECX: fe0000f3 EDX: 00000000
Jun 25 11:14:21 machine-name kernel: ESI: f8a78000 EDI: fe000000 EBP: f550fc08 ESP: f550fbec
Jun 25 11:14:21 machine-name kernel: DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Jun 25 11:14:21 machine-name kernel: CR0: 80050033 CR2: f8a78000 CR3: 356b2000 CR4: 000406f0
Jun 25 11:14:21 machine-name kernel: Call Trace:
Jun 25 11:14:21 machine-name kernel: ? __do_page_fault+0x510/0x510
Jun 25 11:14:21 machine-name kernel: __do_page_fault+0x39d/0x510
Jun 25 11:14:21 machine-name kernel: ? __do_page_fault+0x510/0x510
Jun 25 11:14:21 machine-name kernel: do_page_fault+0x27/0xf0
Jun 25 11:14:21 machine-name kernel: ? __do_page_fault+0x510/0x510
Jun 25 11:14:21 machine-name kernel: common_exception+0x130/0x136
Jun 25 11:14:21 machine-name kernel: EIP: i915_check_vgpu+0x11/0xb0 [i915]
Jun 25 11:14:21 machine-name kernel: EFLAGS: 00010286 CPU: 1
Jun 25 11:14:21 machine-name kernel: EAX: f57d8000 EBX: f57d8000 ECX: f550fcb4 EDX: f8a00000
Jun 25 11:14:21 machine-name kernel: ESI: 00000000 EDI: f57d83f8 EBP: f550fcb8 ESP: f550fcac
Jun 25 11:14:21 machine-name kernel: DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Jun 25 11:14:21 machine-name kernel: ? pci_conf1_read+0xbb/0xf0
Jun 25 11:14:21 machine-name kernel: intel_uncore_init+0x15/0x5c0 [i915]
Jun 25 11:14:21 machine-name kernel: i915_driver_load+0x456/0xcc0 [i915]
Jun 25 11:14:21 machine-name kernel: ? acpi_dev_found+0x6c/0x80
Jun 25 11:14:21 machine-name kernel: ? i915_pci_remove+0x20/0x20 [i915]
Jun 25 11:14:21 machine-name kernel: i915_pci_probe+0x3a/0x70 [i915]
Jun 25 11:14:21 machine-name kernel: pci_device_probe+0xc7/0x160
Jun 25 11:14:21 machine-name kernel: driver_probe_device+0x2af/0x440
Jun 25 11:14:21 machine-name kernel: __driver_attach+0x99/0xe0
Jun 25 11:14:21 machine-name kernel: ? driver_probe_device+0x440/0x440
Jun 25 11:14:21 machine-name kernel: bus_for_each_dev+0x5a/0xa0
Jun 25 11:14:21 machine-name kernel: driver_attach+0x19/0x20
Jun 25 11:14:21 machine-name kernel: ? driver_probe_device+0x440/0x440
Jun 25 11:14:21 machine-name kernel: bus_add_driver+0x187/0x230
Jun 25 11:14:21 machine-name kernel: ? 0xf8951000
Jun 25 11:14:21 machine-name kernel: driver_register+0x56/0xd0
Jun 25 11:14:21 machine-name kernel: ? 0xf8951000
Jun 25 11:14:21 machine-name kernel: __pci_register_driver+0x3a/0x40
Jun 25 11:14:21 machine-name kernel: i915_init+0x51/0x56 [i915]
Jun 25 11:14:21 machine-name kernel: do_one_initcall+0x49/0x174
Jun 25 11:14:21 machine-name kernel: ? _cond_resched+0x17/0x40
Jun 25 11:14:21 machine-name kernel: ? kmem_cache_alloc_trace+0x165/0x1d0
Jun 25 11:14:21 machine-name kernel: ? do_init_module+0x21/0x1ec
Jun 25 11:14:21 machine-name kernel: ? do_init_module+0x21/0x1ec
Jun 25 11:14:21 machine-name kernel: do_init_module+0x50/0x1ec
Jun 25 11:14:21 machine-name kernel: load_module+0x1588/0x1ab0
Jun 25 11:14:21 machine-name kernel: ? ima_post_read_file+0xb4/0xc0
Jun 25 11:14:21 machine-name kernel: ? security_kernel_post_read_file+0x62/0x70
Jun 25 11:14:21 machine-name kernel: SyS_finit_module+0x8a/0xe0
Jun 25 11:14:21 machine-name kernel: do_fast_syscall_32+0x7f/0x200
Jun 25 11:14:21 machine-name kernel: entry_SYSENTER_32+0x6b/0xbe
Jun 25 11:14:21 machine-name kernel: EIP: 0xb7f4bd09
Jun 25 11:14:21 machine-name kernel: EFLAGS: 00000296 CPU: 1
Jun 25 11:14:21 machine-name kernel: EAX: ffffffda EBX: 00000013 ECX: b7d5da15 EDX: 00000000
Jun 25 11:14:21 machine-name kernel: ESI: 01f2c530 EDI: 01f17d50 EBP: 01f11800 ESP: bfec3c4c
Jun 25 11:14:21 machine-name kernel: DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
Jun 25 11:14:21 machine-name kernel: Code: cf 89 7d ec 8b 45 ec 0f ac d0 0c 89 c2 8d 04 80 c1 ea 11 c1 e2 04 8b 92 40 32 eb c5 83 e2 f8 8d 04 c2 39 45 e4 0f 84 d0 fe ff ff <0f> 0b 90 8d 74 26 00 83 c4 10 b8 ff ff ff ff 5b 5e 5f 5d c3 8d
Jun 25 11:14:21 machine-name kernel: EIP: vmalloc_fault+0x229/0x240 SS:ESP: 0068:f550fbec
Jun 25 11:14:21 machine-name kernel: ---[ end trace fc80bb0be413797b ]---

After this, Xorg will unload modeset and use fbdev instead.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-52-generic 4.15.0-52.56
ProcVersionSignature: Ubuntu 4.15.0-52.56-generic 4.15.18
Uname: Linux 4.15.0-52-generic i686
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: i386
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CurrentDesktop: GNOME
Date: Tue Jun 25 12:23:12 2019
HibernationDevice: RESUME=UUID=1b857197-e601-497b-b773-025fbe39d2db
InstallationDate: Installed on 2013-09-16 (2107 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release i386 (20130424)
IwConfig:
 lo no wireless extensions.

 eth0 no wireless extensions.
MachineType: Hewlett-Packard HP Compaq 8200 Elite SFF PC
ProcFB: 0 VESA VGA
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-52-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=1
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-52-generic N/A
 linux-backports-modules-4.15.0-52-generic N/A
 linux-firmware 1.173.6
RfKill:

SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/10/2011
dmi.bios.vendor: Hewlett-Packard
dmi.bios.version: J01 v02.15
dmi.board.asset.tag: CZC2141GVS
dmi.board.name: 1495
dmi.board.vendor: Hewlett-Packard
dmi.chassis.asset.tag: CZC2141GVS
dmi.chassis.type: 6
dmi.chassis.vendor: Hewlett-Packard
dmi.modalias: dmi:bvnHewlett-Packard:bvrJ01v02.15:bd11/10/2011:svnHewlett-Packard:pnHPCompaq8200EliteSFFPC:pvr:rvnHewlett-Packard:rn1495:rvr:cvnHewlett-Packard:ct6:cvr:
dmi.product.family: 103C_53307F G=D
dmi.product.name: HP Compaq 8200 Elite SFF PC
dmi.sys.vendor: Hewlett-Packard

Revision history for this message
Eta Meta (etameta) wrote :

I've found this to happen with these kernel versions:

linux-image-4.15.0-50-generic
linux-image-4.15.0-52-generic

Whereas it does NOT happen with linux-image-4.15.0-45-generic

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
TJ (tj)
summary: - kernel bug causes i915 modesetting to not work
+ regression: between 4.15.0-45 and 4.15.0-50 - i915 vmalloc_fault
Revision history for this message
TJ (tj) wrote :

Looks like this is the likely candidate:

commit 7fa1a35564b270e940111c31828e553bff8f063b
Author: Gustavo A. R. Silva <email address hidden>
Date: Thu Aug 2 22:40:19 2018 -0500

    drm/i915/kvmgt: Fix potential Spectre v1

    info.index can be indirectly controlled by user-space, hence leading
    to a potential exploitation of the Spectre variant 1 vulnerability.

    This issue was detected with the help of Smatch:

    drivers/gpu/drm/i915/gvt/kvmgt.c:1232 intel_vgpu_ioctl() warn:
    potential spectre issue 'vgpu->vdev.region' [r]

    Fix this by sanitizing info.index before indirectly using it to index
    vgpu->vdev.region

    Notice that given that speculation windows are large, the policy is
    to kill the speculation on the first load and not worry if it can be
    completed with a dependent load/store [1].

    [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

    Cc: <email address hidden>
    Signed-off-by: Gustavo A. R. Silva <email address hidden>
    Signed-off-by: Zhenyu Wang <email address hidden>

    CVE-2017-5753

    (cherry picked from commit de5372da605d3bca46e3102bab51b7e1c0e0a6f6)
    Signed-off-by: Juerg Haefliger <email address hidden>
    Acked-by: Stefan Bader <email address hidden>
    Acked-by: Kleber Sacilotto de Souza <email address hidden>
    Signed-off-by: Stefan Bader <email address hidden>
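The commit message above says the fix "sanitizes info.index before indirectly using it" and kills speculation on the first load. The following is an added example, not code from the bug report, the reporter, or the i915 commit: a user-space C re-implementation of that sanitization pattern. The mask formula mirrors the generic C fallback of the kernel's array_index_mask_nospec() (the x86 kernel uses an asm variant instead); the names index_mask_nospec, index_nospec, region_size and the four-entry regions table are constructed for this demo and are not the driver's identifiers.

```c
/* Added example (not from the bug report or the kernel commit): a user-space
 * re-implementation of the index sanitization the commit message describes.
 * The mask formula mirrors the kernel's generic array_index_mask_nospec()
 * fallback; the region table and its contents are constructed for the demo. */
#include <stdio.h>
#include <stddef.h>
#include <limits.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Returns ~0UL when index < size and 0 otherwise, computed without a
 * data-dependent branch, so the result holds even while the CPU speculates
 * past a mispredicted bounds check. Precondition (same as the kernel's):
 * size < LONG_MAX, so that size - 1 - index only wraps when index >= size. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* volatile keeps the compiler from folding the mask away when it can
     * prove the architectural bounds check already passed; under
     * speculation that check has not actually been honoured. */
    volatile unsigned long idx = index;
    return ~(long)(idx | (size - 1UL - idx)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to [0, size): unchanged if in range, forced to 0 otherwise. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Constructed stand-in for a per-device region table indexed by a
 * caller-supplied value (the shape of vgpu->vdev.region in the commit). */
struct region { const char *name; unsigned long size; };
static const struct region regions[] = {
    { "config", 256 }, { "bar0", 4096 }, { "bar2", 8192 }, { "rom", 1024 },
};
#define NUM_REGIONS (sizeof(regions) / sizeof(regions[0]))

/* Architectural bounds check first; the clamp then guarantees that even a
 * speculatively executed lookup cannot read past the end of the table.
 * Returns the region size, or -1 for an out-of-range index. */
long region_size(unsigned long index)
{
    if (index >= NUM_REGIONS)
        return -1;
    index = index_nospec(index, NUM_REGIONS);
    return (long)regions[index].size;
}

int main(void)
{
    /* Constructed probe indices: two in range, one just past the end,
     * one chosen to wrap the subtraction. */
    unsigned long probes[] = { 0, 3, 4, ULONG_MAX };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("index %lu -> mask %#lx, size %ld\n", probes[i],
               index_mask_nospec(probes[i], NUM_REGIONS),
               region_size(probes[i]));
    return 0;
}
```

The point a reviewer checks is the order: the ordinary `if (index >= size)` test is still what rejects bad input architecturally; the mask only ensures the index used for the memory access is in range along the speculative path too. Compile with `cc -O2 -Wall`; the right shift of a negative `long` relies on the arithmetic-shift behaviour that gcc and clang provide, as the kernel's fallback does.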
