[UBUNTU 20.04] s390x/pci: do not allow to create more pci functions than configured via CONFIG_PCI_NR_FUNCTIONS

Bug #1874057 reported by bugproxy on 2020-04-21
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Medium
Canonical Kernel Team
linux (Ubuntu)
Status tracked in Groovy
Focal
Undecided
Canonical Kernel Team
Groovy
Undecided
Canonical Kernel Team

Bug Description

SRU Justification:
==================

[Impact]

* PCI Functions with UIDs >128 are currently not accounted correctly in the s390x/pci (zPCI) code.

* Furthermore, the code allows that more than CONFIG_PCI_NR_FUNCTIONS are created.

* This can lead to issues with data structures which were only allocated for CONFIG_PCI_NR_FUNCTIONS.

[Fix]

* https://launchpadlibrarian.net/478235080/0001-s390-pci-Fix-zpci_alloc_domain-over-allocation.patch

[Test Case]

* Set the kernel parameter CONFIG_PCI_NR_FUNCTIONS to a specific (reasonably low) number.

* And check if more PCI functions can be created than specified by CONFIG_PCI_NR_FUNCTIONS (e.g. using a RoCE adapter) and watch for kernel message 'Adding PCI function ... failed'

[Regression Potential]

* The regression potential can be considered as low, since:

* the zPCI cards are less widespread than for example ccw adapters on s390x

* the fix got already upstream accepted in 5.7, hence upstream reviewed, too

* the modifications span just two files and both are s390x arch specific

[Other Info]

* the above patch-file is based on commit 969ae01bab2fe938b4c8324836038b5ac1c78fac ("s390/pci: Fix zpci_alloc_domain() over allocation"), but this backport was needed for getting this applied to focal master-next

* and this patch got upstream accepted with kernel v5.7-rc1, hence on the long term it should be in 'gorilla'

__________

PCI Functions with UIDs >128 are currently not accounted correctly in the s390x/pci code. Furthermore, the code allows that more than CONFIG_PCI_NR_FUNCTIONS are created. This can lead to issues with data structures which were only allocated for CONFIG_PCI_NR_FUNCTIONS.

This has been fixed in the following upstream commit:

969ae01bab2fe938b4c8324836038b5ac1c78fac
("s390/pci: Fix zpci_alloc_domain() over allocation")
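
The accounting problem described above, modelled in user-space C as an added example (this is not the kernel's code and not the attached patch). `NR_FUNCTIONS`, `struct domain_alloc`, `alloc_domain()` and `add_functions()` are hypothetical names, and the "weak" branch rests on the assumption that a UID too large for the small bitmap is accepted without being recorded.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_FUNCTIONS 4            /* constructed stand-in for CONFIG_PCI_NR_FUNCTIONS */
#define DOMAIN_SPACE (1u << 16)   /* assumption: domain = UID truncated to 16 bits */

struct domain_alloc {
    uint8_t  bits[DOMAIN_SPACE / 8]; /* one bit per possible domain number */
    unsigned allocated;              /* functions accounted for so far */
    bool     fixed;                  /* false: model of the reported behaviour */
};

/* 0 on success, -EEXIST if the domain is taken, -ENOSPC at the limit. */
static int alloc_domain(struct domain_alloc *a, uint32_t uid)
{
    uint16_t domain = (uint16_t)uid;
    if (a->fixed && a->allocated >= NR_FUNCTIONS)
        return -ENOSPC;           /* limit enforced on the count, not on the UID */
    if (!a->fixed && domain >= NR_FUNCTIONS)
        return 0;                 /* weak: outside the small bitmap, never accounted */
    if (a->bits[domain / 8] & (1u << (domain % 8)))
        return -EEXIST;
    a->bits[domain / 8] |= (uint8_t)(1u << (domain % 8));
    a->allocated++;
    return 0;
}

/* Offer each UID to a fresh allocator; return how many were accepted. */
unsigned add_functions(bool fixed, const uint32_t *uids, size_t n)
{
    static struct domain_alloc a;
    unsigned accepted = 0;
    memset(&a, 0, sizeof(a));
    a.fixed = fixed;
    for (size_t i = 0; i < n; i++)
        accepted += (alloc_domain(&a, uids[i]) == 0);
    return accepted;
}

/* Constructed sample: two small UIDs, five large ones, then one more small. */
static const uint32_t SAMPLE_UIDS[] = { 1, 2, 200, 201, 202, 203, 204, 3 };

int main(void)
{
    printf("weak: %u accepted, fixed: %u accepted\n",
           add_functions(false, SAMPLE_UIDS, 8), add_functions(true, SAMPLE_UIDS, 8));
    return 0;
}
```

In the weak model every structure sized for `NR_FUNCTIONS` entries is now shared by eight functions, and a repeated large UID is not detected as a duplicate either.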

bugproxy (bugproxy) on 2020-04-21
tags: added: architecture-s39064 bugnameltc-184167 severity-medium targetmilestone-inin2004
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
summary: - s390x/pci: do not allow to create more pci functions than configured via
- CONFIG_PCI_NR_FUNCTIONS
+ [UBUNTU 20.04] s390x/pci: do not allow to create more pci functions than
+ configured via CONFIG_PCI_NR_FUNCTIONS

------- Comment From <email address hidden> 2020-04-21 09:56 EDT-------
PCI Functions with UIDs >128 are currently not accounted correctly in the s390x/pci code. Furthermore, the code allows that more than CONFIG_PCI_NR_FUNCTIONS are created. This can lead to issues with data structures which were only allocated for CONFIG_PCI_NR_FUNCTIONS.

This has been fixed in the following upstream commit:

969ae01bab2fe938b4c8324836038b5ac1c78fac ("s390/pci: Fix zpci_alloc_domain() over allocation")

Frank Heimes (fheimes) wrote :

Patch just landed on 5.7:
git tag --contains 969ae01bab2f | grep ^v
v5.7-rc1
v5.7-rc2

description: updated
Changed in ubuntu-z-systems:
importance: Undecided → Medium
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
Frank Heimes (fheimes) wrote :

The mentioned commit from 5.7 does not simply apply to focal master-next:

cherry-pick says:

Auto-merging arch/s390/pci/pci.c
CONFLICT (content): Merge conflict in arch/s390/pci/pci.c
Auto-merging arch/s390/include/asm/pci.h
warning: inexact rename detection was skipped due to too many files.
warning: you may want to set your merge.renamelimit variable to at least 2342 and retry the command.
error: could not apply 969ae01bab2f... s390/pci: Fix zpci_alloc_domain() over allocation
hint: after resolving the conflicts, mark the corrected paths
hint: with 'git add <paths>' or 'git rm <paths>'
hint: and commit the result with 'git commit'

with status:

On branch master-next
Your branch is ahead of 'origin/master-next' by 2 commits.
  (use "git push" to publish your local commits)

You are currently cherry-picking commit 969ae01bab2f.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
 modified: arch/s390/include/asm/pci.h

Unmerged paths:
  (use "git add <file>..." to mark resolution)
 both modified: arch/s390/pci/pci.c

and the git diff is:

diff --cc arch/s390/pci/pci.c
index 6105b1b6e49b,2b90a90aa81d..000000000000
--- a/arch/s390/pci/pci.c
+++ b/arch/s390/pci/pci.c
@@@ -39,11 -40,12 +39,12 @@@
  static LIST_HEAD(zpci_list);
  static DEFINE_SPINLOCK(zpci_list_lock);

- static DECLARE_BITMAP(zpci_domain, ZPCI_NR_DEVICES);
+ static DECLARE_BITMAP(zpci_domain, ZPCI_DOMAIN_BITMAP_SIZE);
  static DEFINE_SPINLOCK(zpci_domain_lock);
+ static unsigned int zpci_num_domains_allocated;

  #define ZPCI_IOMAP_ENTRIES \
 - min(((unsigned long) ZPCI_NR_DEVICES * PCI_STD_NUM_BARS / 2), \
 + min(((unsigned long) ZPCI_NR_DEVICES * PCI_BAR_COUNT / 2), \
            ZPCI_IOMAP_MAX_ENTRIES)

  static DEFINE_SPINLOCK(zpci_iomap_lock);
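
Review bot: zpci_num_domains_allocated, declared right after zpci_domain_lock, has no comment saying that this lock protects it; the bitmap and the counter have to change together, so say so next to the declaration. In the same hunk the ZPCI_IOMAP_ENTRIES line resolves to PCI_BAR_COUNT and drops the incoming PCI_STD_NUM_BARS, so confirm that PCI_BAR_COUNT is the constant this tree defines, and that ZPCI_DOMAIN_BITMAP_SIZE arrives with the arch/s390/include/asm/pci.h part of the change, which is not shown here.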
@@@ -606,59 -608,22 +607,63 @@@ void pcibios_disable_device(struct pci_
        zpci_debug_exit_device(zdev);
  }

 +#ifdef CONFIG_HIBERNATE_CALLBACKS
 +static int zpci_restore(struct device *dev)
 +{
 + struct pci_dev *pdev = to_pci_dev(dev);
 + struct zpci_dev *zdev = to_zpci(pdev);
 + int ret = 0;
 +
 + if (zdev->state != ZPCI_FN_STATE_ONLINE)
 + goto out;
 +
 + ret = clp_enable_fh(zdev, ZPCI_NR_DMA_SPACES);
 + if (ret)
 + goto out;
 +
 + zpci_map_resources(pdev);
 + zpci_register_ioat(zdev, 0, zdev->start_dma, zdev->end_dma,
 + (u64) zdev->dma_table);
 +
 +out:
 + return ret;
 +}
 +
 +static int zpci_freeze(struct device *dev)
 +{
 + struct pci_dev *pdev = to_pci_dev(dev);
 + struct zpci_dev *zdev = to_zpci(pdev);
 +
 + if (zdev->state != ZPCI_FN_STATE_ONLINE)
 + return 0;
 +
 + zpci_unregister_ioat(zdev, 0);
 + zpci_unmap_resources(pdev);
 + return clp_disable_fh(zdev);
 +}
 +
 +struct dev_pm_ops pcibios_pm_ops = {
 + .thaw_noirq = zpci_restore,
 + .freeze_noirq = zpci_freeze,
 + .restore_noirq = zpci_restore,
 + .poweroff_noirq = zpci_freeze,
 +};
 +#endi...
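
Review bot: every line from #ifdef CONFIG_HIBERNATE_CALLBACKS down to the cut-off #endif is marked as present only on the master-next side, so the conflict resolution should carry this block over unchanged and keep the backport limited to what the incoming commit changes, which falls after the truncation and cannot be checked from this excerpt. Separately, zpci_restore() does not check the result of zpci_register_ioat() and returns 0 through ret; that is existing code and belongs in its own patch if it needs changing.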


------- Comment on attachment From <email address hidden> 2020-04-22 04:30 EDT-------

Sorry, I totally forgot that the final patch version came after the power management removal which screwed up the context. Otherwise there would only have been a trivial constant rename.

Frank Heimes (fheimes) wrote :

Okay, that backport applies flawlessly - thanks!

Frank Heimes (fheimes) on 2020-04-23
Changed in ubuntu-z-systems:
status: New → Triaged
Frank Heimes (fheimes) wrote :

Kernel SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2020-April/thread.html#109402
Changing status to 'In Progress'.

description: updated
Frank Heimes (fheimes) on 2020-04-28
Changed in linux (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Frank Heimes (fheimes) wrote :

With the patch applied the compile complains with:
...
  CC mm/vmalloc.o
/home/ubuntu/focal-lp1874057/arch/s390/pci/pci.c: In function ‘zpci_alloc_domain’:
/home/ubuntu/focal-lp1874057/arch/s390/pci/pci.c:668:4: error: implicit declaration of function ‘update_uid_checking’ [-Werror=implicit-function-declaration]
  668 | update_uid_checking(false);
      | ^~~~~~~~~~~~~~~~~~~
  CC mm/process_vm_access.o
  CC security/apparmor/lib.o
cc1: some warnings being treated as errors
make[4]: *** [/home/ubuntu/focal-lp1874057/scripts/Makefile.build:273: arch/s390/pci/pci.o] Error 1
make[3]: *** [/home/ubuntu/focal-lp1874057/scripts/Makefile.build:522: arch/s390/pci] Error 2
make[2]: *** [/home/ubuntu/focal-lp1874057/Makefile:1719: arch/s390] Error 2

I double-checked with compiling the focal master-next tree w/o the patch, which works fine.

------- Comment on attachment From <email address hidden> 2020-05-04 09:52 EDT-------

Oh thank you for your patience, I totally screwed up the backport patch
as I accidentally included some code from the next commit

7a11c67a1ff9b0231eaaaa6a28294776d55b569a ("s390/pci: Improve handling of unset UID")

Actually that now applies cleanly on top and I think we might
want to include that as well, especially since it will also simplify
the backporting of the multi-function patch series.

Frank Heimes (fheimes) on 2020-05-05
description: updated
Frank Heimes (fheimes) wrote :

Kernel SRU request resubmitted as v2:
https://lists.ubuntu.com/archives/kernel-team/2020-May/thread.html#109579
Status still 'In Progress'.

Frank Heimes (fheimes) on 2020-05-13
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Frank Heimes (fheimes) on 2020-05-13
Changed in linux (Ubuntu Groovy):
status: Fix Committed → In Progress
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in ubuntu-z-systems:
status: Fix Committed → In Progress
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Frank Heimes (fheimes) on 2020-05-14
Changed in linux (Ubuntu Focal):
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Groovy):
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
bugproxy (bugproxy) on 2020-05-20
tags: added: verification-done-focal
removed: verification-needed-focal

------- Comment From <email address hidden> 2020-05-20 08:49 EDT-------
Verified by IBM

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-37.41

---------------
linux (5.4.0-37.41) focal; urgency=medium

  * CVE-2020-0543
    - SAUCE: x86/speculation/spectre_v2: Exclude Zhaoxin CPUs from SPECTRE_V2
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

 -- Marcelo Henrique Cerri <email address hidden> Wed, 03 Jun 2020 11:24:23 -0300

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released

All autopkgtests for the newly accepted linux-oracle-5.4 (5.4.0-1019.19~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-oracle-5.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-42.46

---------------
linux (5.4.0-42.46) focal; urgency=medium

  * focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

  * focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

  * CVE-2020-11935
    - aufs: do not call i_readcount_inc()

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

  * Update lockdown patches (LP: #1884159)
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

 -- Khalid Elmously <email address hidden> Thu, 09 Jul 2020 19:50:26 -0400

Changed in linux (Ubuntu Groovy):
status: In Progress → Fix Released
Frank Heimes (fheimes) on 2020-07-28
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released

------- Comment From <email address hidden> 2020-07-28 02:37 EDT-------
IBM bugzilla status-> closed, Fix Released with focal
