[UBUNTU 21.04] s390/pci: vfio-pci mmio being disabled erroneously

Bug #1907265 reported by bugproxy on 2020-12-08
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | | High | Skipper Bug Screeners |
linux (Ubuntu) | Status tracked in Hirsute | | |
Focal | | Medium | Frank Heimes |
Groovy | | Medium | Unassigned |
Hirsute | | Medium | Unassigned |

Bug Description

Description: s390/pci: vfio-pci mmio being disabled erroneously
Symptom: PCI virtual functions passed through via vfio-pci are unusable
Problem: The fix for CVE-2020-12888 'abafbc551fdd vfio-pci: Invalidate
               mmaps and block MMIO access on disabled memory' introduced an
               issue which prevented PCI Virtual Functions from being passed-
               through via vfio-pci as VFs are not allowed to have the
               PCI_COMMAND_MEMORY bit enabled per spec. This issue was
               initially thought to be fixed via 'ebfa440ce38b vfio/pci: Fix
               SR-IOV VF handling with MMIO blocking' which removes the
               PCI_COMMAND_MEMORY requirement for VFs but this did not solve
               the issue for virtual functions on s390 that are first passed
               through to an LPAR without their associated physical function
               as they are not identified as VFs in the traditional sense
               (there is no PF available to the host kernel to link to). As a
               result, when passing these devices through to a guest via
               vfio-pci, these devices do not trigger the check added by
               ebfa440ce38b which results in MMIO access from the guest being
               blocked because the PCI_COMMAND_MEMORY bit is off.
Solution: Identify devices beyond traditional linked VFs that vfio must
               consider memory-enabled.
Reproduction: Pass a PCI Virtual Function to a qemu-kvm guest via vfio-pci
Upstream-ID: 12856e7acde4702b7c3238c15fcba86ff6aa507f
               08b6e22b850c28b6032da1e4d767a33116e23dfb
               515ecd5368f1510152fa4f9b9ce55b66ac56c334

These patches need to be applied for 20.10 and 20.04.
The git-commits will apply cleanly on the dedicated kernels.

Many thx
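
A userspace C model of the memory-enabled check described in the report above, added here as an illustration; it is not code from the kernel or from this bug report. `struct model_dev`, the function names and the sample devices are constructed, while `is_virtfn` and `no_command_memory` mirror the `struct pci_dev` flags that the three listed commits deal with.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_COMMAND_MEMORY 0x2 /* Memory Space Enable bit of the PCI command register */

/* Simplified stand-in for the relevant struct pci_dev state (assumption, not the kernel struct). */
struct model_dev {
    const char *name;
    bool is_virtfn;         /* set only when the host kernel linked the VF to its PF */
    bool no_command_memory; /* set for VFs by 12856e7acde4 (generic) and 08b6e22b850c (s390) */
    uint16_t cmd;           /* command register value as seen by vfio-pci */
};

/* Check as it stood after ebfa440ce38b: only linked VFs skip the bit test. */
static bool mem_enabled_is_virtfn(const struct model_dev *d)
{
    return d->is_virtfn || (d->cmd & PCI_COMMAND_MEMORY);
}

/* Check after 515ecd5368f1: the exemption is keyed on no_command_memory. */
static bool mem_enabled_decoupled(const struct model_dev *d)
{
    return d->no_command_memory || (d->cmd & PCI_COMMAND_MEMORY);
}

/* Constructed sample devices covering the cases named in the report. */
static const struct model_dev devs[] = {
    { "PF, memory enabled",      false, false, PCI_COMMAND_MEMORY },
    { "PF, memory disabled",     false, false, 0 },
    { "VF linked to host PF",    true,  true,  0 },
    { "s390 VF, PF not in LPAR", false, true,  0 },
};

int main(void)
{
    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
        printf("%-24s is_virtfn check: %-8s decoupled check: %s\n", devs[i].name,
               mem_enabled_is_virtfn(&devs[i]) ? "allowed" : "blocked",
               mem_enabled_decoupled(&devs[i]) ? "allowed" : "blocked");
    return 0;
}
```

The second row is the case the CVE-2020-12888 fix exists for: a function with memory decoding turned off stays blocked under both checks, so the later commits widen the exemption only for devices that never implement the bit.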


bugproxy (bugproxy) on 2020-12-08
tags: added: architecture-s39064 bugnameltc-190039 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes) on 2020-12-08
Changed in ubuntu-z-systems:
importance: Undecided → High
status: New → Triaged
Frank Heimes (fheimes) wrote :

The patches/commits needed were upstream accepted with 5.10:
12856e7acde4 "PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY"
08b6e22b850c "s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY"
515ecd5368f1 "vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn"
I'm updating the Hirsute entry to In Progress, since 5.10 will soon migrate to the Hirsute archive.

Changed in linux (Ubuntu Hirsute):
status: New → In Progress
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu Focal):
assignee: nobody → Frank Heimes (fheimes)
Changed in linux (Ubuntu Groovy):
assignee: nobody → Frank Heimes (fheimes)
Frank Heimes (fheimes) wrote :

The patches are as follows:
60877c26d6ed "PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY"
f87c055c0321 "s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY"
97011440b167 "vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn"
already part of groovy, starting with Ubuntu-5.8.0-30.32.
And since we are already at level:
linux-generic | 5.8.0.31.36 | groovy-updates | s390x
I'm closing the groovy entry as Fix Released.

Changed in linux (Ubuntu Groovy):
status: New → Fix Released
assignee: Frank Heimes (fheimes) → nobody
Frank Heimes (fheimes) wrote :

The patches are also partly in focal:
fb5c915cdd37 "PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY"
23af8153d85e "vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn"
They came in 'Focal update: v5.4.73 upstream stable release' LP 1902115.

However, 08b6e22b850c "vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn" is missing.
I checked all other upstream stable bugs for focal, this one is not addressed.

Hence this ticket boils down to cherry picking 08b6e22b850c "s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY" into focal master-next.

Changed in linux (Ubuntu Focal):
status: New → In Progress
Frank Heimes (fheimes) wrote :

A kernel test build based on focal master-next completed and is shared here:
https://people.canonical.com/~fheimes/lp1907265/

------- Comment From <email address hidden> 2020-12-08 17:39 EDT-------
Thanks! I tested the provided focal build and was able to verify that it resolves the issue.

Re: groovy -- Sorry, my mistake; I was not looking at the latest versions of groovy/focal when listing which patches needed backporting. I did also just now verify your assertion that this issue is already resolved in the latest groovy as well, so thanks again.

Frank Heimes (fheimes) on 2020-12-09
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Frank Heimes (fheimes) wrote :

Thx Matthew for the quick test.

I've now submitted the kernel SRU for the remaining fix for focal:
https://lists.ubuntu.com/archives/kernel-team/2020-December/thread.html#115495
and changed the status to 'In Progress' for focal.

Stefan Bader (smb) on 2020-12-14
Changed in linux (Ubuntu Groovy):
importance: Undecided → Medium
Changed in linux (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in linux (Ubuntu Focal):
importance: Undecided → Medium
bugproxy (bugproxy) on 2020-12-15
tags: added: targetmilestone-inin2104
removed: targetmilestone-inin---
Ian (ian-may) on 2020-12-17
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Frank Heimes (fheimes) on 2020-12-17
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-02-05 05:41 EDT-------
focal build successfully tested.

Frank Heimes (fheimes) wrote :

thx, I'm adjusting the tag accordingly

tags: added: verification-done-focal
removed: verification-needed-focal
Frank Heimes (fheimes) wrote :

Now that kernel 5.10 landed in hirsute's release pocket:
linux-generic | 5.10.0.14.16 | hirsute
the 'hirsute' part can be updated to 'Fix Released'.

Changed in linux (Ubuntu Hirsute):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-66.74

---------------
linux (5.4.0-66.74) focal; urgency=medium

  * focal/linux: 5.4.0-66.74 -proposed tracker (LP: #1913152)

  * Add support for selective build of special drivers (LP: #1912789)
    - [Packaging] Add support for ODM drivers
    - [Packaging] Turn on ODM support for amd64

  * Packaging resync (LP: #1786013)
    - update dkms package versions
    - update dkms package versions

  * Introduce the new NVIDIA 460-server series and update the 460 series
    (LP: #1913200)
    - [Config] dkms-versions -- drop NVIDIA 435 455 and 440-server
    - [Config] dkms-versions -- add the 460-server nvidia driver

  * Enable mute and micmute LED on HP EliteBook 850 G7 (LP: #1910102)
    - ALSA: hda/realtek: Enable mute and micmute LED on HP EliteBook 850 G7

  * SYNA30B4:00 06CB:CE09 Mouse on HP EliteBook 850 G7 not working at all
    (LP: #1908992)
    - HID: multitouch: Enable multi-input for Synaptics pointstick/touchpad device

  * HD Audio Device PCI ID for the Intel Cometlake-R platform (LP: #1912427)
    - SAUCE: ALSA: hda: Add Cometlake-R PCI ID

  * switch to an autogenerated nvidia series based core via dkms-versions
    (LP: #1912803)
    - [Packaging] nvidia -- use dkms-versions to define versions built
    - [Packaging] update-version-dkms -- maintain flags fields
    - [Config] dkms-versions -- add transitional/skip information for nvidia
      packages

  * udpgro.sh in net from ubuntu_kernel_selftests seems not reflecting sub-test
    result (LP: #1908499)
    - selftests: fix the return value for UDP GRO test

  * qede: Kubernetes Internal DNS Failure due to QL41xxx NIC not supporting IPIP
    tx csum offload (LP: #1909062)
    - qede: fix offload for IPIP tunnel packets

  * Use DCPD to control HP DreamColor panel (LP: #1911001)
    - SAUCE: drm/dp: Another HP DreamColor panel brigntness fix

  * kvm: Windows 2k19 with Hyper-v role gets stuck on pending hypervisor
    requests on cascadelake based kvm hosts (LP: #1911848)
    - KVM: x86: Set KVM_REQ_EVENT if run is canceled with req_immediate_exit set

  * Ubuntu 20.10 four needed fixes to 'Add driver for Mellanox Connect-IB
    adapters' (LP: #1905574)
    - net/mlx5: Fix a race when moving command interface to polling mode

  * Fix right sounds and mute/micmute LEDs for HP ZBook Fury 15/17 G7 Mobile
    Workstation (LP: #1910561)
    - ALSA: hda/realtek: fix right sounds and mute/micmute LEDs for HP machines

  * Ubuntu 20.04 - multicast counter is not increased in ip -s (LP: #1901842)
    - net/mlx5e: Fix multicast counter not up-to-date in "ip -s"

  * eeh-basic.sh in powerpc from ubuntu_kernel_selftests timeout with 5.4 P8 /
    P9 (LP: #1882503)
    - selftests/powerpc/eeh: disable kselftest timeout setting for eeh-basic

  * DMI entry syntax fix for Pegatron / ByteSpeed C15B (LP: #1910639)
    - Input: i8042 - unbreak Pegatron C15B

  * CVE-2020-29372
    - mm: check that mm is still valid in madvise()

  * update ENA driver, incl. new ethtool stats (LP: #1910291)
    - net: ena: Change WARN_ON expression in ena_del_napi_in_range()
    - net: ena: ethtool: convert stat_offset to 64 bit resolution
    - net: ena: eth...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Frank Heimes (fheimes) on 2021-02-23
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-02-24 05:15 EDT-------
IBM Bugzilla status->closed, Fix Released for all requested distros
