Ubuntu
linux package

[UBUNTU 20.04] mlx5 driver crashes on accessing device attributes during recovery

Bug #1987287 reported by bugproxy on 2022-08-22

This bug affects 1 person

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	Fix Released	High	Skipper Bug Screeners
linux (Ubuntu)	Invalid	Undecided	Unassigned
Focal	Fix Released	Medium	Canonical Kernel Team

Bug Description

SRU Justification:
------------------

[Impact]

* If the mlx5 driver is reloading while the recovery flow is happening,
   and if it receives new commands before the command interface is up
   again, this can lead to null pointer that tries to access non-
   initialized command structures.

* So it's required to avoid processing commands before the command
interface is up again.

* This is accomplished by a new cmdif state that helps to avoid
processing commands while cmdif is not ready.

[Fix]

* backport of f7936ddd35d8 f7936ddd35d8b849daf0372770c7c9dbe7910fca "net/mlx5: Avoid processing commands before cmdif is ready"

[Test Plan]

* An Ubuntu Server for s390x 18.04 or 20.04 LPAR or z/VM installation
is needed that has Mellanox cards (RoCE Express 2.1) assigned,
configured and enabled and that runs a 5.4 kernel (on bionic hwe-5.4).

* Now trigger a recovery (guess that can be done at the Support Element)
and reload the driver at the same time.

* Make sure the module/driver mlx5 is loaded and in use
(otherwise it can't be removed/unloaded).

* Now remove/unload the module with:
   sudo modprobe -r mlx5
   and (re-)load it again with:
   sudo modprobe mlx5

* Due to the lack of RoCE Express 2.1 hardware,
IBM needs to do the verification.

[Where problems could occur]

* In case there is an issue with 'cmdif' it might not have the correct
   interface state, which:
   - either might lead to the fact that commands are not properly blocked
     and the situation is similar like before
   - or the commands may get always blocked,
     which render the hardware useless
   - or might block in wrong situation,
     which will cause unexpected issues and broken behavior.

* Since the patch got upstream accepted with v5.7-rc7 it's
not new to the kernel, was already part of groovy (and above)
and is therefor already in use by newer Ubuntu releases.

[Other Info]

* Since the patch is upstream since v5.7-rc7,
it's already included in jammy and kinetic.

* Since the upstream patch incl. the line:
   Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox
   Connect-IB adapters") it looks to me that it was forgotten
   to mark the patch for upstream stable updates.

* Such SRUs for focal's 5.4 will automatically land in bionic's
hwe-5.4, too. But since this was especially requested for
bionic's hwe-5.4, I wanted to mention this here.
__________

We recently got a bug report for systems running Ubuntu 20.04 that were
crashing with backtraces pointing at the mlx5 driver's handling of mlx5_ethtool_get_link_ksettings()
when this is called through the sysfs (going through ethtool might have different checks).
I managed to find a reliable way to reproduce the issue that I believe isn't tied to IBM Z at all.

The procedure to reproduce is as follows. I created a script to read
the sysfs attributes for the link's speed and duplex mode in a loop:

#!/usr/bin/env bash

if [ $# -lt 1 ]; then
echo "Usage: $0 <netif>"
exit 1
fi

while true; do
cat /sys/class/net/$1/duplex > /dev/null
cat /sys/class/net/$1/speed > /dev/null
done

Executed with:

# ./script.sh enP10p0s0

I ran this in one bash session and then in another one I triggered a PCI reset with
the follwoing command where one needs to replace <dev> with the PCI address of the NIC:

echo 1 > /sys/bus/pci/devices/<dev>/reset

Then first I got a lot of the following messages:

mlx5_core 0010:00:00.0 enP16p0s0: mlx5e_ethtool_get_link_ksettings: query port ptys failed: -5

And then as the mlx5 driver's recovery kicks in the oops as below:

[ 659.103947] mlx5_core 0010:00:00.0: wait vital counter value 0x7b399f after 1 iterations
[ 659.103947] mlx5_core 0010:00:00.0: mlx5_pci_resume was called
[ 659.103966] mlx5_core 0010:00:00.0: firmware version: 14.32.1010
[ 659.104169] Unable to handle kernel pointer dereference in virtual kernel address space
[ 659.104171] Failing address: 0000000000000000 TEID: 0000000000000483
[ 659.104172] Fault in home space mode while using kernel ASCE.
[ 659.104173] AS:000000003d29c007 R3:00000000fffd0007 S:00000000fffd5800 P:000000000000003d
[ 659.104200] Oops: 0004 ilc:2 [#1] SMP
[ 659.104202] Modules linked in: s390_trng ism smc pnet chsc_sch eadm_sch vfio_ccw vfio_mdev mdev vfio_iommu_type1 vfio sch_fq_codel drm drm_panel_orientation_quirks i2c_core ip_tables x_tables btrfs zstd_compress zlib_deflate raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 linear mlx5_ib dm_service_time pkey zcrypt crc32_vx_s390 ib_uverbs ghash_s390 ib_core qeth_l2 prng aes_s390 des_s390 nvme libdes sha3_512_s390 sha3_256_s390 sha512_s390 sha256_s390 sha1_s390 sha_common mlx5_core tls mlxfw ptp nvme_core pps_core dasd_eckd_mod dasd_mod zfcp scsi_transport_fc qeth qdio ccwgroup scsi_dh_emc scsi_dh_rdac scsi_dh_alua dm_multipath
[ 659.104232] CPU: 6 PID: 438216 Comm: cat Not tainted 5.4.0-124-generic #140-Ubuntu
[ 659.104233] Hardware name: IBM 3931 XYZ XXXX (LPAR)
[ 659.104234] Krnl PSW : 0404c00180000000 000000003bfa661e (__queue_work+0xfe/0x520)
[ 659.104241] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
[ 659.104242] Krnl GPRS: 000000003c291570 0000000000000000 0000000000000007 000000007fffffff
[ 659.104243] 00000000e2fe46e0 0000000fffffffe0 0000000000000006 000000003d039588
[ 659.104244] 0000000000000000 0000000000000000 00000000e2fe46e0 00000000bfb3e000
[ 659.104245] 00000000e194c400 000003e007d6fb78 000000003bfa6602 000003e007d6f860
[ 659.104251] Krnl Code: 000000003bfa6612: a77400e5 brc 7,000000003bfa67dc
                          000000003bfa6616: 582003ac l %r2,940
                         #000000003bfa661a: a7180000 lhi %r1,0
                         >000000003bfa661e: ba129000 cs %r1,%r2,0(%r9)
                          000000003bfa6622: a77401a7 brc 7,000000003bfa6970
                          000000003bfa6626: e310b0180012 lt %r1,24(%r11)
                          000000003bfa662c: a78400ff brc 8,000000003bfa682a
                          000000003bfa6630: c0040000004b brcl 0,000000003bfa66c6
[ 659.104261] Call Trace:
[ 659.104263] ([<0000000000000000>] 0x0)
[ 659.104265] [<000000003bfa6aa2>] queue_work_on+0x62/0x70
[ 659.104329] [<000003ff80a2920a>] cmd_exec+0x4ea/0x840 [mlx5_core]
[ 659.104349] [<000003ff80a29680>] mlx5_cmd_exec+0x40/0x70 [mlx5_core]
[ 659.104369] [<000003ff80a334a8>] mlx5_core_access_reg+0x108/0x150 [mlx5_core]
[ 659.104387] [<000003ff80a3354e>] mlx5_query_port_ptys+0x5e/0x70 [mlx5_core]
[ 659.104407] [<000003ff80a5b928>] mlx5e_ethtool_get_link_ksettings+0x58/0x460 [mlx5_core]
[ 659.104410] [<000000003c662a68>] duplex_show+0x78/0xe0
[ 659.104414] [<000000003c538ecc>] dev_attr_show+0x2c/0x70
[ 659.104417] [<000000003c293386>] sysfs_kf_seq_show+0xa6/0x150
[ 659.104420] [<000000003c207470>] seq_read+0xe0/0x4f0
[ 659.104422] [<000000003c1d4cf4>] vfs_read+0x94/0x160
[ 659.104423] [<000000003c1d4ea8>] ksys_read+0x68/0x100
[ 659.104426] [<000000003c7f2034>] system_call+0xd8/0x2c8
[ 659.104427] Last Breaking-Event-Address:
[ 659.104428] [<000000003bfa65d6>] __queue_work+0xb6/0x520
[ 659.104430] ---[ end trace 9fc1a6358b456876 ]---

Digging into the code and git history I found the following upstream commit added in v5.7
which besides being part of the 5.6.x stable patches somehow didn't make it into
the 5.4.x stable queue nor Ubuntu 20.04, possibly because there is a (trivial) merge conflict:

commit f7936ddd35d8b849daf0372770c7c9dbe7910fca
Author: Eran Ben Elisha <email address hidden>
Date: Thu Mar 19 21:43:13 2020 +0200

net/mlx5: Avoid processing commands before cmdif is ready

    When driver is reloading during recovery flow, it can't get new commands
    till command interface is up again. Otherwise we may get to null pointer
    trying to access non initialized command structures.

Add cmdif state to avoid processing commands while cmdif is not ready.

    Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
    Signed-off-by: Eran Ben Elisha <email address hidden>
    Signed-off-by: Moshe Shemesh <email address hidden>
    Signed-off-by: Saeed Mahameed <email address hidden>

With a quick backport onto 5.4.0-124.140 (patch attached below) the issue is gone
and the system no longer crashes but instead recovers successfully. I believe the
crash we saw is then exactly the null pointer access mentioned in the commit description.

== Comment: #4 - Niklas Schnelle - 2022-08-22 06:41:41 ==
There was only a trivial merge conflict where the context
of the struct decleration changed.

See original description

Tags:

CVE References

2022-3176

Revision history for this message

bugproxy (bugproxy) wrote on 2022-08-22: Backport of upstream commit to 5.4.0-124.140

Backport of upstream commit to 5.4.0-124.140 Edit (4.5 KiB, text/plain)

Default Comment by Bridge

tags:	added: architecture-s3903164 bugnameltc-199463 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-08-22:

The patch mentioned is upstream since kernel v5.7-rc7,
hence it's only needed for focal (already incl. in jammy and kinetic).

Changed in ubuntu-z-systems:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
importance:	Undecided → High
Changed in linux (Ubuntu):
status:	New → Invalid
Changed in linux (Ubuntu Focal):
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu):
assignee:	Skipper Bug Screeners (skipper-screen-team) → nobody

Revision history for this message

bugproxy (bugproxy) wrote on 2022-08-22: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-08-22 11:48 EDT-------
@Canonical:
As the problem occurred in the Cloud environment running on a 18.04 HWE kernel, we need to make sure that the fix will also be included there.

With adding to focal, will the patch land in 18.04 HWE kernel as well or do we need to open an additional separate bug / launchpad entry for the 18.04 HWE kernel?

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-08-22:

Yes, if it get it incl. in the focal 5.4 (GA), it will automatically find it's way into the bionic hwe-5.4 as well.

Revision history for this message

bugproxy (bugproxy) wrote on 2022-08-30:

------- Comment From <email address hidden> 2022-08-30 12:28 EDT-------
@Canonical, I'd like to know that when will the fix be back ported to hwe-5.4 kernel? Will it be a new hotpatch like this one ? https://launchpad.net/~canonical-support-eng/+archive/ubuntu/sf334332 or something else. Thanks so much. Sorry I am not familiar with the process, and just like to know how can I include the fix in our cloud environment. Thanks.

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-08-30:

Hello 'nafeiy', we indeed wanted to pick this up in the next days.
Just notice that this is a development bug, opened at the Launchpad bug tracking system, that is mainly used for development.

We will usually produce a patched 20.04/focal/5.4 test kernel, that we make a available via a so called PPA (a special repository).
It will take then some steps in our SRU cycle until this patched kernel gets released.
These are the upcoming kernel Service Release Cycles (SRUs): https://kernel.ubuntu.com/

This 5.4 kernel will then be migrated by our kernel team to 18.04/bionic/hwe-5.4.
But in this case we may also create a dedicated hwe-5.4 test kernel for bionic for you, to save you some time.

The process for hotfixes is a different.

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-08-31:

Test kernels are now available in the following PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1987287
(20.04/focal 5.4 as well as 18.04.5/bionic hwe-5.4)

Frank Heimes (fheimes) on 2022-08-31

description:

updated

Frank Heimes (fheimes) on 2022-09-01

description:

updated

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-09-01:

Kernel SRU request submitted for focal:
https://lists.ubuntu.com/archives/kernel-team/2022-September/thread.html#132957
changing status to 'In Progress'.

Changed in linux (Ubuntu Focal):
status:	New → In Progress
Changed in ubuntu-z-systems:
status:	New → In Progress
Changed in linux (Ubuntu Focal):
assignee:	Skipper Bug Screeners (skipper-screen-team) → Canonical Kernel Team (canonical-kernel-team)

Revision history for this message

bugproxy (bugproxy) wrote on 2022-09-05:

------- Comment From <email address hidden> 2022-09-05 08:55 EDT-------
(In reply to comment #16)
> Hello 'nafeiy', we indeed wanted to pick this up in the next days.
> Just notice that this is a development bug, opened at the Launchpad bug
> tracking system, that is mainly used for development.
>
> We will usually produce a patched 20.04/focal/5.4 test kernel, that we make
> a available via a so called PPA (a special repository).
> It will take then some steps in our SRU cycle until this patched kernel gets
> released.
> These are the upcoming kernel Service Release Cycles (SRUs):
> https://kernel.ubuntu.com/
>
> This 5.4 kernel will then be migrated by our kernel team to
> 18.04/bionic/hwe-5.4.
> But in this case we may also create a dedicated hwe-5.4 test kernel for
> bionic for you, to save you some time.
>
> The process for hotfixes is a different.

Hi Frank, I tested the provided PPA kernel "5.4.0-126-generic #142~lp1987287-Ubuntu" with the reset while reading duplex/speed test from the original report.
It worked as expected no crash and a clean recovery. Thanks!

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-09-05:

#10

Many thx, Niklas!

Stefan Bader (smb) on 2022-09-14

Changed in linux (Ubuntu Focal):
importance:	Undecided → Medium
status:	In Progress → Fix Committed

Frank Heimes (fheimes) on 2022-09-14

Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-09-22:

#11

This bug is awaiting verification that the linux/5.4.0-128.144 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message

bugproxy (bugproxy) wrote on 2022-09-26:

#12

------- Comment From <email address hidden> 2022-09-26 04:01 EDT-------
@(In reply to comment #21)
> This bug is awaiting verification that the linux/5.4.0-128.144 kernel in
> -proposed solves the problem. Please test the kernel and update this bug
> with the results. If the problem is solved, change the tag
> 'verification-needed-focal' to 'verification-done-focal'. If the problem
> still exists, change the tag 'verification-needed-focal' to
> 'verification-failed-focal'.
>
> If verification is not done by 5 working days from today, this fix will be
> dropped from the source code, and this bug will be closed.
>
> See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
> enable and use -proposed. Thank you!

@Niklas Schnelle , I also tested this fix on our development mzone, it works. So please go ahead to next step. Thanks.

root@dal1-qz2-sr3-rk196-s12:/home/sysop# uname -a
Linux dal1-qz2-sr3-rk196-s12 5.4.0-125-generic #141~18.04.1~lp1987287-Ubuntu SMP Wed Aug 31 08:38:45 UTC 2022 s390x s390x s390x GNU/Linux

It works after we include this lp1987287 fix.

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-09-26:

#13

Thx for testing!
The further process is already in place and on a high level (just dates) described here:
https://kernel.ubuntu.com/
So this fix is now incl. in the kernel SRU cycle "2022.09.19".
Means the updated kernel that incl. the fix will soon (ideally today) land in the '-proposed' pocket of the archive (and will be installable by everyone who has '-proposed' enabled.
And if no significant issues arise during the "Bug verification & Regression testing" phase, it will be released on '10-Oct'.
That is the currently plan (however, highly severe and critical fixes and CVE have the power to overrule this planned schedule, but this fortunately does not happen very often).

Revision history for this message

bugproxy (bugproxy) wrote on 2022-09-26:

#14

------- Comment From <email address hidden> 2022-09-26 05:58 EDT-------
(In reply to comment #23)
> Thx for testing!
> The further process is already in place and on a high level (just dates)
> described here:
> https://kernel.ubuntu.com/
> So this fix is now incl. in the kernel SRU cycle "2022.09.19".
> Means the updated kernel that incl. the fix will soon (ideally today) land
> in the '-proposed' pocket of the archive (and will be installable by
> everyone who has '-proposed' enabled.
> And if no significant issues arise during the "Bug verification & Regression
> testing" phase, it will be released on '10-Oct'.
> That is the currently plan (however, highly severe and critical fixes and
> CVE have the power to overrule this planned schedule, but this fortunately
> does not happen very often).

I confirmed this works as expected now on 5.4.0-128-generic from proposed.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-10-10:

#15

Download full text (19.8 KiB)

This bug was fixed in the package linux - 5.4.0-128.144

---------------
linux (5.4.0-128.144) focal; urgency=medium

* focal/linux: 5.4.0-128.144 -proposed tracker (LP: #1990152)

* CVE-2022-3176
- io_uring: disable polling pollfree files

  * ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809)
    - selftests/net: test nexthop without gw

  * ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809) // icmp_redirect.sh in ubuntu_kernel_selftests failed on
    Jammy 5.15.0-49.55 (LP: #1990124)
    - ip: fix triggering of 'icmp redirect'

linux (5.4.0-127.143) focal; urgency=medium

* focal/linux: 5.4.0-127.143 -proposed tracker (LP: #1989892)

* Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2022.09.19)

  * [UBUNTU 20.04] mlx5 driver crashes on accessing device attributes during
    recovery (LP: #1987287)
    - net/mlx5: Avoid processing commands before cmdif is ready

  * Focal update: v5.4.210 upstream stable release (LP: #1989230)
    - thermal: Fix NULL pointer dereferences in of_thermal_ functions
    - ACPI: video: Force backlight native for some TongFang devices
    - ACPI: video: Shortening quirk list by identifying Clevo by board_name only
    - ACPI: APEI: Better fix to avoid spamming the console with old error logs
    - bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()
    - selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads
    - bpf: Test_verifier, #70 error message updates for 32-bit right shift
    - KVM: Don't null dereference ops->destroy
    - selftests: KVM: Handle compiler optimizations in ucall
    - media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls
    - macintosh/adb: fix oob read in do_adb_query() function
    - x86/speculation: Add RSB VM Exit protections
    - x86/speculation: Add LFENCE to RSB fill sequence
    - Linux 5.4.210

This bug was fixed in the package linux - 5.4.0-128.144

---------------
linux (5.4.0-128.144) focal; urgency=medium

* focal/linux: 5.4.0-128.144 -proposed tracker (LP: #1990152)

* CVE-2022-3176
    - io_uring: disable polling pollfree files

* ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809)
    - selftests/net: test nexthop without gw

linux (5.4.0-127.143) focal; urgency=medium

* focal/linux: 5.4.0-127.143 -proposed tracker (LP: #1989892)

* Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2022.09.19)

* [UBUNTU 20.04] mlx5 driver crashes on accessing device attributes during
    recovery (LP: #1987287)
    - net/mlx5: Avoid processing commands before cmdif is ready

* Focal update: v5.4.209 upstream stable release (LP: #1989228)
    - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
    - ntfs: fix use-after-free in ntfs_ucsncmp()
    - s390/archrandom: prevent CPACF trng invocations in interrupt context
    - tcp: Fix data-races around sysctl_tcp_dsack.
    - tcp: Fix a data-race around sysctl_tcp_app_win.
    - tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
    - tcp: Fix a data-race around sysctl_tcp_frto.
    - tcp: Fix a data-race around sysctl_tcp_nometrics_save.
    - ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
    - ice: do not setup vlan for loopback VSI
    - scsi: ufs: host: Hold reference returned by of_parse_phandle()
    - tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
    - tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
    - net: ping6: Fix memleak in ipv6_renew_options().
    - ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
    - igmp: Fix data-races around sysctl_igmp_qrv.
    - net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
    - tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
    - tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
    - tcp: Fix a data-race around sysctl_tcp_autocorking.
    - tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
    - Documentation: fix sctp_wmem in ip-sysctl.rst
    - tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
    - tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
    - i40e: Fix interface init with MSI interrupts (no MSI-X)
    - sctp: fix sleep in atomic context bug in timer handlers
    - virtio-net: fix the race between refill work and close
    - perf symbol: Correct address for bss symbols
    - sfc: disable softirqs for ptp TX
    - sctp: leave the err path free in sctp_stream_init to sctp_stream_free
    - ARM: crypto: comment out gcc warning that breaks clang builds
    - mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle.
    - scsi: core: Fix race between handling STS_RESOURCE and completion
    - Linux 5.4.209

* Focal update: v5.4.208 upstream stable release (LP: #1988225)
    - pinctrl: stm32: fix optional IRQ support to gpios
    - riscv: add as-options for modules with assembly compontents
    - mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication
    - lockdown: Fix kexec lockdown bypass with ima policy
    - xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE
    - PCI: hv: Fix multi-MSI to allow more than one MSI vector
    - PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI
    - PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()
    - PCI: hv: Fix interrupt mapping for multi-MSI
    - serial: mvebu-uart: correctly report configured baudrate value
    - xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in
      xfrm_bundle_lookup()
    - power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe
    - pinctrl: ralink: Check for null return of devm_kcalloc
    - perf/core: Fix data race between perf_event_set_output() and
      perf_mmap_close()
    - igc: Reinstate IGC_REMOVED logic and implement it properly
    - ip: Fix data-races around sysctl_ip_no_pmtu_disc.
    - ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
    - ip: Fix data-races around sysctl_ip_nonlocal_bind.
    - ip: Fix a data-race around sysctl_fwmark_reflect.
    - tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.
    - tcp: Fix data-races around sysctl_tcp_mtu_probing.
    - tcp: Fix data-races around sysctl_tcp_base_mss.
    - tcp: Fix data-races around sysctl_tcp_min_snd_mss.
    - tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor.
    - tcp: Fix a data-race around sysctl_tcp_probe_threshold.
    - tcp: Fix a data-race around sysctl_tcp_probe_interval.
    - i2c: cadence: Change large transfer count reset logic to be unconditional
    - net: stmmac: fix dma queue left shift overflow issue
    - net/tls: Fix race in TLS device down flow
    - igmp: Fix data-races around sysctl_igmp_llm_reports.
    - igmp: Fix a data-race around sysctl_igmp_max_memberships.
    - tcp: Fix data-races around sysctl_tcp_syncookies.
    - tcp: Fix data-races around sysctl_tcp_reordering.
    - tcp: Fix data-races around some timeout sysctl knobs.
    - tcp: Fix a data-race around sysctl_tcp_notsent_lowat.
    - tcp: Fix a data-race around sysctl_tcp_tw_reuse.
    - tcp: Fix data-races around sysctl_max_syn_backlog.
    - tcp: Fix data-races around sysctl_tcp_fastopen.
    - iavf: Fix handling of dummy receive descriptors
    - i40e: Fix erroneous adapter reinitialization during recovery process
    - ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero
    - gpio: pca953x: only use single read/write for No AI mode
    - be2net: Fix buffer overflow in be_get_module_eeprom
    - ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh.
    - udp: Fix a data-race around sysctl_udp_l3mdev_accept.
    - tcp: Fix data-races around sysctl knobs related to SYN option.
    - tcp: Fix a data-race around sysctl_tcp_early_retrans.
    - tcp: Fix data-races around sysctl_tcp_recovery.
    - tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.
    - tcp: Fix data-races around sysctl_tcp_slow_start_after_idle.
    - tcp: Fix a data-race around sysctl_tcp_retrans_collapse.
    - tcp: Fix a data-race around sysctl_tcp_stdurg.
    - tcp: Fix a data-race around sysctl_tcp_rfc1337.
    - tcp: Fix data-races around sysctl_tcp_max_reordering.
    - spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA
      transfers
    - mm/mempolicy: fix uninit-value in mpol_rebind_policy()
    - bpf: Make sure mac_header was set before using it
    - dlm: fix pending remove if msg allocation fails
    - ima: remove the IMA_TEMPLATE Kconfig option
    - [Config] updateconfigs for IMA_TEMPLATE
    - locking/refcount: Define constants for saturation and max refcount values
    - locking/refcount: Ensure integer operands are treated as signed
    - locking/refcount: Remove unused refcount_*_checked() variants
    - locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the
      <linux/refcount.h> header
    - locking/refcount: Improve performance of generic REFCOUNT_FULL code
    - locking/refcount: Move saturation warnings out of line
    - locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions
    - locking/refcount: Consolidate implementations of refcount_t
    - [Config] updateconfigs for REFCOUNT_FULL
    - x86: get rid of small constant size cases in raw_copy_{to,from}_user()
    - x86/uaccess: Implement macros for CMPXCHG on user addresses
    - mmap locking API: initial implementation as rwsem wrappers
    - x86/mce: Deduplicate exception handling
    - bitfield.h: Fix "type of reg too small for mask" test
    - ALSA: memalloc: Align buffer allocations in page size
    - Bluetooth: Add bt_skb_sendmsg helper
    - Bluetooth: Add bt_skb_sendmmsg helper
    - Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg
    - Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg
    - Bluetooth: Fix passing NULL to PTR_ERR
    - Bluetooth: SCO: Fix sco_send_frame returning skb->len
    - Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks
    - tty: drivers/tty/, stop using tty_schedule_flip()
    - tty: the rest, stop using tty_schedule_flip()
    - tty: drop tty_schedule_flip()
    - tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()
    - tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()
    - x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm()
    - Linux 5.4.208

* Focal update: v5.4.207 upstream stable release (LP: #1988219)
    - ALSA: hda - Add fixup for Dell Latitidue E5430
    - ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
    - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
    - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221
    - ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
    - xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
    - tracing/histograms: Fix memory leak problem
    - net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale
      pointer
    - ip: fix dflt addr selection for connected nexthop
    - ARM: 9213/1: Print message about disabled Spectre workarounds only once
    - ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction
    - wifi: mac80211: fix queue selection for mesh/OCB interfaces
    - cgroup: Use separate src/dst nodes when preloading css_sets for migration
    - drm/panfrost: Fix shrinker list corruption by madvise IOCTL
    - nilfs2: fix incorrect masking of permission flags for symlinks
    - Revert "evm: Fix memleak in init_desc"
    - sched/rt: Disable RT_RUNTIME_SHARE by default
    - ext4: fix race condition between ext4_write and ext4_convert_inline_data
    - ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count
    - ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle
    - ARM: 9210/1: Mark the FDT_FIXED sections as shareable
    - drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()
    - ima: Fix a potential integer overflow in ima_appraise_measurement
    - ASoC: sgtl5000: Fix noise on shutdown/remove
    - net: stmmac: dwc-qos: Disable split header for Tegra194
    - inetpeer: Fix data-races around sysctl.
    - net: Fix data-races around sysctl_mem.
    - cipso: Fix data-races around sysctl.
    - icmp: Fix data-races around sysctl.
    - ipv4: Fix a data-race around sysctl_fib_sync_mem.
    - ARM: dts: at91: sama5d2: Fix typo in i2s1 node
    - ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero
    - drm/i915/gt: Serialize TLB invalidates with GT resets
    - icmp: Fix a data-race around sysctl_icmp_ratelimit.
    - icmp: Fix a data-race around sysctl_icmp_ratemask.
    - raw: Fix a data-race around sysctl_raw_l3mdev_accept.
    - ipv4: Fix data-races around sysctl_ip_dynaddr.
    - net: ftgmac100: Hold reference returned by of_get_child_by_name()
    - sfc: fix use after free when disabling sriov
    - seg6: fix skb checksum evaluation in SRH encapsulation/insertion
    - seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors
    - seg6: bpf: fix skb checksum in bpf_push_seg6_encap()
    - sfc: fix kernel panic when creating VF
    - mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE
    - virtio_mmio: Add missing PM calls to freeze/restore
    - virtio_mmio: Restore guest page size on resume
    - netfilter: br_netfilter: do not skip all hooks with 0 priority
    - cpufreq: pmac32-cpufreq: Fix refcount leak bug
    - platform/x86: hp-wmi: Ignore Sanitization Mode event
    - net: tipc: fix possible refcount leak in tipc_sk_create()
    - NFC: nxp-nci: don't print header length mismatch on i2c error
    - nvme: fix regression when disconnect a recovering ctrl
    - net: sfp: fix memory leak in sfp_probe()
    - ASoC: ops: Fix off by one in range control validation
    - ASoC: wm5110: Fix DRE control
    - ASoC: cs47l15: Fix event generation for low power mux control
    - ASoC: madera: Fix event generation for OUT1 demux
    - ASoC: madera: Fix event generation for rate controls
    - irqchip: or1k-pic: Undefine mask_ack for level triggered hardware
    - x86: Clear .brk area at early boot
    - soc: ixp4xx/npe: Fix unused match warning
    - ARM: dts: stm32: use the correct clock source for CEC on stm32mp151
    - signal handling: don't use BUG_ON() for debugging
    - USB: serial: ftdi_sio: add Belimo device ids
    - usb: typec: add missing uevent when partner support PD
    - usb: dwc3: gadget: Fix event pending check
    - tty: serial: samsung_tty: set dma burst_size to 1
    - serial: 8250: fix return error code in serial8250_request_std_resource()
    - serial: stm32: Clear prev values before setting RTS delays
    - serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle
    - can: m_can: m_can_tx_handler(): fix use after free of skb
    - Linux 5.4.207

* Focal update: v5.4.206 upstream stable release (LP: #1988215)
    - Linux 5.4.206

* Focal update: v5.4.205 upstream stable release (LP: #1988214)
    - esp: limit skb_page_frag_refill use to a single page
    - mm/slub: add missing TID updates on slab deactivation
    - can: bcm: use call_rcu() instead of costly synchronize_rcu()
    - can: grcan: grcan_probe(): remove extra of_node_get()
    - can: gs_usb: gs_usb_open/close(): fix memory leak
    - usbnet: fix memory leak in error case
    - net: rose: fix UAF bug caused by rose_t0timer_expiry
    - iommu/vt-d: Fix PCI bus rescan device hot add
    - fbdev: fbmem: Fix logo center image dx issue
    - video: of_display_timing.h: include errno.h
    - powerpc/powernv: delay rng platform device creation until later in boot
    - can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info
    - can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression
    - can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits
    - xfs: remove incorrect ASSERT in xfs_rename
    - ARM: meson: Fix refcount leak in meson_smp_prepare_cpus
    - pinctrl: sunxi: a83t: Fix NAND function name for some pins
    - pinctrl: sunxi: sunxi_pconf_set: use correct offset
    - ARM: at91: pm: use proper compatible for sama5d2's rtc
    - ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt
    - ibmvnic: Properly dispose of all skbs during a failover.
    - selftests: forwarding: fix flood_unicast_test when h2 supports
      IFF_UNICAST_FLT
    - selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT
    - selftests: forwarding: fix error message in learning_test
    - i2c: cadence: Unregister the clk notifier in error path
    - dmaengine: imx-sdma: Allow imx8m for imx7 FW revs
    - misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer
    - misc: rtsx_usb: use separate command and response buffers
    - misc: rtsx_usb: set return value in rsp_buf alloc err path
    - dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo
    - ida: don't use BUG_ON() for debugging
    - dmaengine: pl330: Fix lockdep warning about non-static key
    - dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly
    - dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate
    - dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate
    - Linux 5.4.205

* Focal update: v5.4.204 upstream stable release (LP: #1988212)
    - ipv6: take care of disable_policy when restoring routes
    - nvdimm: Fix badblocks clear off-by-one error
    - powerpc/prom_init: Fix kernel config grep
    - powerpc/bpf: Fix use of user_pt_regs in uapi
    - dm raid: fix accesses beyond end of raid member array
    - dm raid: fix KASAN warning in raid5_add_disks
    - s390/archrandom: simplify back to earlier design and initialize earlier
    - SUNRPC: Fix READ_PLUS crasher
    - net: rose: fix UAF bugs caused by timer handler
    - net: usb: ax88179_178a: Fix packet receiving
    - virtio-net: fix race between ndo_open() and virtio_device_ready()
    - selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test
    - net: tun: unlink NAPI from device on destruction
    - net: tun: stop NAPI when detaching queues
    - RDMA/qedr: Fix reporting QP timeout attribute
    - linux/dim: Fix divide by 0 in RDMA DIM
    - usbnet: fix memory allocation in helpers
    - net: ipv6: unexport __init-annotated seg6_hmac_net_init()
    - caif_virtio: fix race between virtio_device_ready() and ndo_open()
    - PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events
    - s390: remove unneeded 'select BUILD_BIN2C'
    - netfilter: nft_dynset: restore set element counter when failing to update
    - net/sched: act_api: Notify user space if any actions were flushed before
      error
    - net: bonding: fix possible NULL deref in rlb code
    - net: bonding: fix use-after-free after 802.3ad slave unbind
    - nfc: nfcmrvl: Fix irq_of_parse_and_map() return value
    - NFC: nxp-nci: Don't issue a zero length i2c_master_read()
    - net: tun: avoid disabling NAPI twice
    - xen/gntdev: Avoid blocking in unmap_grant_pages()
    - hwmon: (ibmaem) don't call platform_device_del() if platform_device_add()
      fails
    - net: dsa: bcm_sf2: force pause link settings
    - sit: use min
    - ipv6/sit: fix ipip6_tunnel_get_prl return value
    - rseq/selftests,x86_64: Add rseq_offset_deref_addv()
    - selftests/rseq: remove ARRAY_SIZE define from individual tests
    - selftests/rseq: introduce own copy of rseq uapi header
    - selftests/rseq: Remove useless assignment to cpu variable
    - selftests/rseq: Remove volatile from __rseq_abi
    - selftests/rseq: Introduce rseq_get_abi() helper
    - selftests/rseq: Introduce thread pointer getters
    - selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35
    - selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian
    - selftests/rseq: Fix ppc32 missing instruction selection "u" and "x" for
      load/store
    - selftests/rseq: Fix ppc32 offsets by using long rather than off_t
    - selftests/rseq: Fix warnings about #if checks of undefined tokens
    - selftests/rseq: Remove arm/mips asm goto compiler work-around
    - selftests/rseq: Fix: work-around asm goto compiler bugs
    - selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread
      area
    - selftests/rseq: x86-32: use %gs segment selector for accessing rseq thread
      area
    - selftests/rseq: Change type of rseq_offset to ptrdiff_t
    - xen/blkfront: fix leaking data in shared pages
    - xen/netfront: fix leaking data in shared pages
    - xen/netfront: force data bouncing when backend is untrusted
    - xen/blkfront: force data bouncing when backend is untrusted
    - xen/arm: Fix race in RB-tree based P2M accounting
    - net: usb: qmi_wwan: add Telit 0x1060 composition
    - net: usb: qmi_wwan: add Telit 0x1070 composition
    - clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from
      ixp4xx_timer_setup()
    - Linux 5.4.204

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 20 Sep 2022 11:19:18 +0200

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2022-10-10

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released

bugproxy (bugproxy) on 2022-10-10

tags:

added: targetmilestone-inin2004
removed: targetmilestone-inin---

Revision history for this message

bugproxy (bugproxy) wrote on 2022-11-14:

#16

------- Comment From <email address hidden> 2022-11-14 10:41 EDT-------
*** Bug 200496 has been marked as a duplicate of this bug. ***

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-12-15:

#17

This bug is awaiting verification that the linux-xilinx-zynqmp/5.4.0-1020.24 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-xilinx-zynqmp verification-needed-focal

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-12-15:

#18

This bug was not opened against linux-xilinx-zynqmp.
So I'm updating the verification tag just to unblock the further process.

tags:

added: verification-done-focal
removed: verification-needed-focal

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Backport of upstream commit to 5.4.0-124.140 Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

[UBUNTU 20.04] mlx5 driver crashes on accessing device attributes during recovery

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package