Linux: insufficient shootdown for paging-structure caches
Bug #1798897 reported by Tyler Hicks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Unassigned |
Bionic | Fix Released | High | Tyler Hicks |
Cosmic | Fix Released | High | Unassigned |
Disco | Fix Released | High | Unassigned |
Bug Description
https:/
[Impact]
Paging structure caches are not always flushed as part of a TLB shootdown operation on x86.
[Test Case]
Ideally, we'd be able to use the test case described in the Project Zero bug report. However, it depends on certain processor features as well as custom kernel changes to make the proof-of-concept more likely to be successful.
Instead, I think we're limited to simple boot testing and then will need to rely on our regular SRU testing.
[Regression Potential]
Considerable, since the changes are in mm/, but these three patches have been released in the upstream linux-stable trees for a while now.
CVE References
description: updated
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: cscc
This issue is already fixed in the Cosmic kernel (which means that "D" is also fixed). The Bionic kernel needs these patches:
db7ddef301128dad394f1c0f77027f86ee9a4edb ("mm: move tlb_table_flush to tlb_flush_mmu_free")
a6f572084fbee8b30f91465f4a085d7a90901c57 ("mm/tlb: Remove tlb_remove_table() non-concurrent condition")
d86564a2f085b79ec046a5cba90188e612352806 ("mm/tlb, x86/mm: Support invalidating TLB caches for RCU_TABLE_FREE")
Older releases are not affected.
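Since the test plan above is limited to boot testing, one way to confirm that a kernel tree actually carries the three fixes listed in the comment is to look for them in its history. The following is an added example, not part of the bug report or of any kernel tooling: the function name, the `git log` format string and the sample log (with made-up backport ids) are assumptions made for illustration.

```python
import re

# Upstream fixes named in the comment above: (upstream commit id, subject).
REQUIRED = [
    ("db7ddef301128dad394f1c0f77027f86ee9a4edb",
     "mm: move tlb_table_flush to tlb_flush_mmu_free"),
    ("a6f572084fbee8b30f91465f4a085d7a90901c57",
     "mm/tlb: Remove tlb_remove_table() non-concurrent condition"),
    ("d86564a2f085b79ec046a5cba90188e612352806",
     "mm/tlb, x86/mm: Support invalidating TLB caches for RCU_TABLE_FREE"),
]

# A backport gets a new commit id, so match on the subject line or on an
# upstream reference in the body, e.g. "commit <id> upstream." or
# "(cherry picked from commit <id>)".
UPSTREAM_REF = re.compile(r"\bcommit ([0-9a-f]{12,40})\b")

# Constructed sample: two of the three fixes, under made-up backport ids.
SAMPLE_LOG = (
    "\x1e" + "1" * 40 + "\nmm: move tlb_table_flush to tlb_flush_mmu_free\n"
    "commit db7ddef301128dad394f1c0f77027f86ee9a4edb upstream.\n"
    "\x1e" + "2" * 40 + "\nmm/tlb: drop non-concurrent check (retitled)\n"
    "(cherry picked from commit a6f572084fbee8b30f91465f4a085d7a90901c57)\n"
)

def missing_backports(log_text):
    """Return the subjects of required fixes not found in `git log` output.

    Expects: git log --format='%x1e%H%n%s%n%b' -- mm arch/x86
    (each record starts with the ASCII record separator, 0x1e).
    """
    subjects, refs = set(), set()
    for record in log_text.split("\x1e"):
        lines = record.strip().splitlines()
        if len(lines) < 2:
            continue  # empty chunk or malformed record
        subjects.add(lines[1].strip())
        # The commit's own id plus any upstream id quoted in its body.
        ids = [lines[0].strip()] + UPSTREAM_REF.findall("\n".join(lines[2:]))
        refs.update(i for i in ids if len(i) >= 12)
    missing = []
    for sha, subject in REQUIRED:
        by_ref = any(sha.startswith(r) for r in refs)
        if not (by_ref or subject in subjects):
            missing.append(subject)
    return missing

if __name__ == "__main__":
    print(missing_backports(SAMPLE_LOG))
```

An empty result means every fix was found by subject or by upstream id; it says nothing about whether the backport was applied correctly.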