Ubuntu
linux package

[Ubuntu] qdio: reset old sbal_state flags

  1. Bionic (18.04)
  2. Bug #1801686
Bug #1801686 reported by bugproxy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Canonical Kernel Team
linux (Ubuntu)
Fix Released
Undecided
Canonical Kernel
Xenial
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned
Disco
Fix Released
Undecided
Canonical Kernel

Bug Description

== SRU Justification ==

Description: qdio: reset old sbal_state flags

Symptom:
   af_iucv socket using HiperSockets may stall.
Problem:
   When allocating a new AOB fails, handle_outbound() is
still capable of transmitting the selected buffer
(just without async completion).
But if a previous transfer on this queue slot used
async completion, its sbal_state flags field is still set
to QDIO_OUTBUF_STATE_FLAG_PENDING.
So when the upper layer driver sees this stale flag, it
expects an async completion that never happens.
Solution:
   Unconditionally clear the buffer's flags field.

== Fix ==

64e03ff72623b8c2ea89ca3cb660094e019ed4ae ("s390/qdio: reset old sbal_state flags")

== Regression Potential ==

Low, because:
- s390x only
- further limited to qeth driver (OSA Express networking)
- changes are limited to two files and 6 lines
   - arch/s390/include/asm/qdio.h b/arch/s390/include/asm/qdio.h
   - drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
- error was identified at IBM/customer, fix was created there and tested upfront
- (changes are upstream in 4.20 (according to bug description,
   but in 4.19 according to 'git tag'),
   hence will make it automatically into 'disco')

== Test Case ==

Test case / reproduction:
Error inject and then simulate out-of-memory situation.

__________

Description: qdio: reset old sbal_state flags

Symptom: af_iucv socket using HiperSockets may stall.

Problem: When allocating a new AOB fails, handle_outbound() is
              still capable of transmitting the selected buffer
              (just without async completion).
              But if a previous transfer on this queue slot used
              async completion, its sbal_state flags field is still set
              to QDIO_OUTBUF_STATE_FLAG_PENDING.
              So when the upper layer driver sees this stale flag, it
              expects an async completion that never happens.

Solution: Unconditionally clear the buffer's flags field.

Reproduction: Error inject, simulating out-of-memory.

kernel 4.20
Upstream-ID: 64e03ff72623b8c2ea89ca3cb660094e019ed4ae

Canonical , please provide this fix for all Releases in Service....
Ubuntu 18.10, 18.04 and 16.04

See original description

CVE References

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-172877 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Dimitri John Ledkov (xnox)
Changed in linux (Ubuntu Disco):
assignee: Skipper Bug Screeners (skipper-screen-team) → Canonical Kernel (canonical-kernel)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Frank Heimes (fheimes)
description: updated
description: updated
Revision history for this message
Frank Heimes (fheimes) wrote :

SRU submitted:

[SRU][Cosmic][Bionic][Xenial][PATCH 0/1] Fixes for LP1801686 [v2]
https://lists.ubuntu.com/archives/kernel-team/2018-November/096507.html

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
importance: Undecided → High
status: New → Triaged
Revision history for this message
Khaled El Mously (kmously) wrote :

This patch already exists in Xenial as 75443f02ecfdd7c8e998063f9371f046126a21d5 which was part
of the update to 4.4.154
This patch already exists in Cosmic as 0f4772f38723c41bf79c8ca1f58a00723e900749 which was part
of the update to 4.18.6

Marking both those releases as "Fixed release"

Changed in linux (Ubuntu Bionic):
status: New → Fix Committed
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux (Ubuntu Cosmic):
status: New → Fix Committed
Revision history for this message
Khaled El Mously (kmously) wrote :

*Correction, I meant "Fix committed"

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
Revision history for this message
Stefan Bader (smb) wrote :

Already in Ubuntu-4.18.0-8.9.

Changed in linux (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Disco):
status: New → Fix Released
Revision history for this message
Stefan Bader (smb) wrote :

Already included in Ubuntu-4.4.0-138.164 in updates/security.

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2018-11-22 03:57 EDT-------
Fix verified upfront on upstream by IBM

Revision history for this message
Frank Heimes (fheimes) wrote :

Adjusting tags according to comment #9.

tags: added: verification-done-bionic
removed: verification-needed-bionic
bugproxy (bugproxy)
tags: added: targetmilestone-inin1810
removed: targetmilestone-inin---
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.1 KiB)

This bug was fixed in the package linux - 4.15.0-42.45

---------------
linux (4.15.0-42.45) bionic; urgency=medium

  * linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - KVM: s390: reset crypto attributes for all vcpus
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - s390/zcrypt: remove VLA usage from the AP bus
    - s390/zcrypt: Remove deprecated ioctls.
    - s390/zcrypt: Remove deprecated zcrypt proc interface.
    - s390/zcrypt: Support up to 256 crypto adapters.
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

 -- Thadeu Lima de Souza Cascardo <email address hidden> Thu, 15 Nov 2018 17:01:46 ...

Read more...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-12-03 11:01 EDT-------
IBM Bugzilla status -> closed, Fix Released with Xenial, Bionic, Cosmic and Disco

Brad Figg (brad-figg)
tags: added: cscc
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.