Xenial update to 4.4.144 stable release

Bug #1791080 reported by Stefan Bader on 2018-09-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Stefan Bader

Bug Description

    SRU Justification

       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The 4.4.144 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.



       The following patches from the 4.4.144 stable release shall be applied:

Stefan Bader (smb) on 2018-09-06
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Xenial):
assignee: nobody → Stefan Bader (smb)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: New → Invalid
Stefan Bader (smb) wrote :

This upstream stable update contains the backport for CVE-2018-3639 (x86) aka Spectre v4/SSB.
* x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
  The upstream stable patch adds two previously unknown
  feature bits for word 18 which I added with a SAUCE
* x86/cpufeatures: Add Intel feature bits for Speculation
  -> skip, no change
* x86/cpufeatures: Add AMD feature bits for Speculation
  -> skip, no change
* x86/msr: Add definitions for new speculation control
  -> skip, no change
* x86/pti: Do not enable PTI on CPUs which are not
  vulnerable to Meltdown
  -> skip, no change
* x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early
  Spectre v2 microcodes
  -> skip, we have actually reverted this at some point
* x86/speculation: Add basic IBPB (Indirect Branch
  Prediction Barrier) support
  -> Picked in reduced form (only adding definition for
     indirect_branch_prediction_barrier()). Not sure this
     will be needed in the end.
* x86/cpufeatures: Clean up Spectre v2 related CPUID
  -> Mostly can be skipped. Only picking up a small change
     to indirect_branch_prediction_barrier() which is still
     not used.
  Not picking up the firmware blacklist code.
* x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature
  bits on Intel
  -> skipped, no change

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/speculation: Update Speculation Control microcode
  -> skip, we do not carry the blacklist
* x86/speculation: Correct Speculation Control
  microcode blacklist again
  -> skip, again firmware blacklist
* x86/speculation: Clean up various Spectre related
  -> pick, adjusted to match intended goals (low risk
     as this is only removing line breaks or updating
* x86/speculation: Add <asm/msr-index.h> dependency
  -> skip, no change
* x86/spectre_v2: Don't check microcode versions when
  running under hypervisors
  -> skip, we do not check for bad microcode versions
* x86/speculation: Use IBRS if available before calling
  into firmware
  -> pick, adapted to current environment. We already
     had alternative_msr_write() ported.

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/speculation: Remove Skylake C2 from Speculation
  Control microcode blacklist
  -> skip, ignore blacklist
* selftest/seccomp: Fix the flag name
  -> skip, no change
* x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when
  running under Xen
  -> pick, context
* x86/nospec: Simplify alternative_msr_write()
  -> skip, no change
* x86/bugs: Concentrate bug detection into a separate
  -> skip, no change
* x86/bugs: Concentrate bug reporting into a separate
  -> skip, no change (silly patches with near identical
     summary lines)
* x86/bugs: Read SPEC_CTRL MSR during boot and re-use
  reserved bits
  -> skip, but added SAUCE patch to adjust the following
     inline functions to their final upstream stable form
     (as in 4.4.154)
     - indirect_branch_prediction_barrier(),
     - firmware_restrict_branch_speculation_start(),
     - firmware_restrict_branch_speculation_end()
* x86/bugs, KVM: Support the combination of guest and
  host IBRS
  -> skip, no change
* x86/cpu: Rename Merrifield2 to Moorefield
  -> skip, no change
* x86/cpu/intel: Add Knights Mill to Intel family
  -> skip, no change
* x86/bugs: Expose /sys/../spec_store_bypass
  -> skip, add sauce (Initially dropped Knights Mill
     because it was undefined but later added definition
     but not updated the no ssb array).
* x86/cpufeatures: Add X86_FEATURE_RDS
  -> skip, no change

Stefan Bader (smb) wrote :

Continue Spectre v4 review:
* x86/bugs: Provide boot parameters for the
  spec_store_bypass_disable mitigation
  -> skip, no change
* x86/bugs/intel: Set proper CPU features and setup RDS
  -> skip, no change but note that we keep using
     ibrs_inuse() instead of the feature bit.
* x86/bugs: Whitelist allowed SPEC_CTRL MSR values
  -> skip, no change
* x86/bugs/AMD: Add support to disable RDS on Fam[15,
  16, 17]h if requested
  -> skip, no change
* x86/speculation: Create spec-ctrl.h to avoid include
  -> skip, no change
* prctl: Add speculation control prctls
  -> skip, no change
* x86/process: Optimize TIF checks in __switch_to_xtra()
  -> skip, no change
* x86/process: Correct and optimize TIF_BLOCKSTEP switch
  -> pick, no change
* x86/process: Optimize TIF_NOTSC switch
  -> pick, context
* x86/process: Allow runtime control of Speculative
  Store Bypass
  -> skip, no change
* x86/speculation: Add prctl for Speculative Store
  Bypass mitigation
  -> skip, no change
* nospec: Allow getting/setting on non-current task
  -> skip, no change
* proc: Provide details on speculation flaw mitigations
  -> skip, no change
* seccomp: Enable speculation flaw mitigations
  -> skip, no change
* prctl: Add force disable speculation
  -> skip, no change
  -> skip, no change
* seccomp: Add filter flag to opt-out of SSB mitigation
  -> skip, no change
* seccomp: Move speculation migitation control to arch
  -> skip, no change
* x86/speculation: Make "seccomp" the default mode for
  Speculative Store Bypass
  -> skip, no change
* x86/bugs: Rename _RDS to _SSBD
  -> skip, no change
* proc: Use underscores for SSBD in 'status'
  -> skip, no change
* Documentation/spec_ctrl: Do some minor cleanups
  -> skip, no change
* x86/bugs: Fix __ssb_select_mitigation() return type
  -> skip, no change
* x86/bugs: Make cpu_show_common() static
  -> skip, no change
* x86/bugs: Fix the parameters alignment and missing
  -> skip, no change
* x86/cpu: Make alternative_msr_write work for 32-bit
  -> skip, no change
* x86/speculation: Use synthetic bits for
  -> skip, no change
* x86/cpufeatures: Disentangle MSR_SPEC_CTRL
  enumeration from IBRS
  -> skip, no change
* x86/cpufeatures: Disentangle SSBD enumeration
  -> skip, no change
* x86/cpu/AMD: Fix erratum 1076 (CPB bit)
  -> pick and revert previous version
  The upstream commit does this by adding the
  Zen specific init function.
* x86/cpufeatures: Add FEATURE_ZEN
  -> pick, partial
  The bit is already defined in a previous patch.
  Likely needs proper revert sequence later.
* x86/speculation: Handle HT correctly on AMD
  -> skip, no change
* x86/bugs, KVM: Extend speculation control for
  -> skip, no change
* x86/speculation: Add virtualized speculative store
  bypass disable support
  -> skip, no change
* x86/speculation: Rework
  -> skip, no change
* x86/bugs: Unify x86_spec_ctrl_{set_guest,
  -> skip, no change
* Expose x86_spec_ctrl_base directly
  -> skip, no change
* x86/bugs: Remove x86_spec_ctrl_set()
  -> skip, no change
* x86/bugs: Rework spec_ctrl base and...


Stefan Bader (smb) wrote :

Remaining non Spectre v4 import:
* block: do not use interruptible wait anywhere
  -> pick, context

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-137.163

linux (4.4.0-137.163) xenial; urgency=medium

  * CVE-2018-14633
    - iscsi target: Use hex2bin instead of a re-implementation

  * CVE-2018-17182
    - mm: get rid of vmacache_flush_all() entirely

linux (4.4.0-136.162) xenial; urgency=medium

  * linux: 4.4.0-136.162 -proposed tracker (LP: #1791745)

  * CVE-2017-5753
    - bpf: properly enforce index mask to prevent out-of-bounds speculation
    - Revert "UBUNTU: SAUCE: bpf: Use barrier_nospec() instead of osb()"
    - Revert "bpf: prevent speculative execution in eBPF interpreter"

  * L1TF mitigation not effective in some CPU and RAM combinations
    (LP: #1788563) // CVE-2018-3620 // CVE-2018-3646
    - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
    - x86/speculation/l1tf: Fix off-by-one error when warning that system has too
      much RAM
    - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+

  * CVE-2018-15594
    - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests

  * Xenial update to 4.4.144 stable release (LP: #1791080)
    - KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in
    - x86/MCE: Remove min interval polling limitation
    - fat: fix memory allocation failure handling of match_strdup()
    - ALSA: rawmidi: Change resized buffers atomically
    - ARC: mm: allow mprotect to make stack mappings executable
    - mm: memcg: fix use after free in mem_cgroup_iter()
    - ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
    - ipv6: fix useless rol32 call on hash
    - lib/rhashtable: consider param->min_size when setting initial table size
    - net/ipv4: Set oif in fib_compute_spec_dst
    - net: phy: fix flag masking in __set_phy_supported
    - ptp: fix missing break in switch
    - tg3: Add higher cpu clock for 5762.
    - net: Don't copy pfmemalloc flag in __copy_skb_header()
    - skbuff: Unconditionally copy pfmemalloc in __skb_clone()
    - xhci: Fix perceived dead host due to runtime suspend race with event handler
    - x86/paravirt: Make native_save_fl() extern inline
    - SAUCE: Add missing CPUID_7_EDX defines
    - SAUCE: x86/speculation: Expose indirect_branch_prediction_barrier()
    - x86/pti: Mark constant arrays as __initconst
    - x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs
    - x86/entry/64/compat: Clear registers for compat syscalls, to reduce
      speculation attack surface
    - x86/speculation: Clean up various Spectre related details
    - x86/speculation: Fix up array_index_nospec_mask() asm constraint
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - x86/mm: Factor out LDT init from context init
    - x86/mm: Give each mm TLB flush generation a unique ID
    - SAUCE: x86/speculation: Use Indirect Branch Prediction Barrier in context
    - x86/speculation: Use IBRS if available before calling into firmware
    - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
    - selftest/seccomp: Fix the seccomp(2) signature
    - xen: set cpu capabilities from xen_start_kernel()
    - x86/amd: d...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released