Potential memory corruption with capi adapters

Bug #1681469 reported by bugproxy
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Committed | Undecided | Unassigned | |
| Yakkety | Fix Released | Undecided | Unassigned | |
| Zesty | Fix Committed | Undecided | Unassigned | |
| Artful | Fix Released | Undecided | Unassigned | |

Bug Description

== Comment: #0 - Frederic Barrat <email address hidden> - 2017-04-10 04:44:01 ==

---Problem Description---
Memory corruption can be seen when using a capi adapter. It can happen if the host process allocates/frees/reallocates memory areas used by the capi adapter.
Some TLB invalidations may not be propagated to the capi adapter, causing the corruption.

Contact Information = <email address hidden>

---uname output---
Linux garri 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:05:15 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux

---Additional Hardware Info---
capi card needed, with the AFU image used by libdonut development

Machine Type = Tuleta

---Debugger---
A debugger is not configured

---Steps to Reproduce---
 Run libdonut in a loop, until corruption is seen. Host process will dump core

Stack trace output:
 no

Oops output:
 no

System Dump Info:
  The system is not configured to capture a system dump.

*Additional Instructions for <email address hidden>:
-Attach sysctl -a output to the bug.

== Comment: #1 - Frederic Barrat <email address hidden> - 2017-04-10 04:45:19 ==
Fix is already upstream:

commit 88b1bf7268f56887ca88eb09c6fb0f4fc970121a
Author: Frederic Barrat <email address hidden>
Date: Wed Mar 29 19:19:42 2017 +0200

    powerpc/mm: Add missing global TLB invalidate if cxl is active

Could it be backported to the 16.04 LTS release, as well as 17.04? Thanks

bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-153279 severity-high targetmilestone-inin16045
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → linux (Ubuntu)
bugproxy (bugproxy)
tags: added: severity-critical
removed: severity-high
Michael Hohnbaum (hohnbaum) wrote : Re: [Bug 1681469] [NEW] Potential memory corruption with capi adapters

Leann,

Critical bug to add to the Kernel Team's queue.

                   Michael

On 04/10/2017 07:49 AM, Launchpad Bug Tracker wrote:
> bugproxy (bugproxy) has assigned this bug to you for Ubuntu:
>
> == Comment: #0 - Frederic Barrat <email address hidden> -
> 2017-04-10 04:44:01 ==
>
> ---Problem Description---
> Memory corruption can be seen when using a capi adapter. It can happen if the host process allocates/frees/reallocates memory areas used by the capi adapter.
> Some TLB invalidations may not be propagated to the capi adapter, causing the corruption.
>
> Contact Information = <email address hidden>
>
> ---uname output---
> Linux garri 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:05:15 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux
>
> ---Additional Hardware Info---
> capi card needed, with the AFU image used by libdonut development
>
>
> Machine Type = Tuleta
>
> ---Debugger---
> A debugger is not configured
>
> ---Steps to Reproduce---
> Run libdonut in a loop, until corruption is seen. Host process will dump core
>
>
> Stack trace output:
> no
>
> Oops output:
> no
>
> System Dump Info:
> The system is not configured to capture a system dump.
>
> *Additional Instructions for <email address hidden>:
> -Attach sysctl -a output to the bug.
>
> == Comment: #1 - Frederic Barrat <email address hidden> - 2017-04-10 04:45:19 ==
> Fix is already upstream:
>
> commit 88b1bf7268f56887ca88eb09c6fb0f4fc970121a
> Author: Frederic Barrat <email address hidden>
> Date: Wed Mar 29 19:19:42 2017 +0200
>
> powerpc/mm: Add missing global TLB invalidate if cxl is active
>
>
> Could it be backported to the 16.04 LTS release, as well as 17.04?
> Thanks
>
> ** Affects: ubuntu
> Importance: Undecided
> Assignee: Taco Screen team (taco-screen-team)
> Status: New
>
>
> ** Tags: architecture-ppc64le bugnameltc-153279 severity-high targetmilestone-inin16045

--
Michael Hohnbaum
OIL Program Manager
Power (ppc64el) Development Project Manager
Canonical, Ltd.

Tim Gardner (timg-tpi) wrote :
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Zesty):
assignee: Taco Screen team (taco-screen-team) → Tim Gardner (timg-tpi)
status: New → In Progress
Stefan Bader (smb) wrote :

Actually 4.4.60 upstream included this for Xenial.

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Seth Forshee (sforshee)
Changed in linux (Ubuntu Zesty):
status: In Progress → Fix Committed
Kleber Sacilotto de Souza (kleber-souza) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-yakkety
bugproxy (bugproxy)
tags: added: verification-done-yakkety
removed: verification-needed-yakkety
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-52.55

---------------
linux (4.8.0-52.55) yakkety; urgency=low

  * linux: 4.8.0-52.55 -proposed tracker (LP: #1686976)

  * CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec (LP: #1685892)
    - macsec: avoid heap overflow in skb_to_sgvec
    - macsec: dynamically allocate space for sglist

  * net/ipv4: original ingress device index set as the loopback interface.
    (LP: #1683982)
    - net: fix incorrect original ingress device index in PKTINFO

  * Touchpad not working correctly after kernel upgrade (LP: #1662589)
    - Input: ALPS - fix V8+ protocol handling (73 03 28)

  * ifup service of network device stay active after driver stop (LP: #1672144)
    - net: use net->count to check whether a netns is alive or not

  * [Hyper-V] mkfs regression in kernel 4.4+ (LP: #1682215)
    - block: relax check on sg gap

  * Potential memory corruption with capi adapters (LP: #1681469)
    - powerpc/mm: Add missing global TLB invalidate if cxl is active

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

 -- Stefan Bader <email address hidden> Fri, 28 Apr 2017 12:17:12 +0200

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Brad Figg (brad-figg)
tags: added: cscc
Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu):
assignee: Tim Gardner (timg-tpi) → nobody
Changed in linux (Ubuntu Xenial):
assignee: Tim Gardner (timg-tpi) → nobody
Changed in linux (Ubuntu Yakkety):
assignee: Tim Gardner (timg-tpi) → nobody
Changed in linux (Ubuntu Zesty):
assignee: Tim Gardner (timg-tpi) → nobody
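
A way to check whether a given kernel package already carries this fix, using the changelog entry quoted above. This is an added example, not part of the bug report or of Ubuntu's tooling; the function names are hypothetical, the sample changelog is constructed (abridged from the yakkety entry above plus one made-up older entry), and `sort -V` is assumed to be an adequate stand-in for dpkg's version ordering for these version strings.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Constructed sample: abridged from the yakkety changelog quoted in this report,
# plus one made-up older entry so there is something to compare against.
sample_changelog() {
cat <<'EOF'
linux (4.8.0-52.55) yakkety; urgency=low

  * linux: 4.8.0-52.55 -proposed tracker (LP: #1686976)

  * Potential memory corruption with capi adapters (LP: #1681469)
    - powerpc/mm: Add missing global TLB invalidate if cxl is active

linux (4.8.0-0.1) yakkety; urgency=low

  * Constructed placeholder entry (LP: #0000001)
EOF
}

# Print the oldest package version whose entry references LP bug $1.
# Reads a Debian-format changelog (newest entry first) on stdin and
# matches the "LP: #N" form used in the entry above.
fixed_in() {
  awk -v bug="$1" '
    /^[^ ]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver) }
    $0 ~ ("LP: #" bug "([^0-9]|$)") { fixed = ver }
    END { if (fixed == "") exit 1; print fixed }'
}

# True if version $1 sorts at or after $2 (sort -V approximates dpkg ordering).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# has_fix <package-version> <bug> < changelog
# 0 = fix included, 1 = version predates the fix, 2 = bug not in changelog.
has_fix() {
  _fixed=$(fixed_in "$2") || return 2
  version_ge "$1" "$_fixed"
}

# Demo with constructed installed versions.
for v in 4.8.0-49.1 4.8.0-52.55; do
  if sample_changelog | has_fix "$v" 1681469; then
    echo "$v: includes fix for LP #1681469"
  else
    echo "$v: does not include the fix"
  fi
done
```

On a real system the changelog would come from the installed package, for example the output of `apt-get changelog` for the kernel image package, piped into `has_fix` in place of `sample_changelog`.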