cifs set_oplock buffer overflow in strcat

Bug #1824981 reported by Christoph Probst
Affects         Status        Importance  Assigned to            Milestone
linux (Ubuntu)  Fix Released  High        Christoph Probst
Bionic          Fix Released  High        Guilherme G. Piccoli
Cosmic          Won't Fix     High        Guilherme G. Piccoli
Disco           Fix Released  High        Guilherme G. Piccoli
Eoan            Fix Released  High        Christoph Probst

Bug Description

[Impact]

* We got reports of a kernel crash in cifs module with the following signature:

detected buffer overflow in strcat
kernel BUG at <...>/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x1f
Call Trace:
 smb21_set_oplock_level+0xde/0x190 [cifs]
 smb3_set_oplock_level+0x22/0x90 [cifs]
 smb2_set_fid+0x76/0xb0 [cifs]
 cifs_new_fileinfo+0x268/0x3c0 [cifs]
 ? smb2_get_lease_key+0x40/0x40 [cifs]
 ? cifs_new_fileinfo+0x268/0x3c0 [cifs]
 cifs_open+0x57c/0x8d0 [cifs]
 do_dentry_open+0x1fe/0x320
[...]

* By analyzing the code of smb21_set_oplock_level(), we've noticed that the only way the fortified strcat() could overflow was if the value of cinode->oplock got corrupted in another thread, leading to a buffer write bigger than the buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread cleaning the oplock value would lead to a 'message' overflow.

* At the same time we worked on this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into the Bionic kernel - it's already present in linux stable branches.
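To make the mechanism in the analysis above concrete, here is an added C model (not the kernel's code and not the upstream patch verbatim) of the racy function beside a version shaped like the fix; the flag names and values, the 'race' hook and the bounds-checking strcat stand-in are assumptions made for this illustration.

```c
/* Added model of the smb21_set_oplock_level() race described above.
 * Not the kernel's code: names, flag values and the 'race' hook are
 * simplifying assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define LEASE_READ    0x01  /* lease bits in the server reply (constructed) */
#define LEASE_HANDLE  0x02
#define LEASE_WRITE   0x04
#define CACHE_READ    0x01  /* cached-state flags kept in the inode (constructed) */
#define CACHE_HANDLE  0x02
#define CACHE_WRITE   0x04

struct model_inode {
	unsigned int oplock;  /* shared field; the oplock-break path also clears it */
};

/* Stand-in for the fortified strcat(): instead of fortify_panic() it
 * reports the overflow and leaves the destination untouched. */
static bool checked_strcat(char *dst, size_t dst_size, const char *src)
{
	if (strlen(dst) + strlen(src) + 1 > dst_size)
		return false;  /* the kernel crashed here */
	strcat(dst, src);
	return true;
}

/* Racy form: accumulates into the shared field and decides the "None"
 * case by re-reading it. If another thread clears cinode->oplock in
 * between (modelled by 'race'), "None" is appended after "RHW":
 * 8 bytes into a 5-byte buffer. Returns false when that is detected. */
static bool set_oplock_racy(struct model_inode *cinode, unsigned int lease,
			    void (*race)(struct model_inode *), char *out)
{
	char message[5] = {0};
	bool ok = true;

	if (lease & LEASE_READ) {
		cinode->oplock |= CACHE_READ;
		ok = ok && checked_strcat(message, sizeof(message), "R");
	}
	if (lease & LEASE_HANDLE) {
		cinode->oplock |= CACHE_HANDLE;
		ok = ok && checked_strcat(message, sizeof(message), "H");
	}
	if (lease & LEASE_WRITE) {
		cinode->oplock |= CACHE_WRITE;
		ok = ok && checked_strcat(message, sizeof(message), "W");
	}
	if (race)
		race(cinode);  /* the concurrent clear lands here */
	if (!cinode->oplock)
		ok = ok && checked_strcat(message, sizeof(message), "None");
	strcpy(out, message);
	return ok;
}

/* Fixed form, in the shape of the upstream fix: build the new value in a
 * local so the "None" decision cannot be changed by another thread, bound
 * the "None" copy, and store to the shared field once at the end. */
static bool set_oplock_fixed(struct model_inode *cinode, unsigned int lease,
			     void (*race)(struct model_inode *), char *out)
{
	char message[5] = {0};
	unsigned int new_oplock = 0;
	bool ok = true;

	if (lease & LEASE_READ) {
		new_oplock |= CACHE_READ;
		ok = ok && checked_strcat(message, sizeof(message), "R");
	}
	if (lease & LEASE_HANDLE) {
		new_oplock |= CACHE_HANDLE;
		ok = ok && checked_strcat(message, sizeof(message), "H");
	}
	if (lease & LEASE_WRITE) {
		new_oplock |= CACHE_WRITE;
		ok = ok && checked_strcat(message, sizeof(message), "W");
	}
	if (race)
		race(cinode);  /* no longer influences 'message' */
	if (!new_oplock) {
		strncpy(message, "None", sizeof(message) - 1);
		message[sizeof(message) - 1] = '\0';
	}
	cinode->oplock = new_oplock;  /* one store; raciness reduced, not removed */
	strcpy(out, message);
	return ok;
}

/* Models the other thread (e.g. an oplock break) clearing the cached state. */
static void clear_oplock(struct model_inode *cinode)
{
	cinode->oplock = 0;
}
```

Calling set_oplock_racy() with a full lease and clear_oplock as the race hook reproduces the "RHW" + "None" overflow; the fixed form returns "RHW" regardless of the hook.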

[Test case]

* Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.

* Using xfstests with the exclusions proposed in the link above we managed to get the same results as on a non-patched kernel, i.e., the same tests failed in both kernels; we didn't get worse results with the patch. Fio also didn't show a noticeable performance regression with the patch.

[Regression potential]

* The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential.

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1824981

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: bionic
Christoph Probst (christophprobst) wrote : Re: cifs related buffer overflow in strcat

System is firewalled so apport-collect wouldn't work. Relevant details should already be included in the bug report.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
summary: - cifs related buffer overflow in strcat
+ cifs set_oplock overflow in strcat
summary: - cifs set_oplock overflow in strcat
+ cifs set_oplock buffer overflow in strcat
You-Sheng Yang (vicamo) wrote :

Seems there is already a discussion thread on Linux-CIFS: https://lore.kernel.org<email address hidden>/T/

Christoph Probst (christophprobst) wrote :

I tried Ubuntu kernel "4.18.0-17-generic #18~18.04.1-Ubuntu". Crashed the same way on high load as the 4.15.0-47 does.

Now testing 4.15.0-48 from Kai-Heng.

Still haven't found the trigger for that bug. Seems to be load related - we're having five servers each running many threads reading/writing gigabytes of data to the share. There might be even 100+ processes trying to set a lock on the same file at the same time. Seems to get better if we reduce the number of parallel threads.

Christoph Probst (christophprobst) wrote :

Here are some details from /proc on what is happening on our servers. Both are running 4.15.0-47-generic.

server13 / uptime 2 days
# cat /proc/fs/cifs/Stats
Resources in use
CIFS Session: 1
Share (unique mount targets): 2
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0

7 session 14 share reconnects
Total vfs operations: 7223031 maximum at one time: 102

1) \\server\share
SMBs: 13497286
Negotiates: 0 sent 0 failed
SessionSetups: 0 sent 0 failed
Logoffs: 0 sent 0 failed
TreeConnects: 502 sent 0 failed
TreeDisconnects: 0 sent 0 failed
Creates: 0 sent 466291 failed
Closes: 0 sent 2 failed
Flushes: 0 sent 0 failed
Reads: 0 sent 19 failed
Writes: 0 sent 0 failed
Locks: 0 sent 0 failed
IOCTLs: 0 sent 0 failed
Cancels: 0 sent 0 failed
Echos: 0 sent 0 failed
QueryDirectories: 0 sent 14011 failed
ChangeNotifies: 0 sent 0 failed
QueryInfos: 0 sent 0 failed
SetInfos: 0 sent 0 failed
OplockBreaks: 0 sent 16 failed

server15 / uptime 5 days
# cat /proc/fs/cifs/Stats
Resources in use
CIFS Session: 1
Share (unique mount targets): 2
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0

1 session 2 share reconnects
Total vfs operations: 118861442 maximum at one time: 52

1) \\server\share
SMBs: 122017565
Negotiates: 0 sent 0 failed
SessionSetups: 0 sent 0 failed
Logoffs: 0 sent 0 failed
TreeConnects: 19970 sent 0 failed
TreeDisconnects: 0 sent 0 failed
Creates: 0 sent 738187 failed
Closes: 0 sent 0 failed
Flushes: 0 sent 0 failed
Reads: 0 sent 41 failed
Writes: 0 sent 0 failed
Locks: 0 sent 0 failed
IOCTLs: 0 sent 0 failed
Cancels: 0 sent 0 failed
Echos: 0 sent 0 failed
QueryDirectories: 0 sent 9776 failed
ChangeNotifies: 0 sent 0 failed
QueryInfos: 0 sent 0 failed
SetInfos: 0 sent 0 failed
OplockBreaks: 0 sent 3301 failed

Christoph Probst (christophprobst) wrote :

New variant of kernel bug appeared in both 4.18.0-17 (package manager) and in 4.15.0-48 (provided by @kaihengfeng). System didn't crash (compared to "buffer overflow in strcat" where cifs can't recover). Have seen this one twice, both within 3-7 hours after reboot.

Apr 22 17:28:23 Linux version 4.15.0-48-generic (root@bionic) (gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)) #51~lp1824981 SMP Thu Apr 18 17:30:16 UTC 2019 (Ubuntu 4.15. .18)
[...]
Apr 22 23:40:47 BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Apr 22 23:40:47 IP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47 PGD 0 P4D 0
Apr 22 23:40:47 Oops: 0000 [#1] SMP PTI
Apr 22 23:40:47 Modules linked in: [...]
Apr 22 23:40:47 CPU: 78 PID: 44260 Comm: kworker/78:1 Not tainted 4.15.0-48-generic #51~lp1824981
Apr 22 23:40:47 Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 1.3.7 02/08/2018
Apr 22 23:40:47 Workqueue: cifsoplockd cifs_oplock_break [cifs]
Apr 22 23:40:47 RIP: 0010:smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47 Call Trace:
Apr 22 23:40:47 cifs_oplock_break+0x125/0x3f0 [cifs]
Apr 22 23:40:47 process_one_work+0x1de/0x410
Apr 22 23:40:47 worker_thread+0x32/0x410
Apr 22 23:40:47 kthread+0x121/0x140
Apr 22 23:40:47 ? process_one_work+0x410/0x410
Apr 22 23:40:47 ? kthread_create_worker_on_cpu+0x70/0x70
Apr 22 23:40:47 ret_from_fork+0x35/0x40
Apr 22 23:40:47 Code: [...]
Apr 22 23:40:47 RIP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs] RSP: ffffa779e81f7de0
Apr 22 23:40:47 CR2: 0000000000000038
Apr 22 23:40:47 ---[ end trace f5366d81972abce8 ]---
[full details see kernel.log attached]

# cat /proc/fs/cifs/Stats
Resources in use
CIFS Session: 1
Share (unique mount targets): 2
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0

0 session 0 share reconnects
Total vfs operations: 13063177 maximum at one time: 38

1) \\server\share
SMBs: 25616550
Negotiates: 0 sent 0 failed
SessionSetups: 0 sent 0 failed
Logoffs: 0 sent 0 failed
TreeConnects: 9916 sent 0 failed
TreeDisconnects: 0 sent 0 failed
Creates: 0 sent 151514 ...


Kai-Heng Feng (kaihengfeng) wrote :

Does this also happen on 4.18.0-17?
Apr 22 23:40:47 BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Apr 22 23:40:47 IP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs]

Christoph Probst (christophprobst) wrote :

Yes, it happened once with 4.18.0-17 (see kernel.log below) and once with 4.15.0-48. Haven't seen this one on 4.15.0-46-generic or 4.15.0-47-generic before.

Apr 17 18:51:53 Linux version 4.18.0-17-generic (buildd@lgw01-amd64-021) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 (Ubuntu 4.18.0-17.18~18.04.1-generic 4.18.20)
Apr 17 18:51:53 Command line: BOOT_IMAGE=/boot/vmlinuz-4.18.0-17-generic root=UUID=7d58d6b0-bdf2-4a7b-bfde-d28a5ea498f6 ro
[...]
Apr 17 21:01:31 CIFS VFS: error -95 on ioctl to get interface list
[...]
Apr 17 21:43:48 perf: interrupt took too long (6290 > 6260), lowering kernel.perf_event_max_sample_rate to 31750
Apr 17 21:57:28 BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Apr 17 21:57:28 PGD 0 P4D 0
Apr 17 21:57:28 Oops: 0000 [#1] SMP PTI
Apr 17 21:57:28 CPU: 13 PID: 21224 Comm: kworker/13:2 Not tainted 4.18.0-17-generic #18~18.04.1-Ubuntu
Apr 17 21:57:28 Hardware name: Dell Inc. PowerEdge R900/0X947H, BIOS 1.2.0 11/11/2010
Apr 17 21:57:28 Workqueue: cifsoplockd cifs_oplock_break [cifs]
Apr 17 21:57:28 RIP: 0010:smb2_push_mandatory_locks+0xd5/0x5d0 [cifs]
Apr 17 21:57:28 Code: b0 49 39 c6 0f 84 2d 01 00 00 c7 45 c4 00 00 00 00 [...]
Apr 17 21:57:28 Call Trace:
Apr 17 21:57:28 ? cifs_revalidate_mapping+0x45/0x90 [cifs]
Apr 17 21:57:28 cifs_oplock_break+0x124/0x410 [cifs]
Apr 17 21:57:28 process_one_work+0x1fd/0x3f0
Apr 17 21:57:28 worker_thread+0x34/0x410
Apr 17 21:57:28 kthread+0x121/0x140
Apr 17 21:57:28 ? process_one_work+0x3f0/0x3f0
Apr 17 21:57:28 ? kthread_create_worker_on_cpu+0x70/0x70
Apr 17 21:57:28 ret_from_fork+0x35/0x40
Apr 17 21:57:28 CR2: 0000000000000038
Apr 17 21:57:28 ---[ end trace 6742ba53428dc499 ]---
Apr 17 21:57:28 RIP: 0010:smb2_push_mandatory_locks+0xd5/0x5d0 [cifs]
Ap...


Christoph Probst (christophprobst) wrote :

The "NULL pointer dereference" bug creates state D processes waiting in call_rwsem_down_write_failed.

[ +0.000341] genesplicer D 0 53349 52579 0x80000000
[ +0.000362] Call Trace:
[ +0.000346] __schedule+0x291/0x8a0
[ +0.000348] ? mempool_free+0x2f/0x90
[ +0.000347] schedule+0x2c/0x80
[ +0.000356] rwsem_down_write_failed+0x169/0x360
[ +0.000344] ? is_size_safe_to_change+0x3c/0xd0 [cifs]
[ +0.000339] call_rwsem_down_write_failed+0x17/0x30
[ +0.000336] ? call_rwsem_down_write_failed+0x17/0x30
[ +0.000332] down_write+0x2d/0x40
[ +0.000331] cifs_new_fileinfo+0xc3/0x3a0 [cifs]
[ +0.000332] cifs_open+0x3db/0x8d0 [cifs]
[ +0.000329] do_dentry_open+0x1c2/0x310
[ +0.000360] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
[ +0.000340] ? do_dentry_open+0x1c2/0x310
[ +0.000337] ? __inode_permission+0x5b/0x160
[ +0.000342] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
[ +0.000353] vfs_open+0x4f/0x80
[ +0.000334] path_openat+0x66e/0x1770
[ +0.000335] do_filp_open+0x9b/0x110
[ +0.000331] ? __check_object_size+0xaf/0x1b0
[ +0.000332] do_sys_open+0x1bb/0x2c0
[ +0.000329] ? do_sys_open+0x1bb/0x2c0
[ +0.000327] SyS_openat+0x14/0x20
[ +0.000325] do_syscall_64+0x73/0x130
[ +0.000352] entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Christoph Probst (christophprobst) wrote :

Actually there is one waiting in state flush_work, one in call_rwsem_down_read_failed and 12 in call_rwsem_down_write_failed.

The "flush_work" task call trace:

 genesplicer D 0 53332 52566 0x00000000
 Call Trace:
  __schedule+0x291/0x8a0
  ? __switch_to_asm+0x40/0x70
  ? get_work_pool+0x40/0x40
  schedule+0x2c/0x80
  schedule_timeout+0x1cf/0x350
  ? sched_clock+0x9/0x10
  ? sched_clock+0x9/0x10
  ? sched_clock_cpu+0x11/0xb0
  ? get_work_pool+0x40/0x40
  wait_for_completion+0xba/0x140
  ? wake_up_q+0x80/0x80
  flush_work+0x126/0x1e0
  ? worker_detach_from_pool+0xa0/0xa0
  __cancel_work_timer+0x131/0x1b0
  cancel_work_sync+0x10/0x20
  cifsFileInfo_put+0x1ab/0x400 [cifs]
  cifs_close+0x1e/0x40 [cifs]
  ? cifs_close+0x1e/0x40 [cifs]
  __fput+0xea/0x220
  ____fput+0xe/0x10
  task_work_run+0x9d/0xc0
  exit_to_usermode_loop+0xc0/0xd0
  do_syscall_64+0x115/0x130
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Christoph Probst (christophprobst) wrote :

4.15.0-47-generic
kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
Crashes system (requires hard reboot or SysRQ+b)

4.18.0-17-generic
kernel BUG at /build/linux-hwe-4PejID/linux-hwe-4.18.0/lib/string.c:1052!
Crashes system (requires hard reboot or SysRQ+b)

4.15.0-48-generic #51~lp1824981
BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Crashes processes (State D) (solved by manual reboot)

4.15.0-48-generic #51-Ubuntu
BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Crashes processes (State D) (solved by manual reboot)

Initial issue seems to be solved by 4.15.0-48. Still having the NULL pointer dereference.

Christoph Probst (christophprobst) wrote :

Oh no. Had a strcat buffer overflow with 4.15.0-48-generic. Issue is NOT solved.

Apr 29 19:29:00 kernel: [78713.491646] detected buffer overflow in strcat
Apr 29 19:29:00 kernel: [78713.491685] ------------[ cut here ]------------
Apr 29 19:29:00 kernel: [78713.491686] kernel BUG at /build/linux-fkZVDM/linux-4.15.0/lib/string.c:1052!
Apr 29 19:29:00 kernel: [78713.491709] invalid opcode: 0000 [#1] SMP PTI
Apr 29 19:29:00 kernel: [78713.491975] CPU: 24 PID: 2242 Comm: perl Not tainted 4.15.0-48-generic #51-Ubuntu
Apr 29 19:29:00 kernel: [78713.491993] Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
Apr 29 19:29:00 kernel: [78713.492014] RIP: 0010:fortify_panic+0x13/0x22
Apr 29 19:29:00 kernel: [78713.492210] Call Trace:
Apr 29 19:29:00 kernel: [78713.492241] smb21_set_oplock_level+0x147/0x1a0 [cifs]
Apr 29 19:29:00 kernel: [78713.492265] smb3_set_oplock_level+...


Christoph Probst (christophprobst) wrote :

And now a crash with the special 4.15.0-48-generic #51~lp1824981 kernel. So the buffer overflow is NOT fixed with any 4.15 or 4.18 kernel currently available with Ubuntu.

We started some IO-intense tasks lately that didn't run the last 2 weeks. That seems to be the trigger for the buffer overflow bug.

We're considering switching to NFS or storing more data locally to work around that issue. Recommendations and alternatives welcome. I've seen that there are some cifs related patches for 5.1RC7 - are those gonna be backported to 4.x-generic?

Apr 30 00:57:23 kernel: [106134.709084] detected buffer overflow in strcat
Apr 30 00:57:23 kernel: [106134.709123] ------------[ cut here ]------------
Apr 30 00:57:23 kernel: [106134.709124] kernel BUG at /home/ubuntu/Sources/linux-lp1824981/lib/string.c:1052!
Apr 30 00:57:23 kernel: [106134.709149] invalid opcode: 0000 [#1] SMP PTI
Apr 30 00:57:23 kernel: [106134.709444] CPU: 36 PID: 23957 Comm: perl Tainted: G E 4.15.0-48-generic #51~lp1824981
Apr 30 00:57:23 kernel: [106134.709466] Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
Apr 30 00:57:23 kernel: [106134.709491] RIP: 0010:fortify_panic+0x13/0x22
Apr ...


Christoph Probst (christophprobst) wrote :

We installed the latest upstream kernel 5.1.0-050100rc7-generic (Ubuntu version from https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.1-rc7/) which still triggers a NULL pointer dereference from cifsoplockd.

I was hoping "CIFS: keep FileInfo handle live during oplock break"[1] might fix our issue, but it didn't.

[1] https://git.samba.org/?p=sfrench/cifs-2.6.git;a=commit;h=b98749cac4a695f084a5ff076f4510b23e353ecd

May 1 14:50:47 kernel: [ 4248.964694] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
May 1 14:50:47 kernel: [ 4248.964758] #PF error: [normal kernel read fault]
May 1 14:50:47 kernel: [ 4248.964792] PGD 0 P4D 0
May 1 14:50:47 kernel: [ 4248.964815] Oops: 0000 [#1] SMP PTI
May 1 14:50:47 kernel: [ 4248.964844] CPU: 29 PID: 3884 Comm: kworker/29:2 Not tainted 5.1.0-050100rc7-generic #201904282131
May 1 14:50:47 kernel: [ 4248.964902] Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 1.3.7 02/08/2018
May 1 14:50:47 kernel: [ 4248.964999] Workqueue: cifsoplockd cifs_oplock_break [cifs]
May 1 14:50:47 kernel: [ 4248.965081] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x580 [cifs]
May 1 14:50:47 kernel: [ 4248.965772] Call Trace:
May 1 14:50:47 kernel: [ 4248.965843] cifs_oplock_break+0x131/0x430 [cifs]
May 1 14:50:47 kernel: [ 4248.965883] process_one_work+0x20f/0x410
May 1 14:50:47 kernel: [ 4248.965915] worker_thread+0x34/0x400
May 1 14:50:47 kernel: [ 4248.965944] kthread+0x120/0x140
May 1 14:50:47 kernel: [ 4248.965970] ? process_one_work+0x410/0x410
May 1 14:50:47 kernel: [ 4248.966002] ? __kthread_parkme+0x70/0x70
May 1 14:50:47 kernel: [ 4248.966034] ret_from_fork+0x35/0x40


Christoph Probst (christophprobst) wrote :

There is now a kernel patch for cifs that is supposed to fix the buffer overflow in strcat.

Details see https://patchwork.kernel.org/patch/10931327/

An alternative workaround is to downgrade the connection to SMB2 (mount option vers=2.0) as the bug only affects SMB2.1 and SMB3 code.

Regarding the second issue (BUG: unable to handle kernel NULL pointer dereference at 0000000000000038) it is likely that it is triggered by a race condition as well, which isn't yet fixed.

Changed in linux (Ubuntu):
status: Confirmed → Fix Committed
Christoph Probst (christophprobst) wrote :

From: Steve French <email address hidden>
Date: Tue, 7 May 2019 11:13:34 -0500
merged into cifs-2.6.git for-next

Changed in linux (Ubuntu):
assignee: nobody → Christoph Probst (christophprobst)
status: Fix Committed → Fix Released
Kai-Heng Feng (kaihengfeng) wrote :

Sorry for not following up here, I've been quite busy recently.

So there are two bugs here - the first one, strcat overflow, is solved by my test kernel or by your patch.

Though I am not sure it's totally correct, I'll raise my concern on mailing list.

The second bug, null pointer dereference, requires more investigation.

Christoph Probst (christophprobst) wrote :

Yes, there are two issues that got mixed up in this single bug report.

1) strcat

Imho there are not many ways strcat could overflow in that single function. My patch (especially the strncpy()) should fix the buffer overflow and thereby my initial issue.

Your solution still had that strcat overflow (see #15).

2) null pointer dereference (and everything else)

Pavel already wrote "The patch itself is fine but I think we have a bigger problem here".

https://patchwork.kernel.org/patch/10931327/#22623923

Regarding your patch: You only used mutex_lock() in smb21_set_oplock_level(). What about other functions changing (or removing) that locked cinode? Does the kernel protect against this, or does mutex_lock() have to be used in any function operating on cinode?

tags: added: sts
Changed in linux (Ubuntu Eoan):
status: Fix Released → Fix Committed
Changed in linux (Ubuntu Disco):
status: New → In Progress
Changed in linux (Ubuntu Cosmic):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Guilherme G. Piccoli (gpiccoli)
Changed in linux (Ubuntu Cosmic):
assignee: nobody → Guilherme G. Piccoli (gpiccoli)
Changed in linux (Ubuntu Disco):
assignee: nobody → Guilherme G. Piccoli (gpiccoli)
Changed in linux (Ubuntu Eoan):
importance: Undecided → High
Changed in linux (Ubuntu Disco):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
importance: Undecided → High
Changed in linux (Ubuntu Cosmic):
importance: Undecided → High
Guilherme G. Piccoli (gpiccoli) wrote :

Hi Christoph, thank you very much for your work in this LP! Both the debug part and finally your patch. I was looking at the same set of issues in parallel, with another user who reported the same crashes.

So, regarding your question in comment #15 ("are those gonna be backported to 4.x-generic?"), I've just nominated this LP for all series with kernels 4.15+, given we had no reports for previous series. That said, we're going to backport your patch as soon as some more validation tests are finished. I'm planning to use this LP only for the strcat issue.

There's another LP for the smb2_push_mandatory_locks() crash: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1795659

I suggest you add yourself to that bug, so we can follow up the discussion there regarding this 2nd crash. There's a candidate patch for the smb2_push_mandatory_locks() issue, you already mentioned it here: b98749cac4a ("CIFS: keep FileInfo handle live during oplock break").

It's unfortunate that you said testing v5.1-rc7 didn't fix that crash - I've discussed this smb2_push_mandatory_locks() crash with Steve and Pavel (from Microsoft) in a private thread and they suggested exactly this patch to me in order to fix the issue.

Could you test the kernel https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.2-rc1/ (which includes your strcat patch) and see if it still reproduces the smb2_push_mandatory_locks() crash?
That would be really helpful for us. You can comment on the testing in the other LP (#1795659), if possible.

Cheers,

Guilherme

Changed in linux (Ubuntu Cosmic):
status: In Progress → Won't Fix
description: updated
description: updated
description: updated
Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Brad Figg (brad-figg)
tags: added: cscc
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Guilherme G. Piccoli (gpiccoli) wrote :

I've validated the -proposed kernel for Bionic (4.15.0-56) using the xfstests suite mentioned in the description - couldn't validate Disco yet due to its respin (we need to wait until 5.0.0-24 in order to validate in Disco). The same amount of tests failed in both cases, and no significant performance impact was noticed.

Cheers,

Guilherme

tags: added: verification-done-bionic
removed: verification-needed-bionic
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Christoph Probst (christophprobst) wrote :

Hi Guilherme,

I haven't been able to verify the patch as we modified our computing pipeline to remove load from the cifs share. I might be able to create a test setup but this will take some time.

Thank you for your support to get the patch into the Ubuntu kernels. I subscribed to #1795659 as you recommended.

Cheers,
Christoph

Guilherme G. Piccoli (gpiccoli) wrote :

You're very welcome Christoph, thanks for the patch!
I've verified that with Bionic, but I'm facing some unrelated issues with the Disco kernel (5.x).

Cheers,

Guilherme

Revision history for this message
Connor Kuehl (connork) wrote :

Hi Guilherme,

Apologies if I missed it, but could you elaborate on the issues you're experiencing with the Disco kernel that are preventing you from verifying this fix? I saw in an earlier comment you were waiting for 5.0.0-24 but that kernel should be available in -updates now.

Thanks,

Connor

granjerox (granjerox) wrote :

I've just faced this crash

Up to date

me@nuc:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

Aug 10 16:14:47 nuc kernel: [12755.073641] detected buffer overflow in strcat
Aug 10 16:14:47 nuc kernel: [12755.073660] ------------[ cut here ]------------
Aug 10 16:14:47 nuc kernel: [12755.073662] kernel BUG at /build/linux-hwe-zHO4ZF/linux-hwe-5.0.0/lib/string.c:1073!
Aug 10 16:14:47 nuc kernel: [12755.073669] invalid opcode: 0000 [#1] SMP PTI
Aug 10 16:14:47 nuc kernel: [12755.073673] CPU: 1 PID: 3135 Comm: deluged Not tainted 5.0.0-23-generic #24~18.04.1-Ubuntu
Aug 10 16:14:47 nuc kernel: [12755.073675] Hardware name: /D54250WYK, BIOS WYLPT10H.86A.0047.2018.0303.1725 03/03/2018
Aug 10 16:14:47 nuc kernel: [12755.073682] RIP: 0010:fortify_panic+0x13/0x22
Aug 10 16:14:47 nuc kernel: [12755.073685] Code: 4c 89 e2 e8 b1 98 00 00 42 c6 04 20 00 48 89 d8 5b 41 5c 5d c3 0f 0b 55 48 89 fe 48 c7 c7 20 38 fb 86 48 89 e5 e8 72 5c 6e ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 55 31 c9 48 89 fa 48
Aug 10 16:14:47 nuc kernel: [12755.073687] RSP: 0000:ffffb17381e779e0 EFLAGS: 00010282
Aug 10 16:14:47 nuc kernel: [12755.073690] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000
Aug 10 16:14:47 nuc kernel: [12755.073692] RDX: 0000000000000000 RSI: ffff973e5b896448 RDI: ffff973e5b896448
Aug 10 16:14:47 nuc kernel: [12755.073694] RBP: ffffb17381e779e0 R08: 000000000000033e R09: ffffffff8776f698
Aug 10 16:14:47 nuc kernel: [12755.073696] R10: ffffb17381e77a90 R11: ffffb17381e77850 R12: ffff973dd6d15db0
Aug 10 16:14:47 nuc kernel: [12755.073698] R13: 00000000d33f5410 R14: 0000000000000000 R15: ffff973dd0dac200
Aug 10 16:14:47 nuc kernel: [12755.073701] FS: 00007ff3b0fd1700(0000) GS:ffff973e5b880000(0000) knlGS:0000000000000000
Aug 10 16:14:47 nuc kernel: [12755.073703] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 10 16:14:47 nuc kernel: [12755.073705] CR2: 00007ff3ad44f000 CR3: 000000011abf0003 CR4: 00000000001606e0
Aug 10 16:14:47 nuc kernel: [12755.073707] Call Trace:
Aug 10 16:14:47 nuc kernel: [12755.073746] smb21_set_oplock_level+0x147/0x1a0 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073778] smb3_set_oplock_level+0x22/0x90 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073807] smb2_set_fid+0x76/0xb0 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073834] cifs_new_fileinfo+0x259/0x390 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073862] ? smb2_close_file+0x20/0x20 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073887] ? cifs_new_fileinfo+0x259/0x390 [cifs]

granjerox (granjerox) wrote :

My server was pretty unstable until I installed the latest mainline kernel 5.2.8-050208-generic and now it seems to work fine. The problems started when I changed from kernel linux-image-unsigned-4.18.12-041812-generic to linux-image-generic-hwe-18.04 (5.0.0.23.80).

Kleber Sacilotto de Souza (kleber-souza) wrote :

Hi @granjerox,

The fix for this bug is available in Bionic linux-hwe-18.04 version 5.0.0-25.26, which is currently in -proposed. This package is scheduled to be published in -updates soon (during the next few days). In the meantime, the fixed kernel can be installed by enabling the -proposed pocket, as described in comment #24.

granjerox (granjerox) wrote :

Thanks @Kleber. I've just done it. I'll report any issue.

Guilherme G. Piccoli (gpiccoli) wrote :

Hi @granjerox, thanks for your report! Let us know how the test with -proposed goes.
And thanks Kleber for the comment/advice here!

@connork, I've filed a new LP with the bug I've found, thanks for the attention: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1839849

Cheers,

Guilherme

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-25.26

---------------
linux (5.0.0-25.26) disco; urgency=medium

  * CVE-2019-1125
    - x86/cpufeatures: Carve out CQM features retrieval
    - x86/cpufeatures: Combine word 11 and 12 into a new scattered features word
    - x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
    - x86/speculation: Enable Spectre v1 swapgs mitigations
    - x86/entry/64: Use JMP instead of JMPQ
    - x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS

 -- Kleber Sacilotto de Souza <email address hidden> Thu, 01 Aug 2019 12:04:35 +0200

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
granjerox (granjerox) wrote :

So far so good. No crashes since the upgrade.

nuc:~$ uname -a
Linux nuc 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

nuc:~$ uptime
 11:40:24 up 22:12, 2 users, load average: 6,64, 6,65, 6,48
pagraher@nuc:~$

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-58.64

---------------
linux (4.15.0-58.64) bionic; urgency=medium

  * unable to handle kernel NULL pointer dereference at 000000000000002c (IP:
    iget5_locked+0x9e/0x1f0) (LP: #1838982)
    - Revert "ovl: set I_CREATING on inode being created"
    - Revert "new primitive: discard_new_inode()"

linux (4.15.0-57.63) bionic; urgency=medium

  * CVE-2019-1125
    - x86/cpufeatures: Carve out CQM features retrieval
    - x86/cpufeatures: Combine word 11 and 12 into a new scattered features word
    - x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
    - x86/speculation: Enable Spectre v1 swapgs mitigations
    - x86/entry/64: Use JMP instead of JMPQ
    - x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS

  * Packaging resync (LP: #1786013)
    - update dkms package versions

linux (4.15.0-56.62) bionic; urgency=medium

  * bionic/linux: 4.15.0-56.62 -proposed tracker (LP: #1837626)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] update helper scripts

  * CVE-2019-2101
    - media: uvcvideo: Fix 'type' check leading to overflow

  * hibmc-drm Causes Unreadable Display for Huawei amd64 Servers (LP: #1762940)
    - [Config] Set CONFIG_DRM_HISI_HIBMC to arm64 only
    - SAUCE: Make CONFIG_DRM_HISI_HIBMC depend on ARM64

  * Bionic: support for Solarflare X2542 network adapter (sfc driver)
    (LP: #1836635)
    - sfc: make mem_bar a function rather than a constant
    - sfc: support VI strides other than 8k
    - sfc: add Medford2 (SFC9250) PCI Device IDs
    - sfc: improve PTP error reporting
    - sfc: update EF10 register definitions
    - sfc: populate the timer reload field
    - sfc: update MCDI protocol headers
    - sfc: support variable number of MAC stats
    - sfc: expose FEC stats on Medford2
    - sfc: expose CTPIO stats on NICs that support them
    - sfc: basic MCDI mapping of 25/50/100G link speeds
    - sfc: support the ethtool ksettings API properly so that 25/50/100G works
    - sfc: add bits for 25/50/100G supported/advertised speeds
    - sfc: remove tx and MCDI handling from NAPI budget consideration
    - sfc: handle TX timestamps in the normal data path
    - sfc: add function to determine which TX timestamping method to use
    - sfc: use main datapath for HW timestamps if available
    - sfc: only enable TX timestamping if the adapter is licensed for it
    - sfc: MAC TX timestamp handling on the 8000 series
    - sfc: on 8000 series use TX queues for TX timestamps
    - sfc: only advertise TX timestamping if we have the license for it
    - sfc: simplify RX datapath timestamping
    - sfc: support separate PTP and general timestamping
    - sfc: support second + quarter ns time format for receive datapath
    - sfc: support Medford2 frequency adjustment format
    - sfc: add suffix to large constant in ptp
    - sfc: mark some unexported symbols as static
    - sfc: update MCDI protocol headers
    - sfc: support FEC configuration through ethtool
    - sfc: remove ctpio_dmabuf_start from stats
    - sfc: stop the TX queue before pushing new buffers

  * [18.04 FEAT] zKVM: Add hardwar...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released