This bug was fixed in the package linux - 4.15.0-50.54
---------------
linux (4.15.0-50.54) bionic; urgency=medium
* CVE-2018-12126 // CVE-2018-12127 // CVE-2018-12130
- Documentation/l1tf: Fix small spelling typo
- x86/cpu: Sanitize FAM6_ATOM naming
- kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
- locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a
new <linux/bits.h> file
- tools include: Adopt linux/bits.h
- x86/msr-index: Cleanup bit defines
- x86/speculation: Consolidate CPU whitelists
- x86/speculation/mds: Add basic bug infrastructure for MDS
- x86/speculation/mds: Add BUG_MSBDS_ONLY
- x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
- x86/speculation/mds: Add mds_clear_cpu_buffers()
- x86/speculation/mds: Clear CPU buffers on exit to user
- x86/kvm/vmx: Add MDS protection when L1D Flush is not active
- x86/speculation/mds: Conditionally clear CPU buffers on idle entry
- x86/speculation/mds: Add mitigation control for MDS
- x86/speculation/mds: Add sysfs reporting for MDS
- x86/speculation/mds: Add mitigation mode VMWERV
- Documentation: Move L1TF to separate directory
- Documentation: Add MDS vulnerability documentation
- x86/speculation/mds: Add mds=full,nosmt cmdline option
- x86/speculation: Move arch_smt_update() call to after mitigation decisions
- x86/speculation/mds: Add SMT warning message
- x86/speculation/mds: Fix comment
- x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
- x86/speculation/mds: Add 'mitigations=' support for MDS
* CVE-2017-5715 // CVE-2017-5753
- s390/speculation: Support 'mitigations=' cmdline option
* CVE-2017-5715 // CVE-2017-5753 // CVE-2017-5754 // CVE-2018-3639
- powerpc/speculation: Support 'mitigations=' cmdline option
* CVE-2017-5715 // CVE-2017-5754 // CVE-2018-3620 // CVE-2018-3639 //
CVE-2018-3646
- cpu/speculation: Add 'mitigations=' cmdline option
- x86/speculation: Support 'mitigations=' cmdline option
* Packaging resync (LP: #1786013)
- [Packaging] resync git-ubuntu-log
linux (4.15.0-49.53) bionic; urgency=medium
* linux: 4.15.0-49.53 -proposed tracker (LP: #1826358)
* Backport support for software count cache flush Spectre v2 mitigation. (CVE)
(required for POWER9 DD2.3) (LP: #1822870)
- powerpc/64s: Add support for ori barrier_nospec patching
- powerpc/64s: Patch barrier_nospec in modules
- powerpc/64s: Enable barrier_nospec based on firmware settings
- powerpc: Use barrier_nospec in copy_from_user()
- powerpc/64: Use barrier_nospec in syscall entry
- powerpc/64s: Enhance the information in cpu_show_spectre_v1()
- powerpc/64: Disable the speculation barrier from the command line
- powerpc/64: Make stf barrier PPC_BOOK3S_64 specific.
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC
- powerpc/64: Call setup_barrier_nospec() from setup_arch()
- powerpc/64: Make meltdown reporting Book3S 64 specific
- powerpc/lib/code-patching: refactor patch_instruction()
- powerpc/lib/feature-fixups: use raw_patch_instruction()
- powerpc/asm: Add a patch_site macro & helpers for patching instructions
- powerpc/64s: Add new security feature flags for count cache flush
- powerpc/64s: Add support for software count cache flush
- powerpc/pseries: Query hypervisor for count cache flush settings
- powerpc/powernv: Query firmware for count cache flush settings
- powerpc/fsl: Add nospectre_v2 command line argument
- KVM: PPC: Book3S: Add count cache flush parameters to
kvmppc_get_cpu_char()
- [Config] Add CONFIG_PPC_BARRIER_NOSPEC
* Packaging resync (LP: #1786013)
- [Packaging] resync git-ubuntu-log
* autopkgtests run too often, too much and don't skip enough (LP: #1823056)
- [Debian] Set +x on rebuild testcase.
- [Debian] Skip rebuild test, for regression-suite deps.
- [Debian] Make ubuntu-regression-suite skippable on unbootable kernels.
- [Debian] make rebuild use skippable error codes when skipping.
- [Debian] Only run regression-suite, if requested to.
* bionic: fork out linux-snapdragon into its own topic kernel (LP: #1820868)
- [Packaging] remove arm64 snapdragon from getabis
- [Config] config changes for snapdragon split
- packaging: arm64: disable building the snapdragon flavour
- [Packaging] arm64: Drop snapdragon from kernel-versions
* CVE-2017-5753
- KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_get_irq()
- media: dvb_ca_en50221: prevent using slot_info for Spectre attacs
- sysvipc/sem: mitigate semnum index against spectre v1
- libahci: Fix possible Spectre-v1 pmp indexing in ahci_led_store()
- s390/keyboard: sanitize array index in do_kdsk_ioctl
- arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
- KVM: arm/arm64: vgic: Fix possible spectre-v1 write in
vgic_mmio_write_apr()
- pktcdvd: Fix possible Spectre-v1 for pkt_devs
- net: socket: fix potential spectre v1 gadget in socketcall
- net: socket: Fix potential spectre v1 gadget in sock_is_registered
- drm/amdgpu/pm: Fix potential Spectre v1
- netlink: Fix spectre v1 gadget in netlink_create()
- ext4: fix spectre gadget in ext4_mb_regular_allocator()
- drm/i915/kvmgt: Fix potential Spectre v1
- net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
- fs/quota: Fix spectre gadget in do_quotactl
- hwmon: (nct6775) Fix potential Spectre v1
- mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom
- switchtec: Fix Spectre v1 vulnerability
- misc: hmc6352: fix potential Spectre v1
- tty: vt_ioctl: fix potential Spectre v1
- nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
- nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
- IB/ucm: Fix Spectre v1 vulnerability
- RDMA/ucma: Fix Spectre v1 vulnerability
- drm/bufs: Fix Spectre v1 vulnerability
- usb: gadget: storage: Fix Spectre v1 vulnerability
- ptp: fix Spectre v1 vulnerability
- HID: hiddev: fix potential Spectre v1
- vhost: Fix Spectre V1 vulnerability
- drivers/misc/sgi-gru: fix Spectre v1 vulnerability
- ipv4: Fix potential Spectre v1 vulnerability
- aio: fix spectre gadget in lookup_ioctx
- ALSA: emux: Fix potential Spectre v1 vulnerabilities
- ALSA: pcm: Fix potential Spectre v1 vulnerability
- ip6mr: Fix potential Spectre v1 vulnerability
- ALSA: rme9652: Fix potential Spectre v1 vulnerability
- ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
- KVM: arm/arm64: vgic: Fix off-by-one bug in vgic_get_irq()
- drm/ioctl: Fix Spectre v1 vulnerabilities
- char/mwave: fix potential Spectre v1 vulnerability
- applicom: Fix potential Spectre v1 vulnerabilities
- ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
- powerpc/ptrace: Mitigate potential Spectre v1
- cfg80211: prevent speculation on cfg80211_classify8021d() return
- ALSA: rawmidi: Fix potential Spectre v1 vulnerability
- ALSA: seq: oss: Fix Spectre v1 vulnerability
* Bionic: Sync to Xenial (Spectre) (LP: #1822760)
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM
- KVM: SVM: Add MSR-based feature support for serializing LFENCE
- KVM: VMX: fixes for vmentry_l1d_flush module parameter
- KVM: X86: Allow userspace to define the microcode version
- SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
- SAUCE: [Fix] x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on
vmentry
* [SRU] [B/OEM] Fix ACPI bug that causes boot failure (LP: #1819921)
- SAUCE: ACPI / bus: Add some Lenovo laptops in list of acpi table term list
* Bionic update: upstream stable patchset for fuse 2019-04-12 (LP: #1824553)
- fuse: fix double request_end()
- fuse: fix unlocked access to processing queue
- fuse: umount should wait for all requests
- fuse: Fix oops at process_init_reply()
- fuse: Don't access pipe->buffers without pipe_lock()
- fuse: Fix use-after-free in fuse_dev_do_read()
- fuse: Fix use-after-free in fuse_dev_do_write()
- fuse: set FR_SENT while locked
- fuse: fix blocked_waitq wakeup
- fuse: fix leaked notify reply
- fuse: fix possibly missed wake-up after abort
- fuse: fix use-after-free in fuse_direct_IO()
- fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
- fuse: handle zero sized retrieve correctly
- fuse: call pipe_buf_release() under pipe lock
- fuse: decrement NR_WRITEBACK_TEMP on the right page
* Backport support for software count cache flush Spectre v2 mitigation. (CVE)
(required for POWER9 DD2.3) (LP: #1822870) // Backport support for software
count cache flush Spectre v2 mitigation. (CVE) (required for POWER9 DD2.3)
(LP: #1822870)
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
- powerpc/fsl: Fix spectre_v2 mitigations reporting
- powerpc: Avoid code patching freed init sections
* Backport support for software count cache flush Spectre v2 mitigation. (CVE)
(required for POWER9 DD2.3) (LP: #1822870) // Backport support for software
count cache flush Spectre v2 mitigation. (CVE) (required for POWER9 DD2.3)
(LP: #1822870) // Backport support for software count cache flush Spectre v2
mitigation. (CVE) (required for POWER9 DD2.3) (LP: #1822870)
- powerpc/security: Fix spectre_v2 reporting
* CVE-2019-3874
- sctp: use sk_wmem_queued to check for writable space
- sctp: implement memory accounting on tx path
- sctp: implement memory accounting on rx path
* NULL pointer dereference when using z3fold and zswap (LP: #1814874)
- z3fold: fix possible reclaim races
* Kprobe event argument syntax in ftrace from ubuntu_kernel_selftests failed
on B PowerPC (LP: #1812809)
- selftests/ftrace: Add ppc support for kprobe args tests
* The Realtek card reader does not enter PCIe 1.1/1.2 (LP: #1825487)
- misc: rtsx: make various functions static
- misc: rtsx: Enable OCP for rts522a rts524a rts525a rts5260
- SAUCE: misc: rtsx: Fixed rts5260 power saving parameter and sd glitch
* headset-mic doesn't work on two Dell laptops. (LP: #1825272)
- ALSA: hda/realtek - add two more pin configuration sets to quirk table
* CVE-2018-16884
- sunrpc: use SVC_NET() in svcauth_gss_* functions
- sunrpc: use-after-free in svc_process_common()
* sky2 ethernet card don't work after returning from suspension (LP: #1798921)
- sky2: Increase D3 delay again
* CVE-2019-9500
- brcmfmac: assure SSID length from firmware is limited
* CVE-2019-9503
- brcmfmac: add subtype check for event handling in data path
* CVE-2019-3882
- vfio/type1: Limit DMA mappings per container
* Intel I210 Ethernet card not working after hotplug [8086:1533]
(LP: #1818490)
- igb: Fix WARN_ONCE on runtime suspend
* bionic, xenial/hwe: misses "fuse: fix initial parallel dirops" patch
(LP: #1823972)
- fuse: fix initial parallel dirops
* amdgpu resume failure: failed to allocate wb slot (LP: #1825074)
- drm/amdgpu: fix&cleanups for wb_clear
* Pop noise when headset is plugged in or removed from GHS/Line-out jack
(LP: #1821290)
- ALSA: hda/realtek - Add unplug function into unplug state of Headset Mode
for ALC225
- ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225
- ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO
- ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB
* mac80211_hwsim unable to handle kernel NULL pointer dereference
at0000000000000000 (LP: #1825058)
- mac80211_hwsim: Timer should be initialized before device registered
* [regression][snd_hda_codec_realtek] repeating crackling noise after 19.04
upgrade (LP: #1821663)
- ALSA: hda: Add Intel NUC7i3BNB to the power_save blacklist
- ALSA: hda - add Lenovo IdeaCentre B550 to the power_save_blacklist
- ALSA: hda - Add two more machines to the power_save_blacklist
* ubuntu_nbd_smoke_test failed on P9 with Bionic kernel (LP: #1822247)
- nbd: fix how we set bd_invalidated
* TSC clocksource not available in nested guests (LP: #1822821)
- kvmclock: fix TSC calibration for nested guests
* 4.15 kernel ip_vs --ops causes performance and hang problem (LP: #1819786)
- ipvs: fix refcount usage for conns in ops mode
* systemd cause kernel trace "BUG: unable to handle kernel paging request at
6db23a14" on Cosmic i386 (LP: #1813244) // systemd cause kernel trace "BUG:
unable to handle kernel paging request at 6db23a14" on Cosmic i386
(LP: #1813244)
- openvswitch: fix flow actions reallocation
-- Stefan Bader <stefan.ba...@canonical.com> Mon, 06 May 2019 18:59:24
+0200
** Changed in: linux (Ubuntu Bionic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12126
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12127
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12130
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16884
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3620
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3639
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3646
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3874
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3882
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9500
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9503
** Changed in: linux (Ubuntu Cosmic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3887
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1814874
Title:
NULL pointer dereference when using z3fold and zswap
Status in Linux:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Bionic:
Fix Released
Status in linux source package in Cosmic:
Fix Released
Bug description:
== Justification ==
When using z3fold and zswap on a VM under overcommitted memory stress,
z3fold will complains about an "unknown buddy id 0" and fail to get a
pointer to the mapped allocation in z3fold_map().
z3fold: unknown buddy id 0
WARNING: CPU: 2 PID: 1584 at mm/z3fold.c:971 z3fold_zpool_map+0xce/0x100
[z3fold]
And it will leads to a null pointer dereference in zswap
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 2 PID: 1584 Comm: stress Tainted: G W 4.18.0-17-generic
#18-Ubuntu
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1
04/01/2014
RIP: 0010:zswap_writeback_entry+0x4d/0x360
== Fix ==
ca0246bb (z3fold: fix possible reclaim races)
This patch has already in Disco, and can be cherry-picked into B/C.
Not needed for Xenial and older kernels as z3fold is not supported.
== Test ==
Test kernels for Bionic / Cosmic could be found here:
http://people.canonical.com/~phlin/kernel/lp-1814874-z3fold-zswap/Bionic/
http://people.canonical.com/~phlin/kernel/lp-1814874-z3fold-zswap/Cosmic/
This issue can be reproduced easily in a KVM with the following setup:
* 8G disk, 4G RAM, 4 CPUs
* 1G swap
* "zswap.enabled=1 zswap.zpool=z3fold zswap.max_pool_percent=7" added to grub
* "z3fold" module added into /etc/initramfs-tools/modules
Stress it with two childs running:
* stress --vm-bytes 512M --vm 4 --vm-hang 3
* stress --vm-bytes 512M --vm 4 --vm-hang 7
The VM is expected to crash within 5 minutes.
With the patched kernel, the VM can withstand this stress for over an
hour with crashing with this issue
== Regression potential ==
Small.
Fix limited to z3fold. User needs to enable it explicitly for this
feature.
== Original Bug Report ==
Under memory pressure, my VM locks up. This has been reported upstream though
I don't know how far any solution has progressed.
https://bugzilla.kernel.org/show_bug.cgi?id=201603
Feb 6 07:15:42 vps632258 kernel: [151336.450064] z3fold: unknown buddy id 0
Feb 6 07:15:42 vps632258 kernel: [151336.454450] BUG: unable to handle
kernel NULL pointer dereference at 0000000000000008
The little bit of log I managed to salvage is attached.
This has happened to two identical VMs. Unusually it has not occurred
on a third VM which is configured the same but has less RAM (fingers
crossed it won't).
Irrelevant information:
I thought the lock-ups were due to me using a BTRFS filesystem, however I
swapped over to NILFS2 and this still occurs. The only difference seems to be
that I am now able to grab some of the kernel output.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.18.0-14-generic 4.18.0-14.15~18.04.1
ProcVersionSignature: Ubuntu 4.18.0-14.15~18.04.1-generic 4.18.20
Uname: Linux 4.18.0-14-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
Date: Wed Feb 6 10:55:05 2019
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: linux-signed-hwe
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/1814874/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
