This bug was fixed in the package linux - 4.18.0-18.19
---------------
linux (4.18.0-18.19) cosmic; urgency=medium
* linux: 4.18.0-18.19 -proposed tracker (LP: #1822796)
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
- [Packaging] resync retpoline extraction
* 3b080b2564287be91605bfd1d5ee985696e61d3c in ubuntu_btrfs_kernel_fixes
triggers system hang on i386 (LP: #1812845)
- btrfs: raid56: properly unmap parity page in finish_parity_scrub()
* [SRU][B/C/OEM]IOMMU: add kernel dma protection (LP: #1820153)
- ACPI / property: Allow multiple property compatible _DSD entries
- PCI / ACPI: Identify untrusted PCI devices
- iommu/vt-d: Force IOMMU on for platform opt in hint
- iommu/vt-d: Do not enable ATS for untrusted devices
- thunderbolt: Export IOMMU based DMA protection support to userspace
- iommu/vt-d: Disable ATS support on untrusted devices
* Huawei Hi1822 NIC has poor performance (LP: #1820187)
- net-next: hinic: fix a problem in free_tx_poll()
- hinic: remove ndo_poll_controller
- net-next/hinic: add checksum offload and TSO support
- hinic: Fix l4_type parameter in hinic_task_set_tunnel_l4
- net-next/hinic:replace multiply and division operators
- net-next/hinic:add rx checksum offload for HiNIC
- net-next/hinic:fix a bug in set mac address
- net-next/hinic: fix a bug in rx data flow
- net: hinic: fix null pointer dereference on pointer hwdev
- hinic: optmize rx refill buffer mechanism
- net-next/hinic:add shutdown callback
- net-next/hinic: replace disable_irq_nosync/enable_irq
* [CONFIG] please enable highdpi font FONT_TER16x32 (LP: #1819881)
- Fonts: New Terminus large console font
- [Config]: enable highdpi Terminus 16x32 font support
* [19.04 FEAT] qeth: Enhanced link speed - kernel part (LP: #1814892)
- s390/qeth: report 25Gbit link speed
* Avoid potential memory corruption on HiSilicon SoCs (LP: #1819546)
- iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI payloads
* CVE-2017-5715
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
- x86/speculation: Propagate information about RSB filling mitigation to
sysfs
- x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC
variant
- x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
- x86/retpoline: Remove minimal retpoline support
- x86/speculation: Update the TIF_SSBD comment
- x86/speculation: Clean up spectre_v2_parse_cmdline()
- x86/speculation: Remove unnecessary ret variable in cpu_show_common()
- x86/speculation: Move STIPB/IBPB string conditionals out of
cpu_show_common()
- x86/speculation: Disable STIBP when enhanced IBRS is in use
- x86/speculation: Rename SSBD update functions
- x86/speculation: Reorganize speculation control MSRs update
- sched/smt: Make sched_smt_present track topology
- x86/Kconfig: Select SCHED_SMT if SMP enabled
- sched/smt: Expose sched_smt_present static key
- x86/speculation: Rework SMT state change
- x86/l1tf: Show actual SMT state
- x86/speculation: Reorder the spec_v2 code
- x86/speculation: Mark string arrays const correctly
- x86/speculataion: Mark command line parser data __initdata
- x86/speculation: Unify conditional spectre v2 print functions
- x86/speculation: Add command line control for indirect branch speculation
- x86/speculation: Prepare for per task indirect branch speculation control
- x86/process: Consolidate and simplify switch_to_xtra() code
- x86/speculation: Avoid __switch_to_xtra() calls
- x86/speculation: Prepare for conditional IBPB in switch_mm()
- ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
- x86/speculation: Split out TIF update
- x86/speculation: Prevent stale SPEC_CTRL msr content
- x86/speculation: Prepare arch_smt_update() for PRCTL mode
- x86/speculation: Add prctl() control for indirect branch speculation
- x86/speculation: Enable prctl mode for spectre_v2_user
- x86/speculation: Add seccomp Spectre v2 user space protection mode
- x86/speculation: Provide IBPB always command line options
- kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
- x86/speculation: Change misspelled STIPB to STIBP
- x86/speculation: Add support for STIBP always-on preferred mode
- x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE
* [Ubuntu] vfio-ap: add subsystem to matrix device to avoid libudev failures
(LP: #1818854)
- s390: vfio_ap: link the vfio_ap devices to the vfio_ap bus subsystem
* Kernel regularly logs: Bluetooth: hci0: last event is not cmd complete
(0x0f) (LP: #1748565)
- Bluetooth: Fix unnecessary error message for HCI request completion
* HiSilicon HNS ethernet broken in 4.15.0-45 (LP: #1818294)
- net: hns: Fix WARNING when hns modules installed
* Lenovo ideapad 330-15ICH Wifi rfkill hard blocked (LP: #1811815)
- platform/x86: ideapad: Add ideapad 330-15ICH to no_hw_rfkill
* Qualcomm Atheros QCA9377 wireless does not work (LP: #1818204)
- platform/x86: ideapad-laptop: Add Ideapad 530S-14ARR to no_hw_rfkill list
* fscache: jobs might hang when fscache disk is full (LP: #1821395)
- fscache: fix race between enablement and dropping of object
* hns3: fix oops in hns3_clean_rx_ring() (LP: #1821064)
- net: hns3: add dma_rmb() for rx description
* tcm_loop.ko: move from modules-extra into main modules package
(LP: #1817786)
- [Packaging] move tcm_loop.lo to main linux-modules package
* tcmu user space crash results in kernel module hang. (LP: #1819504)
- scsi: tcmu: delete unused __wait
- scsi: tcmu: track nl commands
- scsi: tcmu: simplify nl interface
- scsi: tcmu: add module wide block/reset_netlink support
* Intel XL710 - i40e driver does not work with kernel 4.15 (Ubuntu 18.04)
(LP: #1779756)
- i40e: prevent overlapping tx_timeout recover
* some codecs stop working after S3 (LP: #1820930)
- ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec
* 4.15 s390x kernel BUG at /build/linux-
Gycr4Z/linux-4.15.0/drivers/block/virtio_blk.c:565! (LP: #1788432)
- virtio/s390: avoid race on vcdev->config
- virtio/s390: fix race in ccw_io_helper()
* [SRU][B/B-OEM/C/D] Fix AMD IOMMU NULL dereference (LP: #1820990)
- iommu/amd: Fix NULL dereference bug in match_hid_uid
* New Intel Wireless-AC 9260 [8086:2526] card not correctly probed in Ubuntu
system (LP: #1821271)
- iwlwifi: add new card for 9260 series
* Add support for MAC address pass through on RTL8153-BD (LP: #1821276)
- r8152: Add support for MAC address pass through on RTL8153-BD
- r8152: Fix an error on RTL8153-BD MAC Address Passthrough support
-- Kleber Sacilotto de Souza <kleber.so...@canonical.com> Tue, 02 Apr
2019 18:06:12 +0200
** Changed in: linux (Ubuntu Cosmic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem in Ubuntu.
https://bugs.launchpad.net/bugs/1820153
Title:
[SRU][B/C/OEM]IOMMU: add kernel dma protection
Status in HWE Next:
In Progress
Status in linux package in Ubuntu:
Invalid
Status in linux-oem package in Ubuntu:
Invalid
Status in linux source package in Bionic:
Fix Committed
Status in linux-oem source package in Bionic:
Fix Committed
Status in linux source package in Cosmic:
Fix Released
Status in linux-oem source package in Cosmic:
Invalid
Bug description:
SRU justification:
[Impact]
Recent systems shipping with "kernel DMA protection" = "enabled" by default
in BIOS. This setting option changed "Thunderbolt Security Level" = "No
Security (SL0)".
With this setting systems will be vulnerable to a DMA attack by a thunderbolt
device.
OS can use IOMMU to defend against DMA attacks from a PCI device like
thunderbolt one.
Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in
_DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt
dock station.
iommu enabled as expected with this fix.
Verified by QA's full test with a temporary build of bionic-oem kernel.
All test passed on one supported "DMA protection" system and one
non-supported "DMA protection" system.
[Regression Potential]
Upstream fix, Verified on supported platforms, no affection on not supported
platforms.
Backported changes are fairly minimal.
These patches are included in 5.0 kernel, disco is good.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1820153/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
