[Kernel-packages] [Bug 1747263] Re: [artful] panic in update_stack_state when reading /proc//stack on i386

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.13.0-36.40

---
linux (4.13.0-36.40) artful; urgency=medium

  * linux: 4.13.0-36.40 -proposed tracker (LP: #1750010)

  * Rebuild without "CVE-2017-5754 ARM64 KPTI fixes" patch set

linux (4.13.0-35.39) artful; urgency=medium

  * linux: 4.13.0-35.39 -proposed tracker (LP: #1748743)

  * CVE-2017-5715 (Spectre v2 Intel)
- Revert "UBUNTU: SAUCE: turn off IBPB when full retpoline is present"
- SAUCE: turn off IBRS when full retpoline is present
- [Packaging] retpoline files must be sorted
- [Packaging] pull in retpoline files

linux (4.13.0-34.37) artful; urgency=medium

  * linux: 4.13.0-34.37 -proposed tracker (LP: #1748475)

  * libata: apply MAX_SEC_1024 to all LITEON EP1 series devices (LP: #1743053)
- libata: apply MAX_SEC_1024 to all LITEON EP1 series devices

  * KVM patches for s390x to provide facility bits 81 (ppa15) and 82 (bpb)
(LP: #1747090)
- KVM: s390: wire up bpb feature

  * artful 4.13 i386 kernels crash after memory hotplug remove (LP: #1747069)
- Revert "mm, memory_hotplug: do not associate hotadded memory to zones 
until
  online"

  * CVE-2017-5715 (Spectre v2 Intel)
- x86/feature: Enable the x86 feature to control Speculation
- x86/feature: Report presence of IBPB and IBRS control
- x86/enter: MACROS to set/clear IBRS and set IBPB
- x86/enter: Use IBRS on syscall and interrupts
- x86/idle: Disable IBRS entering idle and enable it on wakeup
- x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
- x86/mm: Set IBPB upon context switch
- x86/mm: Only set IBPB when the new thread cannot ptrace current thread
- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
- x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
- x86/kvm: Set IBPB when switching VM
- x86/kvm: Toggle IBRS on VM entry and exit
- x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
- x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
- x86/cpu/AMD: Add speculative control support for AMD
- x86/microcode: Extend post microcode reload to support IBPB feature
- KVM: SVM: Do not intercept new speculative control MSRs
- x86/svm: Set IBRS value on VM entry and exit
- x86/svm: Set IBPB when running a different VCPU
- KVM: x86: Add speculative control CPUID support for guests
- SAUCE: turn off IBPB when full retpoline is present

  * Artful 4.13 fixes for tun (LP: #1748846)
- tun: call dev_get_valid_name() before register_netdevice()
- tun: allow positive return values on dev_get_valid_name() call
- tun/tap: sanitize TUNSETSNDBUF input

  * boot failure on AMD Raven + WestonXT (LP: #1742759)
- SAUCE: drm/amdgpu: add atpx quirk handling (v2)

linux (4.13.0-33.36) artful; urgency=low

  * linux: 4.13.0-33.36 -proposed tracker (LP: #1746903)

  [ Stefan Bader ]
  * starting VMs causing retpoline4 to reboot (LP: #1747507) // CVE-2017-5715
(Spectre v2 retpoline)
- x86/retpoline: Fill RSB on context switch for affected CPUs
- x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
- x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
- x86/retpoline: Remove the esp/rsp thunk
- x86/retpoline: Simplify vmexit_fill_RSB()

  * Missing install-time driver for QLogic QED 25/40/100Gb Ethernet NIC
(LP: #1743638)
- [d-i] Add qede to nic-modules udeb

  * hisi_sas: driver robustness fixes (LP: #1739807)
- scsi: hisi_sas: fix reset and port ID refresh issues
- scsi: hisi_sas: avoid potential v2 hw interrupt issue
- scsi: hisi_sas: fix v2 hw underflow residual value
- scsi: hisi_sas: add v2 hw DFX feature
- scsi: hisi_sas: add irq and tasklet cleanup in v2 hw
- scsi: hisi_sas: service interrupt ITCT_CLR interrupt in v2 hw
- scsi: hisi_sas: fix internal abort slot timeout bug
- scsi: hisi_sas: us start_phy in PHY_FUNC_LINK_RESET
- scsi: hisi_sas: fix NULL check in SMP abort task path
- scsi: hisi_sas: fix the risk of freeing slot twice
- scsi: hisi_sas: kill tasklet when destroying irq in v3 hw
- scsi: hisi_sas: complete all tasklets prior to host reset

  * [Artful/Zesty] ACPI APEI error handling bug fixes (LP: #1732990)
- ACPI: APEI: fix the wrong iteration of generic error status block
- ACPI / APEI: clear error status before acknowledging the error

  * [Zesty/Artful] On ARM64 PCIE physical function passthrough guest fails to
boot (LP: #1732804)
- vfio/pci: Virtualize Maximum Payload Size
- vfio/pci: Virtualize Maximum Read Request Size

  * hisi_sas: Add ATA command support for SMR disks (LP: #1739891)
- scsi: hisi_sas: support zone management commands

  * thunderx2: i2c driver PEC and ACPI clock fixes (LP: #1738073)
- ACPI / APD: Add clock frequency for ThunderX2 I2C controller
- i2c: xlp9xx: Get clock frequency with clk API
- i2c: xlp9xx: Handle 

[Kernel-packages] [Bug 1747263] Re: [artful] panic in update_stack_state when reading /proc//stack on i386

[Kleber Sacilotto de Souza]

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
artful' to 'verification-done-artful'. If the problem still exists,
change the tag 'verification-needed-artful' to 'verification-failed-
artful'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-artful

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1747263

Title:
  [artful] panic in update_stack_state when reading /proc//stack on
  i386

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  Fix Committed

Bug description:
  It seems that when reading /proc//stack we can sometimes triggers
  a panic on i386.  This is triggered by an unsafe pointer access when
  validating the stack in the stack unwinder.  This is reproducible in a
  4 cpu 32bit VM with the stress-ng /proc stressor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1747263/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1747263] Re: [artful] panic in update_stack_state when reading /proc//stack on i386

[Stefan Bader]

** Also affects: linux (Ubuntu Artful)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1747263

Title:
  [artful] panic in update_stack_state when reading /proc//stack on
  i386

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  Fix Committed

Bug description:
  It seems that when reading /proc//stack we can sometimes triggers
  a panic on i386.  This is triggered by an unsafe pointer access when
  validating the stack in the stack unwinder.  This is reproducible in a
  4 cpu 32bit VM with the stress-ng /proc stressor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1747263/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1747263] Re: [artful] panic in update_stack_state when reading /proc//stack on i386

[Kleber Sacilotto de Souza]

** Changed in: linux (Ubuntu Artful)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1747263

Title:
  [artful] panic in update_stack_state when reading /proc//stack on
  i386

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Artful:
  Fix Committed

Bug description:
  It seems that when reading /proc//stack we can sometimes triggers
  a panic on i386.  This is triggered by an unsafe pointer access when
  validating the stack in the stack unwinder.  This is reproducible in a
  4 cpu 32bit VM with the stress-ng /proc stressor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1747263/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1747263] Re: [artful] panic in update_stack_state when reading /proc//stack on i386

[Andy Whitcroft]

** Changed in: linux (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1747263

Title:
  [artful] panic in update_stack_state when reading /proc//stack on
  i386

Status in linux package in Ubuntu:
  In Progress

Bug description:
  It seems that when reading /proc//stack we can sometimes triggers
  a panic on i386.  This is triggered by an unsafe pointer access when
  validating the stack in the stack unwinder.  This is reproducible in a
  4 cpu 32bit VM with the stress-ng /proc stressor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1747263/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1747263] Re: [artful] panic in update_stack_state when reading /proc//stack on i386

[Andy Whitcroft]

The below commit has been confirmed as the fix for this:

commit 62dd86ac01f9fb6386d7f8c6b389c3ea4582a50a
Author: Josh Poimboeuf 
Date:   Mon Oct 9 20:20:02 2017 -0500

x86/unwind: Fix dereference of untrusted pointer

Tetsuo Handa and Fengguang Wu reported a panic in the unwinder:

  BUG: unable to handle kernel NULL pointer dereference at 01f2
  IP: update_stack_state+0xd4/0x340
  *pde = 

  Oops:  [#1] PREEMPT SMP
  CPU: 0 PID: 18728 Comm: 01-cpu-hotplug Not tainted 
4.13.0-rc4-00170-gb09be67 #592
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.9.3-20161025_171302-gandalf 04/01/2014
  task: bb0b53c0 task.stack: bb3ac000
  EIP: update_stack_state+0xd4/0x340
  EFLAGS: 00010002 CPU: 0
  EAX: a570 EBX: bb3adccb ECX: f401 EDX: a570
  ESI: 0001 EDI: 01ba EBP: bb3adc6b ESP: bb3adc3f
   DS: 007b ES: 007b FS: 00d8 GS:  SS: 0068
  CR0: 80050033 CR2: 01f2 CR3: 0b3a7000 CR4: 00140690
  DR0:  DR1:  DR2:  DR3: 
  DR6: fffe0ff0 DR7: 0400
  Call Trace:
   ? unwind_next_frame+0xea/0x400
   ? __unwind_start+0xf5/0x180
   ? __save_stack_trace+0x81/0x160
   ? save_stack_trace+0x20/0x30
   ? __lock_acquire+0xfa5/0x12f0
   ? lock_acquire+0x1c2/0x230
   ? tick_periodic+0x3a/0xf0
   ? _raw_spin_lock+0x42/0x50
   ? tick_periodic+0x3a/0xf0
   ? tick_periodic+0x3a/0xf0
   ? debug_smp_processor_id+0x12/0x20
   ? tick_handle_periodic+0x23/0xc0
   ? local_apic_timer_interrupt+0x63/0x70
   ? smp_trace_apic_timer_interrupt+0x235/0x6a0
   ? trace_apic_timer_interrupt+0x37/0x3c
   ? strrchr+0x23/0x50
  Code: 0f 95 c1 89 c7 89 45 e4 0f b6 c1 89 c6 89 45 dc 8b 04 85 98 cb 74 
bc 88 4d e3 89 45 f0 83 c0 01 84 c9 89 04 b5 98 cb 74 bc 74 3b <8b> 47 38 8b 57 
34 c6 43 1d 01 25 00 00 02 00 83 e2 03 09 d0 83
  EIP: update_stack_state+0xd4/0x340 SS:ESP: 0068:bb3adc3f
  CR2: 01f2
  ---[ end trace 0d147fd4aba8ff50 ]---
  Kernel panic - not syncing: Fatal exception in interrupt

On x86-32, after decoding a frame pointer to get a regs address,
regs_size() dereferences the regs pointer when it checks regs->cs to see
if the regs are user mode.  This is dangerous because it's possible that
what looks like a decoded frame pointer is actually a corrupt value, and
we don't want the unwinder to make things worse.

Instead of calling regs_size() on an unsafe pointer, just assume they're
kernel regs to start with.  Later, once it's safe to access the regs, we
can do the user mode check and corresponding safety check for the
remaining two regs.

Reported-and-tested-by: Tetsuo Handa 
Reported-and-tested-by: Fengguang Wu 
Signed-off-by: Josh Poimboeuf 
Cc: Byungchul Park 
Cc: LKP 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Fixes: 5ed8d8bb38c5 ("x86/unwind: Move common code into 
update_stack_state()")
Link: 
http://lkml.kernel.org/r/7f95b9a6993dec7674b3f3ab3dcd3294f7b9644d.1507597785.git.jpoim...@redhat.com
Signed-off-by: Ingo Molnar 

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1747263

Title:
  [artful] panic in update_stack_state when reading /proc//stack on
  i386

Status in linux package in Ubuntu:
  In Progress

Bug description:
  It seems that when reading /proc//stack we can sometimes triggers
  a panic on i386.  This is triggered by an unsafe pointer access when
  validating the stack in the stack unwinder.  This is reproducible in a
  4 cpu 32bit VM with the stress-ng /proc stressor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1747263/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp