This bug was fixed in the package linux - 5.4.0-21.25

---------------
linux (5.4.0-21.25) focal; urgency=medium

  * CVE-2020-8835
    - SAUCE: bpf: undo incorrect __reg_bound_offset32 handling

 -- Thadeu Lima de Souza Cascardo <casca...@canonical.com>  Thu, 26 Mar 2020 17:51:28 -0300

** Changed in: linux (Ubuntu Focal)
       Status: Incomplete => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8835

https://bugs.launchpad.net/bugs/1866772

Title:
  Sys oopsed with sysfs test in ubuntu_stress_smoke_test on X-hwe ARM64

Status in Stress-ng:
  New
Status in ubuntu-kernel-tests:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Incomplete
Status in linux source package in Eoan:
  Incomplete
Status in linux source package in Focal:
  Fix Released

Bug description:
  == SRU Request [ BIONIC, EOAN, FOCAL ] ==

  Reading /sys/firmware/acpi/tables/data/BERT as root at an odd byte
  offset will cause an oops. This is because the source address is I/O
  mapped and this needs to be read with an I/O memcpy rather than a
  memcpy.

  == Fix ==

  The fix is an upstream (linux-next) commit that will land in 5.7; the
  backport to bionic, eoan and focal is just a minor context wiggle.

  commit 08c07cefb3042a55bc9f8243814b504d5eff93f3
  Author: Colin Ian King <colin.k...@canonical.com>
  Date:   Thu Mar 12 11:13:45 2020 +0000

      ACPI: sysfs: copy ACPI data using io memory copying

  == Test ==

  Running on hotdog with the reproducer below (run as root):

  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  #include <unistd.h>
  #include <errno.h>
  #include <stdio.h>
  #include <string.h>

  int main(void)
  {
          int fd;
          char buffer[3];   /* 3-byte reads walk the table at unaligned offsets */
          ssize_t n;

          fd = open("/sys/firmware/acpi/tables/data/BERT", O_RDONLY);
          if (fd < 0) {
                  fprintf(stderr, "open failed: %d (%s)\n", errno, strerror(errno));
                  return -1;
          }
          /* Read the whole table in small chunks until EOF or error. */
          do {
                  n = read(fd, buffer, sizeof(buffer));
          } while (n > 0);

          close(fd);
          return 0;
  }

  Without the fix it will oops. With the fix it works OK.

  == Regression Potential ==

  This only affects the reading of the ACPI BERT table from /sys as root
  so it is limited in scope to just a very narrow use case. Normally the
  BERT table is just handled by the kernel, so access to this table is
  just for debugging purposes.

  -----------------------

  Issue found on new ARM64 node "hotdog"
  4.15.0-91.92~16.04.1

  Failed 2 of 2 attempts.

  Test suite HEAD SHA1: 3f43e81
  sysfs STARTING
  sysfs RETURNED 0
  sysfs FAILED (kernel oopsed)
  [ 1075.760640] Unable to handle kernel paging request at virtual address ffff00004a70072a
  [ 1075.763319] Unable to handle kernel paging request at virtual address ffff00004a70e4ba
  [ 1075.768563] Mem abort info:
  [ 1075.768566] ESR = 0x96000021
  [ 1075.768568] Exception class = DABT (current EL), IL = 32 bits
  [ 1075.768569] SET = 0, FnV = 0
  [ 1075.768570] EA = 0, S1PTW = 0
  [ 1075.768571] Data abort info:
  [ 1075.768577] ISV = 0, ISS = 0x00000021
  [ 1075.776489] Mem abort info:
  [ 1075.776491] ESR = 0x96000021
  [ 1075.776493] Exception class = DABT (current EL), IL = 32 bits
  [ 1075.776494] SET = 0, FnV = 0
  [ 1075.776495] EA = 0, S1PTW = 0
  [ 1075.776496] Data abort info:
  [ 1075.776500] ISV = 0, ISS = 0x00000021
  [ 1075.779284] CM = 0, WnR = 0
  [ 1075.779288] swapper pgtable: 4k pages, 48-bit VAs, pgd = 00000000facfed4f
  [ 1075.779290] [ffff00004a70072a] *pgd=000000bffcffe003, *pud=0000009f6122c003, *pmd=000000bf5adf4003, *pte=0068000080280703
  [ 1075.782342] CM = 0, WnR = 0
  [ 1075.782346] swapper pgtable: 4k pages, 48-bit VAs, pgd = 00000000facfed4f
  [ 1075.782352] [ffff00004a70e4ba] *pgd=000000bffcffe003, *pud=0000009f6122c003, *pmd=000000bf5adf4003, *pte=006800008028e703
  [ 1075.788262] Internal error: Oops: 96000021 [#2] SMP
  [ 1075.788269] Modules linked in: unix_diag binfmt_misc snd_seq snd_seq_device snd_timer snd soundcore userio vfio_iommu_type1 vfio hci_vhci bluetooth ecdh_generic uhid cuse vhost_vsock vmw_vsock_virtio_transport_common vhost_net vhost vsock tap dccp_ipv4 dccp ipx p8023 atm psnap p8022 llc algif_rng algif_aead anubis fcrypt khazad seed tea md4 michael_mic poly1305_generic rmd128 rmd160 rmd256 rmd320 sha3_generic sm3_generic tgr192 wp512 algif_hash chacha20_neon chacha20_generic blowfish_generic blowfish_common cast5_generic des_generic salsa20_generic camellia_generic cast6_generic cast_common serpent_generic twofish_generic twofish_common algif_skcipher af_alg nls_iso8859_1 ipmi_ssif ipmi_devintf joydev input_leds ipmi_msghandler shpchp i2c_xlp9xx(+) thunderx2_pmu ib_iser rdma_cm iw_cm ib_cm ib_core
  [ 1075.942470] iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid uas usb_storage aes_ce_blk aes_ce_cipher crc32_ce qede ast i2c_algo_bit crct10dif_ce ptp ghash_ce ttm drm_kms_helper sha2_ce pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops sha256_arm64 sha1_ce mpt3sas qed drm raid_class scsi_transport_sas ahci libahci gpio_xlp aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64
  [ 1075.991997] Process stress-ng-sysfs (pid: 108395, stack limit = 0x000000009cb607b8)
  [ 1075.999643] CPU: 100 PID: 108395 Comm: stress-ng-sysfs Tainted: G D 4.15.0-91-generic #92~16.04.1-Ubuntu
  [ 1076.010324] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL027 07/01/2019
  [ 1076.018314] pstate: 80400009 (Nzcv daif +PAN -UAO)
  [ 1076.023096] pc : __memcpy+0x84/0x180
  [ 1076.026663] lr : memory_read_from_buffer+0x64/0x88
  [ 1076.031441] sp : ffff00003ea2bd10
  [ 1076.034743] x29: ffff00003ea2bd10 x28: ffff80be4d85cb00
  [ 1076.040042] x27: ffff000008b42000 x26: 000000000000003f
  [ 1076.045342] x25: 0000000000000124 x24: ffff00004a700000
  [ 1076.050643] x23: ffff809e3a7e8500 x22: 000000000000000a
  [ 1076.055942] x21: ffff00003ea2bd88 x20: 000000000000000a
  [ 1076.061240] x19: 0000000000000734 x18: 0000000000000014
  [ 1076.066540] x17: 0000ffffaf4e1a58 x16: ffff0000082e8e28
  [ 1076.071839] x15: 00002d88734750e0 x14: 00181a0596c27059
  [ 1076.077138] x13: 00000003e8000000 x12: 0000000000000018
  [ 1076.082436] x11: 000000000006372e x10: 000000005e66c174
  [ 1076.087735] x9 : 003b9aca00000000 x8 : 000000000000003f
  [ 1076.093034] x7 : ffff000008645490 x6 : ffff809e3a7e8500
  [ 1076.098333] x5 : 000000000000000a x4 : 0000000000010000
  [ 1076.103633] x3 : ffff00004a700000 x2 : 000000000000000a
  [ 1076.108932] x1 : ffff00004a70072a x0 : ffff809e3a7e8500
  [ 1076.114231] Call trace:
  [ 1076.116668] __memcpy+0x84/0x180
  [ 1076.119887] acpi_data_show+0x54/0x80
  [ 1076.123541] sysfs_kf_bin_read+0x6c/0xa8
  [ 1076.127451] kernfs_fop_read+0xa4/0x1e0
  [ 1076.131274] __vfs_read+0x48/0x90
  [ 1076.134577] vfs_read+0x94/0x150
  [ 1076.137792] SyS_read+0x74/0xf0
  [ 1076.140923] el0_svc_naked+0x30/0x34
  [ 1076.144487] Code: a88120c7 a8c12027 a88120c7 36180062 (f8408423)
  [ 1076.150570] ---[ end trace 496ae41e9716bef2 ]---
  [ 1076.155180] Internal error: Oops: 96000021 [#3] SMP
  [ 1076.160054] Modules linked in: unix_diag binfmt_misc snd_seq snd_seq_device snd_timer snd soundcore userio vfio_iommu_type1 vfio hci_vhci bluetooth ecdh_generic uhid cuse vhost_vsock vmw_vsock_virtio_transport_common vhost_net vhost vsock tap dccp_ipv4 dccp ipx p8023 atm psnap p8022 llc algif_rng algif_aead anubis fcrypt khazad seed tea md4 michael_mic poly1305_generic rmd128 rmd160 rmd256 rmd320 sha3_generic sm3_generic tgr192 wp512 algif_hash chacha20_neon chacha20_generic blowfish_generic blowfish_common cast5_generic des_generic salsa20_generic camellia_generic cast6_generic cast_common serpent_generic twofish_generic twofish_common algif_skcipher af_alg nls_iso8859_1 ipmi_ssif ipmi_devintf joydev input_leds ipmi_msghandler shpchp i2c_xlp9xx(+) thunderx2_pmu ib_iser rdma_cm iw_cm ib_cm ib_core
  [ 1076.230688] iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid uas usb_storage aes_ce_blk aes_ce_cipher crc32_ce qede ast i2c_algo_bit crct10dif_ce ptp ghash_ce ttm drm_kms_helper sha2_ce pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops sha256_arm64 sha1_ce mpt3sas qed drm raid_class scsi_transport_sas ahci libahci gpio_xlp aes_neon_bs aes_neon_blk crypto_simd cryptd aes_arm64
  [ 1076.280211] Process stress-ng-sysfs (pid: 108405, stack limit = 0x00000000081889d7)
  [ 1076.287856] CPU: 155 PID: 108405 Comm: stress-ng-sysfs Tainted: G D 4.15.0-91-generic #92~16.04.1-Ubuntu
  [ 1076.298538] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL027 07/01/2019
  [ 1076.306530] pstate: 80400009 (Nzcv daif +PAN -UAO)
  [ 1076.311319] pc : __memcpy+0x84/0x180
  [ 1076.314890] lr : memory_read_from_buffer+0x64/0x88
  [ 1076.319667] sp : ffff00003eea3d10
  [ 1076.322969] x29: ffff00003eea3d10 x28: ffff80be4d858000
  [ 1076.328269] x27: ffff000008b42000 x26: 000000000000003f
  [ 1076.333568] x25: 0000000000000124 x24: ffff00004a700000
  [ 1076.338868] x23: ffff80bec6fa7400 x22: 000000000000000d
  [ 1076.344167] x21: ffff00003eea3d88 x20: 000000000000000d
  [ 1076.349467] x19: 000000000000e4c7 x18: 0000000000000014
  [ 1076.354767] x17: 0000ffffaf4e1a58 x16: ffff0000082e8e28
  [ 1076.360068] x15: 0000566c10765956 x14: 00181a0596c27059
  [ 1076.365368] x13: 00000003e8000000 x12: 0000000000000018
  [ 1076.370667] x11: 00000000000641a6 x10: 000000005e66c174
  [ 1076.375966] x9 : 003b9aca00000000 x8 : 000000000000003f
  [ 1076.381265] x7 : ffff000008645490 x6 : ffff80bec6fa7400
  [ 1076.386564] x5 : 000000000000000d x4 : 0000000000010000
  [ 1076.391864] x3 : ffff00004a700000 x2 : 000000000000000d
  [ 1076.397163] x1 : ffff00004a70e4ba x0 : ffff80bec6fa7400
  [ 1076.402463] Call trace:
  [ 1076.404901] __memcpy+0x84/0x180
  [ 1076.408125] acpi_data_show+0x54/0x80
  [ 1076.411785] sysfs_kf_bin_read+0x6c/0xa8
  [ 1076.415696] kernfs_fop_read+0xa4/0x1e0
  [ 1076.419520] __vfs_read+0x48/0x90
  [ 1076.422823] vfs_read+0x94/0x150
  [ 1076.426038] SyS_read+0x74/0xf0
  [ 1076.429171] el0_svc_naked+0x30/0x34
  [ 1076.432736] Code: a88120c7 a8c12027 a88120c7 36180062 (f8408423)
  [ 1076.438818] ---[ end trace 496ae41e9716bef3 ]---
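
Added example (not part of the original bug report or of the kernel fix): a small C decoder for the fault data in the oops above, showing that ESR 0x96000021 is an alignment fault on a read and that the faulting source address is not a multiple of the load width, which the Arm architecture does not permit on Device (I/O-mapped) memory. The helper names are hypothetical, and the width rule assumes the faulting word f8408423 is an integer load/store-register instruction.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an AArch64 ESR_ELx value as laid out for a data abort. */
struct dabt_info {
    unsigned ec;    /* exception class, ESR[31:26] */
    unsigned il;    /* ESR[25]: 1 = 32-bit instruction */
    unsigned isv;   /* ESR[24]: instruction syndrome valid */
    unsigned wnr;   /* ESR[6]: 1 = write, 0 = read */
    unsigned dfsc;  /* ESR[5:0]: data fault status code */
};

#define EC_DABT_CUR_EL 0x25u  /* data abort, no change of exception level */
#define DFSC_ALIGNMENT 0x21u  /* alignment fault */

static struct dabt_info decode_esr(uint32_t esr)
{
    struct dabt_info d = {
        .ec = esr >> 26, .il = (esr >> 25) & 1, .isv = (esr >> 24) & 1,
        .wnr = (esr >> 6) & 1, .dfsc = esr & 0x3f,
    };
    return d;
}

/* Access width of an A64 integer load/store-register word: bits [31:30] hold
 * log2(bytes). Assumption: insn is in that class, as f8408423 (ldr x3, [x1], #8) is. */
static unsigned ldst_access_bytes(uint32_t insn)
{
    return 1u << (insn >> 30);
}

/* 1 for an alignment fault on a read whose address is not width-aligned. */
static int is_unaligned_read_fault(uint32_t esr, uint64_t addr, uint32_t insn)
{
    struct dabt_info d = decode_esr(esr);
    return d.ec == EC_DABT_CUR_EL && d.dfsc == DFSC_ALIGNMENT &&
           d.wnr == 0 && addr % ldst_access_bytes(insn) != 0;
}

int main(void)
{
    /* Values copied from the first oops in the report above. */
    uint32_t esr = 0x96000021, insn = 0xf8408423;
    uint64_t addr = 0xffff00004a70072aULL;
    struct dabt_info d = decode_esr(esr);
    printf("EC=0x%02x WnR=%u DFSC=0x%02x width=%u unaligned=%d\n", d.ec, d.wnr,
           d.dfsc, ldst_access_bytes(insn), is_unaligned_read_fault(esr, addr, insn));
    return 0;
}
```

The decoded IL, ISV and WnR bits match the values the kernel printed in the "Mem abort info" and "Data abort info" lines, which is a quick check that the fields are being extracted correctly.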