Bug #1667567 “msleep() bug causes Nuvoton I2C TPM device driver ...” : Bugs : checksecurity package : Ubuntu

bugproxy (bugproxy) on 2017-02-24

tags:	added: architecture-ppc64le bugnameltc-151987 severity-critical targetmilestone-inin1704
Changed in ubuntu:
assignee:	nobody → Taco Screen team (taco-screen-team)
affects:	ubuntu → checksecurity (Ubuntu)

Revision history for this message

Manoj Iyer (manjo) wrote on 2017-02-24:

#1

Need a description and methods to recreate.

Revision history for this message

Michael Hohnbaum (hohnbaum) wrote on 2017-02-24:

#2

Please provide details for this issue

Changed in checksecurity (Ubuntu):
status:	New → Incomplete

Revision history for this message

bugproxy (bugproxy) wrote on 2017-02-24: Comment bridged from LTC Bugzilla

#3

Download full text (4.4 KiB)

------- Comment From <email address hidden> 2017-02-24 15:35 EDT-------
From <email address hidden> Fri Feb 24 11:30:55 2017
From: Mimi Zohar <email address hidden>
To: Jarkko Sakkinen <email address hidden>
Date: Fri, 24 Feb 2017 12:29:02 -0500
Message-Id: <email address hidden>
Cc: Morav <email address hidden>, <email address hidden>,
<email address hidden>, linux-ima-devel
<email address hidden>, linux-security-module
<email address hidden>, tpmdd-devel
<email address hidden>, linux-fsdevel
<email address hidden>, Gleixner <email address hidden>
Subject: Re: [tpmdd-devel] [RFC PATCH] tpm: msleep() delays - replace with
usleep_range() in i2c nuvoton driver

On Fri, 2017-02-24 at 19:01 +0200, Jarkko Sakkinen wrote:
> On Thu, Feb 23, 2017 at 06:46:18PM -0500, Mimi Zohar wrote:
> > Commit 500462a9de65 "timers: Switch to a non-cascading wheel" replaced
> > the 'classic' timer wheel, which aimed for near 'exact' expiry of the
> > timers. Their analysis was that the vast majority of timeout timers
> > are used as safeguards, not as real timers, and are cancelled or
> > rearmed before expiration. The only exception noted to this were
> > networking timers with a small expiry time.
> >
> > Not included in the analysis was the TPM polling timer, which resulted
> > in a longer normal delay and, every so often, a very long delay. The
> > non-cascading wheel delay is based on CONFIG_HZ. For a description of
> > the different rings and their delays, refer to the comments in
> > kernel/time/timer.c.
> >
> > Below are the delays given for rings 0 - 2, which explains the longer
> > "normal" delays and the very, long delays as seen on systems with
> > CONFIG_HZ 250.
> >
> > * HZ 1000 steps
> > * Level Offset Granularity Range
> > * 0 0 1 ms 0 ms - 63 ms
> > * 1 64 8 ms 64 ms - 511 ms
> > * 2 128 64 ms 512 ms - 4095 ms (512ms - ~4s)
> >
> > * HZ 250
> > * Level Offset Granularity Range
> > * 0 0 4 ms 0 ms - 255 ms
> > * 1 64 32 ms 256 ms - 2047 ms (256ms - ~2s)
> > * 2 128 256 ms 2048 ms - 16383 ms (~2s - ~16s)
> >
> > Below is a comparison of extending the TPM with 1000 measurements,
> > using msleep() vs. usleep_delay() when configured for 1000 hz vs. 250
> > hz, before and after commit 500462a9de65.
> >
> > linux-4.7 | msleep() usleep_range()
> > 1000 hz: 0m44.628s | 1m34.497s 29.243s
> > 250 hz: 1m28.510s | 4m49.269s 32.386s
> >
> > linux-4.7 | min-max (msleep) min-max (usleep_range)
> > 1000 hz: 0:017 - 2:760s | 0:015 - 3:967s 0:014 - 0:418s
> > 250 hz: 0:028 - 1:954s | 0:040 - 4:096s 0:016 - 0:816s
> >
> > This patch replaces the msleep() with usleep_range() calls in the
> > i2c nuvoton driver with a consistent max range value.
> >
> > Signed-of-by: Mimi Zohar <email address hidden>
> > Reviewed-by: Nayna Jain <email address hidden>
>
> So why doesn't it go to level 0 with msleep()? I quickly skimme...

------- Comment From gcwilson@us.ibm.com 2017-02-24 15:35 EDT-------
From tpmdd-devel-bounces@lists.sourceforge.net Fri Feb 24 11:30:55 2017
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Date: Fri, 24 Feb 2017 12:29:02 -0500
Message-Id: <1487957342.3193.200.camel@linux.vnet.ibm.com>
Cc: Morav <dmorav@nuvoton.com>, Dan@mx0b-001b2d01.pphosted.com,
Thomas@intel.com,        linux-ima-devel
<linux-ima-devel@lists.sourceforge.net>,        linux-security-module
<linux-security-module@vger.kernel.org>,        tpmdd-devel
<tpmdd-devel@lists.sourceforge.net>,        linux-fsdevel
<linux-fsdevel@vger.kernel.org>,        Gleixner <tglx@linutronix.de>
Subject: Re: [tpmdd-devel] [RFC PATCH] tpm: msleep() delays - replace with
usleep_range() in i2c nuvoton driver

On Fri, 2017-02-24 at 19:01 +0200, Jarkko Sakkinen wrote:
> On Thu, Feb 23, 2017 at 06:46:18PM -0500, Mimi Zohar wrote:
> > Commit 500462a9de65 "timers: Switch to a non-cascading wheel" replaced
> > the 'classic' timer wheel, which aimed for near 'exact' expiry of the
> > timers.  Their analysis was that the vast majority of timeout timers
> > are used as safeguards, not as real timers, and are cancelled or
> > rearmed before expiration.  The only exception noted to this were
> > networking timers with a small expiry time.
> >
> > Not included in the analysis was the TPM polling timer, which resulted
> > in a longer normal delay and, every so often, a very long delay.  The
> > non-cascading wheel delay is based on CONFIG_HZ.  For a description of
> > the different rings and their delays, refer to the comments in
> > kernel/time/timer.c.
> >
> > Below are the delays given for rings 0 - 2, which explains the longer
> > "normal" delays and the very, long delays as seen on systems with
> > CONFIG_HZ 250.
> >
> > * HZ 1000 steps
> >  * Level Offset  Granularity            Range
> >  *  0      0         1 ms                0 ms - 63 ms
> >  *  1     64         8 ms               64 ms - 511 ms
> >  *  2    128        64 ms              512 ms - 4095 ms (512ms - ~4s)
> >
> > * HZ  250
> >  * Level Offset  Granularity            Range
> >  *  0      0         4 ms                0 ms - 255 ms
> >  *  1     64        32 ms              256 ms - 2047 ms (256ms - ~2s)
> >  *  2    128       256 ms             2048 ms - 16383 ms (~2s - ~16s)
> >
> > Below is a comparison of extending the TPM with 1000 measurements,
> > using msleep() vs. usleep_delay() when configured for 1000 hz vs. 250
> > hz, before and after commit 500462a9de65.
> >
> > 		linux-4.7 | msleep()	usleep_range()
> > 1000 hz:	0m44.628s | 1m34.497s	29.243s
> > 250 hz:		1m28.510s | 4m49.269s	32.386s
> >
> > 		linux-4.7 	| min-max (msleep)  min-max (usleep_range)
> > 1000 hz:	0:017 - 2:760s	| 0:015 - 3:967s    0:014 - 0:418s
> > 250 hz:		0:028 - 1:954s	| 0:040 - 4:096s    0:016 - 0:816s
> >
> > This patch replaces the msleep() with usleep_range() calls in the
> > i2c nuvoton driver with a consistent max range value.
> >
> > Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > Reviewed-by: Nayna Jain <nayna@linux.vnet.ibm.com>
>
> So why doesn't it go to level 0 with msleep()?  I quickly skimmed
> through __mod_timer() and for me it looked like that level 0 would be
> calculated (when it is eventually called starting from msleep()).
> What did I miss?

I've just added some printk's in kernel/time/timer.c.  It looks like it
is level 0.  The delay seems to be caused by schedule() in
schedule_timeout().

setup_timer_on_stack(&timer, process_timeout, (unsigned
long)current);
__mod_timer(&timer, expire, false, false);
schedule();  <===
del_singleshot_timer_sync(&timer);

/* Remove the timer from the object tracker */
destroy_timer_on_stack(&timer);

printks output:
124.901002] calc_wheel_index: level 0 timer: c000003fab32b150 expires
4294923520 new expires 4294923520 now 4294923518
[  124.901003] __mod_timer: exit timer c000003fab32b1a0 now 4294923518

<  call to schedule()  >

[  128.607463] schedule_timeout: before destroy timer: c000003fab32b150
expires 4294923520 now 4294924439   <=== notice that the "now" time is
way beyond the expires time.

Mimi

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2017-02-27:

#4

"This patch replaces the msleep() with usleep_range() calls in the i2c nuvoton driver with a consistent max range value."

Is there a patch (?to checksecurity?) attached that bugproxy yet has to mirror?
Could you as a failsafe point a link to the upstream change?

Those changes are on the tpm mailing list for the Kernel portion of tpm.
drivers/char/tpm/tpm_i2c_nuvoton.c is a kernel file.

Did you mean the kernel patch behind https://sourceforge.net/p/tpmdd/mailman/message/35686697/ ?
As far as I can see that is not even through the tpm community and due to that not upstream either.

Sorry, but the few bits this bug force us to guess, so for now I'll add the linux-kernel for awareness but mark both incomplete.

Changed in linux (Ubuntu):
status:	New → Incomplete

Revision history for this message

bugproxy (bugproxy) wrote on 2017-03-15:

#5

------- Comment From <email address hidden> 2017-03-15 10:32 EDT-------
The original patch is in Jarkko's master branch, but will be replaced with a newer version, posted by Nayna, that addresses a few minor review comments.

git://git.infradead.org/users/jjs/linux-tpmdd.git:
109e5b554dc3 tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver (original)

In addition, Nayna posted an additional patch to further improve performance.
[PATCH 2/2] tpm: add sleep only for retry in i2c_nuvoton_write_status()

Both of these patches should be staged shortly by Jarkko:
https://www.spinics.net/lists/stable/msg162931.html
https://www.spinics.net/lists/stable/msg162461.html

Mimi

Revision history for this message

bugproxy (bugproxy) wrote on 2017-03-15: Patch 1/2 - tpm-msleep-delays-replace-with-usleep_range-in-i2c-nuvoton

#6

Patch 1/2 - tpm-msleep-delays-replace-with-usleep_range-in-i2c-nuvoton Edit (4.7 KiB, text/plain)

------- Comment (attachment only) From <email address hidden> 2017-03-15 17:13 EDT-------

Revision history for this message

bugproxy (bugproxy) wrote on 2017-03-15: Patch 2/2 - tpm-add-sleep-only-for-retry-in-i2c_nuvoton_write_status

#7

Patch 2/2 - tpm-add-sleep-only-for-retry-in-i2c_nuvoton_write_status Edit (1.5 KiB, text/plain)

------- Comment (attachment only) From <email address hidden> 2017-03-15 17:14 EDT-------

Tim Gardner (timg-tpi) on 2017-03-17

Changed in linux (Ubuntu Zesty):
assignee:	nobody → Tim Gardner (timg-tpi)
status:	Incomplete → Fix Committed

Revision history for this message

bugproxy (bugproxy) wrote on 2017-03-20: Comment bridged from LTC Bugzilla

#8

------- Comment From <email address hidden> 2017-03-20 01:51 EDT-------
Both the patches are applied by Jarkko and are available in Jarkko's master branch.

https://www.spinics.net/lists/stable/msg163302.html
https://www.spinics.net/lists/stable/msg163664.html

Thanks & Regards,
- Nayna

Revision history for this message

Michael Hohnbaum (hohnbaum) wrote on 2017-03-21:

#9

IBM, is there a problem with checksecurity that needs to be addressed? Patches? Or was checksecurity set in error for this bug report?

Revision history for this message

bugproxy (bugproxy) wrote on 2017-03-21:

#10

------- Comment From <email address hidden> 2017-03-21 14:13 EDT-------
(In reply to comment #19)
> IBM, is there a problem with checksecurity that needs to be addressed?
> Patches? Or was checksecurity set in error for this bug report?

George opened this bugzilla on my behalf, but is out. I have no idea what "checksecurity" is. This is not a "security" bug per-se, but a driver timing problem.

Revision history for this message

Michael Hohnbaum (hohnbaum) wrote on 2017-03-21:

#11

Marking the checksecurity component as invalid. If there is an issue here that needs to be addressed, add an appropriate description and reopen this bug.

Changed in checksecurity (Ubuntu Zesty):
status:	Incomplete → Invalid

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-03-24:

#12

Download full text (17.1 KiB)

This bug was fixed in the package linux - 4.10.0-14.16

---------------
linux (4.10.0-14.16) zesty; urgency=low

[ Tim Gardner ]

* Release Tracking Bug
- LP: #1673805

  * msleep() bug causes Nuvoton I2C TPM device driver delays (LP: #1667567)
    - tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
    - SAUCE: tpm: add sleep only for retry in i2c_nuvoton_write_status()

* C++ demangling support missing from perf (LP: #1396654)
- [Config] added binutils-dev to Build-deps

* dm-queue-length module is not included in installer/initramfs (LP: #1673350)
- [Config] d-i: Also add dm-queue-length to multipath modules

* move aufs.ko from -extra to linux-image package (LP: #1673498)
- [config] aufs.ko moved to linux-image package

  * Using an NVMe drive causes huge power drain (LP: #1664602)
    - nvme: Add a quirk mechanism that uses identify_ctrl
    - nvme: Enable autonomous power state transitions

* Broadcom bluetooth modules sometimes fail to initialize (LP: #1483101)
- Bluetooth: btbcm: Add a delay for module reset

* Need support of Broadcom bluetooth device [413c:8143] (LP: #1166113)
- Bluetooth: btusb: Add support for 413c:8143

  * Zesty update to v4.10.3 stable release (LP: #1673118)
    - serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
    - KVM: s390: Disable dirty log retrieval for UCONTROL guests
    - KVM: VMX: use correct vmcs_read/write for guest segment selector/base
    - Bluetooth: Add another AR3012 04ca:3018 device
    - phy: qcom-ufs: Don't kfree devres resource
    - phy: qcom-ufs: Fix misplaced jump label
    - s390/qdio: clear DSCI prior to scanning multiple input queues
    - s390/dcssblk: fix device size calculation in dcssblk_direct_access()
    - s390/kdump: Use "LINUX" ELF note name instead of "CORE"
    - s390/chsc: Add exception handler for CHSC instruction
    - s390: TASK_SIZE for kernel threads
    - s390/topology: correct allocation of topology information
    - s390: make setup_randomness work
    - s390: use correct input data address for setup_randomness
    - net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
    - cxl: Prevent read/write to AFU config space while AFU not configured
    - cxl: fix nested locking hang during EEH hotplug
    - brcmfmac: fix incorrect event channel deduction
    - mnt: Tuck mounts under others instead of creating shadow/side mounts.
    - IB/ipoib: Fix deadlock between rmmod and set_mode
    - IB/IPoIB: Add destination address when re-queue packet
    - IB/mlx5: Fix out-of-bound access
    - IB/SRP: Avoid using IB_MR_TYPE_SG_GAPS
    - IB/srp: Avoid that duplicate responses trigger a kernel bug
    - IB/srp: Fix race conditions related to task management
    - Btrfs: fix data loss after truncate when using the no-holes feature
    - orangefs: Use RCU for destroy_inode
    - memory/atmel-ebi: Fix ns <-> cycles conversions
    - tracing: Fix return value check in trace_benchmark_reg()
    - ktest: Fix child exit code processing
    - ceph: remove req from unsafe list when unregistering it
    - target: Fix NULL dereference during LUN lookup + active I/O shutdown
    - drivers/pci/hotplug: Han...

This bug was fixed in the package linux - 4.10.0-14.16

---------------
linux (4.10.0-14.16) zesty; urgency=low

[ Tim Gardner ]

* Release Tracking Bug
    - LP: #1673805

* msleep() bug causes Nuvoton I2C TPM device driver delays (LP: #1667567)
    - tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
    - SAUCE: tpm: add sleep only for retry in i2c_nuvoton_write_status()

* C++ demangling support missing from perf (LP: #1396654)
    - [Config] added binutils-dev to Build-deps

* dm-queue-length module is not included in installer/initramfs (LP: #1673350)
    - [Config] d-i: Also add dm-queue-length to multipath modules

* move aufs.ko from -extra to linux-image package (LP: #1673498)
    - [config] aufs.ko moved to linux-image package

* Using an NVMe drive causes huge power drain (LP: #1664602)
    - nvme: Add a quirk mechanism that uses identify_ctrl
    - nvme: Enable autonomous power state transitions

* Broadcom bluetooth modules sometimes fail to initialize (LP: #1483101)
    - Bluetooth: btbcm: Add a delay for module reset

* Need support of Broadcom bluetooth device [413c:8143] (LP: #1166113)
    - Bluetooth: btusb: Add support for 413c:8143

* Zesty update to v4.10.3 stable release (LP: #1673118)
    - serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
    - KVM: s390: Disable dirty log retrieval for UCONTROL guests
    - KVM: VMX: use correct vmcs_read/write for guest segment selector/base
    - Bluetooth: Add another AR3012 04ca:3018 device
    - phy: qcom-ufs: Don't kfree devres resource
    - phy: qcom-ufs: Fix misplaced jump label
    - s390/qdio: clear DSCI prior to scanning multiple input queues
    - s390/dcssblk: fix device size calculation in dcssblk_direct_access()
    - s390/kdump: Use "LINUX" ELF note name instead of "CORE"
    - s390/chsc: Add exception handler for CHSC instruction
    - s390: TASK_SIZE for kernel threads
    - s390/topology: correct allocation of topology information
    - s390: make setup_randomness work
    - s390: use correct input data address for setup_randomness
    - net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
    - cxl: Prevent read/write to AFU config space while AFU not configured
    - cxl: fix nested locking hang during EEH hotplug
    - brcmfmac: fix incorrect event channel deduction
    - mnt: Tuck mounts under others instead of creating shadow/side mounts.
    - IB/ipoib: Fix deadlock between rmmod and set_mode
    - IB/IPoIB: Add destination address when re-queue packet
    - IB/mlx5: Fix out-of-bound access
    - IB/SRP: Avoid using IB_MR_TYPE_SG_GAPS
    - IB/srp: Avoid that duplicate responses trigger a kernel bug
    - IB/srp: Fix race conditions related to task management
    - Btrfs: fix data loss after truncate when using the no-holes feature
    - orangefs: Use RCU for destroy_inode
    - memory/atmel-ebi: Fix ns <-> cycles conversions
    - tracing: Fix return value check in trace_benchmark_reg()
    - ktest: Fix child exit code processing
    - ceph: remove req from unsafe list when unregistering it
    - target: Fix NULL dereference during LUN lookup + active I/O shutdown
    - drivers/pci/hotplug: Handle presence detection change properly
    - drivers/pci/hotplug: Fix initial state for empty slot
    - nlm: Ensure callback code also checks that the files match
    - pwm: pca9685: Fix period change with same duty cycle
    - xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD
    - nfit, libnvdimm: fix interleave set cookie calculation
    - mac80211: flush delayed work when entering suspend
    - mac80211: don't reorder frames with SN smaller than SSN
    - mac80211: don't handle filtered frames within a BA session
    - mac80211: use driver-indicated transmitter STA only for data frames
    - drm/amdgpu: add more cases to DCE11 possible crtc mask setup
    - drm/amdgpu/pm: check for headless before calling compute_clocks
    - Revert "drm/amdgpu: update tile table for oland/hainan"
    - drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
    - drm/radeon: handle vfct with multiple vbios images
    - drm/edid: Add EDID_QUIRK_FORCE_8BPC quirk for Rotel RSX-1058
    - drm/ttm: Make sure BOs being swapped out are cacheable
    - drm/vmwgfx: Work around drm removal of control nodes
    - drm/imx: imx-tve: Do not set the regulator voltage
    - drm/atomic: fix an error code in mode_fixup()
    - drm/i915/gvt: Disable access to stolen memory as a guest
    - drm: Cancel drm_fb_helper_dirty_work on unload
    - drm: Cancel drm_fb_helper_resume_work on unload
    - drm/i915: Recreate internal objects with single page segments if dmar fails
    - drm/i915: Avoid spurious WARNs about the wrong pipe in the PPS code
    - drm/i915: Check for timeout completion when waiting for the rq to submitted
    - drm/i915: Pass timeout==0 on to i915_gem_object_wait_fence()
    - drm/i915: Fix not finding the VBT when it overlaps with OPREGION_ASLE_EXT
    - libceph: use BUG() instead of BUG_ON(1)
    - x86, mm: fix gup_pte_range() vs DAX mappings
    - x86/tlb: Fix tlb flushing when lguest clears PGE
    - thp: fix another corner case of munlock() vs. THPs
    - mm: do not call mem_cgroup_free() from within mem_cgroup_alloc()
    - kasan: resched in quarantine_remove_cache()
    - fat: fix using uninitialized fields of fat_inode/fsinfo_inode
    - drivers: hv: Turn off write permission on the hypercall page
    - Linux 4.10.3

* Zesty update to v4.10.2 stable release (LP: #1672544)
    - MIPS: pic32mzda: Fix linker error for pic32_get_pbclk()
    - MIPS: Fix special case in 64 bit IP checksumming.
    - MIPS: BCM47XX: Fix button inversion for Asus WL-500W
    - MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
    - MIPS: Lantiq: Keep ethernet enabled during boot
    - MIPS: Clear ISA bit correctly in get_frame_info()
    - MIPS: Prevent unaligned accesses during stack unwinding
    - MIPS: Fix get_frame_info() handling of microMIPS function size
    - MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
    - MIPS: Calculate microMIPS ra properly when unwinding the stack
    - MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
    - mmc: sdhci-acpi: support deferred probe
    - am437x-vpfe: always assign bpp variable
    - uvcvideo: Fix a wrong macro
    - media: fix dm1105.c build error
    - cxd2820r: fix gpio null pointer dereference
    - dvb-usb: don't use stack for firmware load
    - lirc_dev: LIRC_{G,S}ET_REC_MODE do not work
    - media: Properly pass through media entity types in entity enumeration
    - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
    - spi: s3c64xx: fix inconsistency between binding and driver
    - ARM: at91: define LPDDR types
    - ARM: dts: at91: Enable DMA on sama5d4_xplained console
    - ARM: dts: at91: Enable DMA on sama5d2_xplained console
    - ALSA: hda/realtek - Cannot adjust speaker's volume on a Dell AIO
    - ALSA: hda - fix Lewisburg audio issue
    - ALSA: timer: Reject user params with too small ticks
    - ALSA: ctxfi: Fallback DMA mask to 32bit
    - ALSA: seq: Fix link corruption by event error handling
    - ALSA: hda - Add subwoofer support for Dell Inspiron 17 7000 Gaming
    - ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine
    - hwmon: (it87) Do not overwrite bit 2..6 of pwm control registers
    - hwmon: (it87) Ensure that pwm control cache is current before updating values
    - staging: greybus: loopback: fix broken udelay
    - staging/lustre/lnet: Fix allocation size for sv_cpt_data
    - staging: rtl: fix possible NULL pointer dereference
    - coresight: STM: Balance enable/disable
    - coresight: fix kernel panic caused by invalid CPU
    - regulator: Fix regulator_summary for deviceless consumers
    - tpm_tis: use default timeout value if chip reports it as zero
    - tpm_tis: fix the error handling of init_tis()
    - iommu/vt-d: Fix some macros that are incorrectly specified in intel-iommu
    - iommu/vt-d: Tylersburg isoch identity map check is done too late.
    - CIFS: Fix splice read for non-cached files
    - mm, devm_memremap_pages: hold device_hotplug lock over mem_hotplug_{begin, done}
    - mm/page_alloc: fix nodes for reclaim in fast path
    - mm: vmpressure: fix sending wrong events on underflow
    - mm: do not access page->mapping directly on page_endio
    - mm balloon: umount balloon_mnt when removing vb device
    - mm, vmscan: cleanup lru size claculations
    - mm, vmscan: consider eligible zones in get_scan_count
    - sigaltstack: support SS_AUTODISARM for CONFIG_COMPAT
    - ipc/shm: Fix shmat mmap nil-page protection
    - ima: fix ima_d_path() possible race with rename
    - PM / devfreq: Fix available_governor sysfs
    - PM / devfreq: Fix wrong trans_stat of passive devfreq device
    - dm cache: fix corruption seen when using cache > 2TB
    - dm stats: fix a leaked s->histogram_boundaries array
    - dm round robin: revert "use percpu 'repeat_count' and 'current_path'"
    - dm raid: fix data corruption on reshape request
    - scsi: qla2xxx: Cleaned up queue configuration code.
    - scsi: qla2xxx: Fix response queue count for Target mode.
    - scsi: qla2xxx: Fix Regression introduced by pci_alloc_irq_vectors_affinity call.
    - Revert "scsi: aacraid: Reorder Adapter status check"
    - scsi: aacraid: Reorder Adapter status check
    - scsi: use 'scsi_device_from_queue()' for scsi_dh
    - power: reset: at91-poweroff: timely shutdown LPDDR memories
    - Fix: Disable sys_membarrier when nohz_full is enabled
    - jbd2: don't leak modified metadata buffers on an aborted journal
    - block/loop: fix race between I/O and set_status
    - loop: fix LO_FLAGS_PARTSCAN hang
    - ext4: Include forgotten start block on fallocate insert range
    - ext4: do not polute the extents cache while shifting extents
    - ext4: trim allocation requests to group size
    - ext4: fix data corruption in data=journal mode
    - ext4: fix use-after-iput when fscrypt contexts are inconsistent
    - ext4: fix inline data error paths
    - ext4: preserve the needs_recovery flag when the journal is aborted
    - ext4: return EROFS if device is r/o and journal replay is needed
    - ext4: fix fencepost in s_first_meta_bg validation
    - samples/seccomp: fix 64-bit comparison macros
    - mei: remove support for broken parallel read
    - ath10k: fix boot failure in UTF mode/testmode
    - ath5k: drop bogus warning on drv_set_key with unsupported cipher
    - ath9k: fix race condition in enabling/disabling IRQs
    - ath9k: use correct OTP register offsets for the AR9340 and AR9550
    - PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - PCI: altera: Fix TLP_CFG_DW0 for TLP write
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    - crypto: xts - Add ECB dependency
    - crypto: testmgr - Pad aes_ccm_enc_tv_template vector
    - crypto: xts - Propagate NEED_FALLBACK bit
    - crypto: api - Add crypto_requires_off helper
    - fuse: add missing FR_FORCE
    - x86/pkeys: Check against max pkey to avoid overflows
    - arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
    - arm64: dma-mapping: Fix dma_mapping_error() when bypassing SWIOTLB
    - arm64: fix erroneous __raw_read_system_reg() cases
    - KVM: arm/arm64: vgic: Stop injecting the MSI occurrence twice
    - Revert "arm64: mm: set the contiguous bit for kernel mappings where appropriate"
    - iio: pressure: mpl115: do not rely on structure field ordering
    - iio: pressure: mpl3115: do not rely on structure field ordering
    - can: gs_usb: Don't use stack memory for USB transfers
    - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
    - w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
    - w1: ds2490: USB transfer buffers need to be DMAable
    - usb: musb: da8xx: Remove CPPI 3.0 quirk and methods
    - usb: dwc3: gadget: skip Set/Clear Halt when invalid
    - usb: host: xhci: plat: check hcc_params after add hcd
    - usb: gadget: udc-core: Rescan pending list on driver unbind
    - usb: gadget: udc: fsl: Add missing complete function.
    - usb: gadget: f_hid: fix: Free out requests
    - usb: gadget: f_hid: fix: Prevent accessing released memory
    - usb: gadget: f_hid: Use spinlock instead of mutex
    - usb: gadget: f_hid: fix: Move IN request allocation to set_alt()
    - hv: allocate synic pages for all present CPUs
    - hv: init percpu_list in hv_synic_alloc()
    - Drivers: hv: vmbus: Prevent sending data on a rescinded channel
    - Drivers: hv: vmbus: Fix a rescind handling bug
    - Drivers: hv: util: kvp: Fix a rescind processing issue
    - Drivers: hv: util: Fcopy: Fix a rescind processing issue
    - Drivers: hv: util: Backup: Fix a rescind processing issue
    - RDMA/core: Fix incorrect structure packing for booleans
    - rdma_cm: fail iwarp accepts w/o connection params
    - gfs2: Add missing rcu locking for glock lookup
    - remoteproc: qcom: mdt_loader: Don't overwrite firmware object
    - rtlwifi: Fix alignment issues
    - rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
    - VME: restore bus_remove function causing incomplete module unload
    - nfsd: minor nfsd_setattr cleanup
    - nfsd: special case truncates some more
    - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
    - NFSv4: Fix reboot recovery in copy offload
    - pNFS/flexfiles: If the layout is invalid, it must be updated before retrying
    - Revert "NFSv4.1: Handle NFS4ERR_BADSESSION/NFS4ERR_DEADSESSION replies to OP_SEQUENCE"
    - NFSv4: fix getacl head length estimation
    - NFSv4: fix getacl ERANGE for some ACL buffer sizes
    - f2fs: fix a problem of using memory after free
    - f2fs: fix multiple f2fs_add_link() calls having same name
    - f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
    - f2fs: avoid to issue redundant discard commands
    - f2fs: Fix zoned block device support
    - rtc: sun6i: Disable the build as a module
    - rtc: sun6i: Add some locking
    - rtc: sun6i: Switch to the external oscillator
    - md linear: fix a race between linear_add() and linear_congested()
    - bcma: use (get|put)_device when probing/removing device driver
    - mtd: nand: ifc: Fix location of eccstat registers for IFC V1.0
    - dmaengine: ipu: Make sure the interrupt routine checks all interrupts.
    - xprtrdma: Fix Read chunk padding
    - xprtrdma: Per-connection pad optimization
    - xprtrdma: Disable pad optimization by default
    - xprtrdma: Reduce required number of send SGEs
    - powerpc/xmon: Fix data-breakpoint
    - powerpc/mm: Add MMU_FTR_KERNEL_RO to possible feature mask
    - module: fix memory leak on early load_module() failures
    - MIPS: IP22: Reformat inline assembler code to modern standards.
    - MIPS: IP22: Fix build error due to binutils 2.25 uselessnes.
    - ceph: update readpages osd request according to size of pages
    - Linux 4.10.2

* kernel selftests ADT failure with linux 4.10.0-13.15 on ppc64el (LP: #1672510)
    - SAUCE: Add '-fno-ie -no-pie' to cflags for powerpc ptrace tests

* arm64: Workaround QDF2400 erratum 0065 (LP: #1672486)
    - [Config] CONFIG_QCOM_QDF2400_ERRATUM_0065=y
    - irqchip/gicv3-its: Add workaround for QDF2400 ITS erratum 0065

* arm64 MSI/PCIe passthrough patches break build of certain configs (LP: #1672502)
    - irqdomain: Add empty irq_domain_check_msi_remap

* pinctrl: qcom: add get_direction function (LP: #1672504)
    - pinctrl: qcom: add get_direction function

* perf probes on arm64 don't work with 4.10 kernel b/c of register name issue (LP: #1671917)
    - perf probe: Fix wrong register name for arm64

* cleanup primary tree for linux-hwe layering issues (LP: #1637473)
    - [Config] linux-source-* is in the primary linux namespace

* hv_set_ifconfig script parsing fails for certain configuration (LP: #1640109)
    - hv_set_ifconfig -- handle DHCP interfaces correctly
    - hv_set_ifconfig -- ensure we include the last stanza

* Revert "UBUNTU: SAUCE: Disable timers selftest for now" (LP: #1672372)
    - Revert "UBUNTU: SAUCE: Disable timers selftest for now"

* Ubuntu 16.10: Network checksum fixes needed for IPoIB for Mellanox CX4/CX5 card (LP: #1670247)
    - powerpc/64: Fix checksum folding in csum_add()

* POWER9: Additional power9 patches (LP: #1671613)
    - mm/autonuma: don't use set_pte_at when updating protnone ptes
    - mm/autonuma: let architecture override how the write bit should be stashed in a protnone pte.
    - powerpc/mm/autonuma: switch ppc64 to its own implementation of saved write
    - mm/gup: check for protnone only if it is a PTE entry
    - mm/thp/autonuma: use TNF flag instead of vm fault
    - SAUCE: powerpc/mm: handle protnone ptes on fork
    - SAUCE: power/mm: update pte_write and pte_wrprotect to handle savedwrite
    - mm/ksm: improve deduplication of zero pages with colouring
    - mm: introduce page_vma_mapped_walk()
    - mm, ksm: convert write_protect_page() to use page_vma_mapped_walk()
    - mm/ksm: handle protnone saved writes when making page write protect

* POWER9 : Enable Stop 0-2 with ESL=EC=0 (LP: #1666197)
    - powerpc/powernv: Fix bug due to labeling ambiguity in power_enter_stop

* Miscellaneous Ubuntu changes
    - [Debian] consider renames in gen-auto-reconstruct

-- Tim Gardner <tim.gardner@canonical.com>  Thu, 09 Mar 2017 13:30:55 -0700

Changed in linux (Ubuntu Zesty):
status:	Fix Committed → Fix Released

Revision history for this message

bugproxy (bugproxy) wrote on 2019-01-08:

#13

------- Comment From <email address hidden> 2019-01-08 17:54 EDT-------
My impression from comment 22 is that this is ready to verify.

Brad Figg (brad-figg) on 2019-07-24

tags:

added: cscc

Ubuntu
checksecurity package

msleep() bug causes Nuvoton I2C TPM device driver delays

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

	Status	Importance	Assigned to
checksecurity (Ubuntu)	Invalid	Undecided	Taco Screen team
Zesty	Invalid	Undecided	Taco Screen team
linux (Ubuntu)	Fix Released	Undecided	Tim Gardner
Zesty	Fix Released	Undecided	Tim Gardner

Ubuntuchecksecurity package

msleep() bug causes Nuvoton I2C TPM device driver delays

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
checksecurity package