Bug #1834522 “Bionic QEMU with Bionic Kernel hangs in AMD FX-835...” : Bugs : linux package : Ubuntu

Rafael David Tinoco (rafaeldtinoco) on 2019-06-27

Changed in linux (Ubuntu):
status:	New → Confirmed
importance:	Undecided → Medium
assignee:	nobody → Rafael David Tinoco (rafaeldtinoco)
Changed in linux (Ubuntu Bionic):
status:	New → Confirmed
importance:	Undecided → Medium
assignee:	nobody → Rafael David Tinoco (rafaeldtinoco)
Changed in linux (Ubuntu):
importance:	Medium → Undecided
assignee:	Rafael David Tinoco (rafaeldtinoco) → nobody
status:	Confirmed → Fix Released
importance:	Undecided → Medium

Brad Figg (brad-figg) on 2019-07-24

tags:

added: cscc

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2019-08-29:

#1

Download full text (3.7 KiB)

# BISECT LOG

git bisect start
# bad: [0adb32858b0bddf4ada5f364a84ed60b196dbcda] Linux 4.16
git bisect bad 0adb32858b0bddf4ada5f364a84ed60b196dbcda
# good: [d8a5b80568a9cb66810e75b182018e9edb68e8ff] Linux 4.15
git bisect good d8a5b80568a9cb66810e75b182018e9edb68e8ff
# good: [c14376de3a1befa70d9811ca2872d47367b48767] printk: Wake klogd when passing console_lock owner
git bisect good c14376de3a1befa70d9811ca2872d47367b48767
# good: [2246edfaf88dc368e8671b04afd54412625df60a] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
git bisect good 2246edfaf88dc368e8671b04afd54412625df60a
# good: [dfe8db22372873d205c78a9fd5370b1b088a2b87] Merge tag 'drm-misc-fixes-2018-02-21' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
git bisect good dfe8db22372873d205c78a9fd5370b1b088a2b87
# bad: [4665c6b04651e96c1e2eb9129a30d6055040ff73] Merge tag 'linux-can-fixes-for-4.16-20180312' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
git bisect bad 4665c6b04651e96c1e2eb9129a30d6055040ff73
# bad: [3499de32fa6b608ba646380ac3838d30a2558ead] Merge tag 'linux-kselftest-4.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
git bisect bad 3499de32fa6b608ba646380ac3838d30a2558ead
# good: [65738c6b461a8bb0b056e024299738f7cc9a28b7] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
git bisect good 65738c6b461a8bb0b056e024299738f7cc9a28b7
# good: [c23a75759191e84f4ba15b85ea4f97bd544b5362] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good c23a75759191e84f4ba15b85ea4f97bd544b5362
# bad: [d4858aaf6bd8a90e2dacc0dfec2077e334dcedbf] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
git bisect bad d4858aaf6bd8a90e2dacc0dfec2077e334dcedbf
# good: [0eb578009a1d530a11846d7c4733a5db04730884] tools/kvm_stat: use a more pythonic way to iterate over dictionaries
git bisect good 0eb578009a1d530a11846d7c4733a5db04730884
# good: [fe2a3027e74e40a3ece3a4c1e4e51403090a907a] KVM: x86: fix backward migration with async_PF
git bisect good fe2a3027e74e40a3ece3a4c1e4e51403090a907a
# bad: [7607b7174405aec7441ff6c970833c463114040a] KVM: SVM: install RSM intercept
git bisect bad 7607b7174405aec7441ff6c970833c463114040a
# good: [e5699f56bc91a286f006b0728085e0b4e8f5749b] crypto: ccp: Fix sparse, use plain integer as NULL pointer
git bisect good e5699f56bc91a286f006b0728085e0b4e8f5749b
# good: [3e233385ef4a217a2812115ed84d4be36eb16817] KVM: SVM: no need to call access_ok() in LAUNCH_MEASURE command
git bisect good 3e233385ef4a217a2812115ed84d4be36eb16817
# first bad commit: [7607b7174405aec7441ff6c970833c463114040a] KVM: SVM: install RSM intercept

# NOTE

I was doing "invert" bisection.. so the bad commit is actually what seems to have fixed the issue:

commit 7607b7174405aec7441ff6c970833c463114040a
Author: Brijesh Singh <email address hidden>
Date: Mon Feb 19 10:14:44 2018 -0600

KVM: SVM: install RSM intercept

    RSM instruction is used by the SMM handler to return from SMM mode.
    Currently, rsm causes a #UD - which results in instruction fetch, decode,
    and emulate. By installing the RSM inte...

# BISECT LOG

git bisect start
# bad: [0adb32858b0bddf4ada5f364a84ed60b196dbcda] Linux 4.16
git bisect bad 0adb32858b0bddf4ada5f364a84ed60b196dbcda
# good: [d8a5b80568a9cb66810e75b182018e9edb68e8ff] Linux 4.15
git bisect good d8a5b80568a9cb66810e75b182018e9edb68e8ff
# good: [c14376de3a1befa70d9811ca2872d47367b48767] printk: Wake klogd when passing console_lock owner
git bisect good c14376de3a1befa70d9811ca2872d47367b48767
# good: [2246edfaf88dc368e8671b04afd54412625df60a] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
git bisect good 2246edfaf88dc368e8671b04afd54412625df60a
# good: [dfe8db22372873d205c78a9fd5370b1b088a2b87] Merge tag 'drm-misc-fixes-2018-02-21' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
git bisect good dfe8db22372873d205c78a9fd5370b1b088a2b87
# bad: [4665c6b04651e96c1e2eb9129a30d6055040ff73] Merge tag 'linux-can-fixes-for-4.16-20180312' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
git bisect bad 4665c6b04651e96c1e2eb9129a30d6055040ff73
# bad: [3499de32fa6b608ba646380ac3838d30a2558ead] Merge tag 'linux-kselftest-4.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
git bisect bad 3499de32fa6b608ba646380ac3838d30a2558ead
# good: [65738c6b461a8bb0b056e024299738f7cc9a28b7] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
git bisect good 65738c6b461a8bb0b056e024299738f7cc9a28b7
# good: [c23a75759191e84f4ba15b85ea4f97bd544b5362] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good c23a75759191e84f4ba15b85ea4f97bd544b5362
# bad: [d4858aaf6bd8a90e2dacc0dfec2077e334dcedbf] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
git bisect bad d4858aaf6bd8a90e2dacc0dfec2077e334dcedbf
# good: [0eb578009a1d530a11846d7c4733a5db04730884] tools/kvm_stat: use a more pythonic way to iterate over dictionaries
git bisect good 0eb578009a1d530a11846d7c4733a5db04730884
# good: [fe2a3027e74e40a3ece3a4c1e4e51403090a907a] KVM: x86: fix backward migration with async_PF
git bisect good fe2a3027e74e40a3ece3a4c1e4e51403090a907a
# bad: [7607b7174405aec7441ff6c970833c463114040a] KVM: SVM: install RSM intercept
git bisect bad 7607b7174405aec7441ff6c970833c463114040a
# good: [e5699f56bc91a286f006b0728085e0b4e8f5749b] crypto: ccp: Fix sparse, use plain integer as NULL pointer
git bisect good e5699f56bc91a286f006b0728085e0b4e8f5749b
# good: [3e233385ef4a217a2812115ed84d4be36eb16817] KVM: SVM: no need to call access_ok() in LAUNCH_MEASURE command
git bisect good 3e233385ef4a217a2812115ed84d4be36eb16817
# first bad commit: [7607b7174405aec7441ff6c970833c463114040a] KVM: SVM: install RSM intercept

# NOTE

I was doing "invert" bisection.. so the bad commit is actually what seems to have fixed the issue:

commit 7607b7174405aec7441ff6c970833c463114040a
Author: Brijesh Singh <brijesh.singh@amd.com>
Date:   Mon Feb 19 10:14:44 2018 -0600

KVM: SVM: install RSM intercept

RSM instruction is used by the SMM handler to return from SMM mode.
    Currently, rsm causes a #UD - which results in instruction fetch, decode,
    and emulate. By installing the RSM intercept we can avoid the instruction
    fetch since we know that #VMEXIT was due to rsm.

The patch is required for the SEV guest, because in case of SEV guest
    memory is encrypted with guest-specific key and hypervisor will not
    able to fetch the instruction bytes from the guest memory.

Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: Joerg Roedel <joro@8bytes.org>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Tom Lendacky <thomas.lendacky@amd.com>
    Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Rafael David Tinoco (rafaeldtinoco) on 2019-08-29

Changed in linux (Ubuntu Bionic):
status:	Confirmed → In Progress

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2019-08-29:

#2

I've included patch above into Bionic tree:

commit 9bff5f095923aab04411cf4e9135b975b70e3ead (tag: Ubuntu-4.15.0-58.64, origin/master, origin/HEAD)
Author: Stefan Bader <email address hidden>
Date: Tue Aug 6 10:45:37 2019

UBUNTU: Ubuntu-4.15.0-58.64

And it, indeed, fixed the issue.

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2019-08-29:

#3

Also needed:

commit 35be0aded76b54a24dc8aa678a71bca22273e8d8
Author: Sean Christopherson <email address hidden>
Date: Thu Aug 23 17:56:47 2018

KVM: x86: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation

    Re-execution after an emulation decode failure is only intended to
    handle a case where two or vCPUs race to write a shadowed page, i.e.
    we should never re-execute an instruction as part of RSM emulation.

    Add a new helper, kvm_emulate_instruction_from_buffer(), to support
    emulating from a pre-defined buffer. This eliminates the last direct
    call to x86_emulate_instruction() outside of kvm_mmu_page_fault(),
    which means x86_emulate_instruction() can be unexported in a future
    patch.

    Fixes: 7607b7174405 ("KVM: SVM: install RSM intercept")
    Cc: Brijesh Singh <email address hidden>
    Signed-off-by: Sean Christopherson <email address hidden>
    Cc: <email address hidden>
    Signed-off-by: Radim Krčmář <email address hidden>

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2019-08-29:

#4

Sent out to kernel team:

https://lists.ubuntu.com/archives/kernel-team/2019-August/103470.html
https://lists.ubuntu.com/archives/kernel-team/2019-August/103471.html

description:

updated

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2019-08-29:

#5

Waiting kernel team sponsorship. Thx.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-09-02:

#6

BTW - Thanks for the work on this Rafael!

Khaled El Mously (kmously) on 2019-09-03

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2019-09-11:

#7

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2019-09-23:

#8

It solves the problem and I'm sorry for taking so long to verify...

Commit:

Author: Sean Christopherson <email address hidden>
Date: Thu Aug 29 14:06:58 2019

KVM: x86: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation

BugLink: https://bugs.launchpad.net/bugs/1834522

Indeed solves the problem.

Thank you!

Rafael David Tinoco (rafaeldtinoco) on 2019-09-23

tags:

added: verification-done verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-09-30:

#9

Download full text (20.2 KiB)

This bug was fixed in the package linux - 4.15.0-65.74

---------------
linux (4.15.0-65.74) bionic; urgency=medium

* bionic/linux: 4.15.0-65.74 -proposed tracker (LP: #1844403)

  * arm64: large modules fail to load (LP: #1841109)
    - arm64/kernel: kaslr: reduce module randomization range to 4 GB
    - arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419
    - arm64: fix undefined reference to 'printk'
    - arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp
    - [config] Remove CONFIG_ARM64_MODULE_CMODEL_LARGE

* CVE-2018-20976
- xfs: clear sb->s_fs_info on mount failure

  * br_netfilter: namespace sysctl operations (LP: #1836910)
    - net: bridge: add bitfield for options and convert vlan opts
    - net: bridge: convert nf call options to bits
    - netfilter: bridge: port sysctls to use brnf_net
    - netfilter: bridge: namespace bridge netfilter sysctls
    - netfilter: bridge: prevent UAF in brnf_exit_net()

* tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (LP: #1830756)
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE

  * Bionic update: upstream stable patchset 2019-08-30 (LP: #1842114)
    - HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
    - MIPS: kernel: only use i8253 clocksource with periodic clockevent
    - mips: fix cacheinfo
    - netfilter: ebtables: fix a memory leak bug in compat
    - ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
    - bonding: Force slave speed check after link state recovery for 802.3ad
    - can: dev: call netif_carrier_off() in register_candev()
    - ASoC: Fail card instantiation if DAI format setup fails
    - st21nfca_connectivity_event_received: null check the allocation
    - st_nci_hci_connectivity_event_received: null check the allocation
    - ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
    - net: usb: qmi_wwan: Add the BroadMobi BM818 card
    - qed: RDMA - Fix the hw_ver returned in device attributes
    - isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
      start_isoc_chain()
    - netfilter: ipset: Fix rename concurrency with listing
    - isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
    - perf bench numa: Fix cpu0 binding
    - can: sja1000: force the string buffer NULL-terminated
    - can: peak_usb: force the string buffer NULL-terminated
    - net/ethernet/qlogic/qed: force the string buffer NULL-terminated
    - NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
    - HID: input: fix a4tech horizontal wheel custom usage
    - SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL
    - net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
    - net: hisilicon: make hip04_tx_reclaim non-reentrant
    - net: hisilicon: fix hip04-xmit never return TX_BUSY
    - net: hisilicon: Fix dma_map_single failed on arm64
    - libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
    - libata: add SG safety checks in SFF pio transfers
    - x86/lib/cpu: Address missing prototypes warning
    - drm/vmwgfx: fix memory leak when too many retries have occurred
    - perf ftrace: Fix failure to set cpuma...

This bug was fixed in the package linux - 4.15.0-65.74

---------------
linux (4.15.0-65.74) bionic; urgency=medium

* bionic/linux: 4.15.0-65.74 -proposed tracker (LP: #1844403)

* arm64: large modules fail to load (LP: #1841109)
    - arm64/kernel: kaslr: reduce module randomization range to 4 GB
    - arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419
    - arm64: fix undefined reference to 'printk'
    - arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp
    - [config] Remove CONFIG_ARM64_MODULE_CMODEL_LARGE

* CVE-2018-20976
    - xfs: clear sb->s_fs_info on mount failure

* br_netfilter: namespace sysctl operations (LP: #1836910)
    - net: bridge: add bitfield for options and convert vlan opts
    - net: bridge: convert nf call options to bits
    - netfilter: bridge: port sysctls to use brnf_net
    - netfilter: bridge: namespace bridge netfilter sysctls
    - netfilter: bridge: prevent UAF in brnf_exit_net()

* tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (LP: #1830756)
    - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE

* Bionic update: upstream stable patchset 2019-08-30 (LP: #1842114)
    - HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
    - MIPS: kernel: only use i8253 clocksource with periodic clockevent
    - mips: fix cacheinfo
    - netfilter: ebtables: fix a memory leak bug in compat
    - ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
    - bonding: Force slave speed check after link state recovery for 802.3ad
    - can: dev: call netif_carrier_off() in register_candev()
    - ASoC: Fail card instantiation if DAI format setup fails
    - st21nfca_connectivity_event_received: null check the allocation
    - st_nci_hci_connectivity_event_received: null check the allocation
    - ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
    - net: usb: qmi_wwan: Add the BroadMobi BM818 card
    - qed: RDMA - Fix the hw_ver returned in device attributes
    - isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
      start_isoc_chain()
    - netfilter: ipset: Fix rename concurrency with listing
    - isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
    - perf bench numa: Fix cpu0 binding
    - can: sja1000: force the string buffer NULL-terminated
    - can: peak_usb: force the string buffer NULL-terminated
    - net/ethernet/qlogic/qed: force the string buffer NULL-terminated
    - NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
    - HID: input: fix a4tech horizontal wheel custom usage
    - SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL
    - net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
    - net: hisilicon: make hip04_tx_reclaim non-reentrant
    - net: hisilicon: fix hip04-xmit never return TX_BUSY
    - net: hisilicon: Fix dma_map_single failed on arm64
    - libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
    - libata: add SG safety checks in SFF pio transfers
    - x86/lib/cpu: Address missing prototypes warning
    - drm/vmwgfx: fix memory leak when too many retries have occurred
    - perf ftrace: Fix failure to set cpumask when only one cpu is present
    - perf cpumap: Fix writing to illegal memory in handling cpumap mask
    - perf pmu-events: Fix missing "cpu_clk_unhalted.core" event
    - selftests: kvm: Adding config fragments
    - HID: wacom: correct misreported EKR ring values
    - HID: wacom: Correct distance scale for 2nd-gen Intuos devices
    - Revert "dm bufio: fix deadlock with loop device"
    - ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply
    - libceph: fix PG split vs OSD (re)connect race
    - drm/nouveau: Don't retry infinitely when receiving no data on i2c over AUX
    - gpiolib: never report open-drain/source lines as 'input' to user-space
    - userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
    - x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
    - x86/apic: Handle missing global clockevent gracefully
    - x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
    - x86/boot: Save fields explicitly, zero out everything else
    - x86/boot: Fix boot regression caused by bootparam sanitizing
    - dm kcopyd: always complete failed jobs
    - dm btree: fix order of block initialization in btree_split_beneath
    - dm space map metadata: fix missing store of apply_bops() return value
    - dm table: fix invalid memory accesses with too high sector number
    - dm zoned: improve error handling in reclaim
    - dm zoned: improve error handling in i/o map code
    - dm zoned: properly handle backing device failure
    - genirq: Properly pair kobject_del() with kobject_add()
    - mm, page_owner: handle THP splits correctly
    - mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely
    - mm/zsmalloc.c: fix race condition in zs_destroy_pool
    - xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
    - dm zoned: fix potential NULL dereference in dmz_do_reclaim()
    - powerpc: Allow flush_(inval_)dcache_range to work across ranges >4GB
    - can: mcp251x: add error check when wq alloc failed
    - netfilter: ipset: Actually allow destination MAC address for hash:ip,mac
      sets too
    - netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and
      hash:ip,mac sets
    - rxrpc: Fix the lack of notification when sendmsg() fails on a DATA packet
    - net: phy: phy_led_triggers: Fix a possible null-pointer dereference in
      phy_led_trigger_change_speed()
    - NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts
    - net: stmmac: Fix issues when number of Queues >= 4
    - KVM: arm64: Don't write junk to sysregs on reset
    - KVM: arm: Don't write junk to CP15 registers on reset
    - xfs: don't trip over uninitialized buffer on extent read of corrupted inode
    - xfs: Move fs/xfs/xfs_attr.h to fs/xfs/libxfs/xfs_attr.h
    - xfs: Add helper function xfs_attr_try_sf_addname
    - xfs: Add attibute remove and helper functions

* Bionic update: upstream stable patchset 2019-08-27 (LP: #1841652)
    - sh: kernel: hw_breakpoint: Fix missing break in switch statement
    - mm/usercopy: use memory range to be accessed for wraparound check
    - mm/memcontrol.c: fix use after free in mem_cgroup_iter()
    - bpf: get rid of pure_initcall dependency to enable jits
    - bpf: restrict access to core bpf sysctls
    - bpf: add bpf_jit_limit knob to restrict unpriv allocations
    - xtensa: add missing isync to the cpu_reset TLB code
    - ALSA: hda - Apply workaround for another AMD chip 1022:1487
    - ALSA: hda - Fix a memory leak bug
    - HID: holtek: test for sanity of intfdata
    - HID: hiddev: avoid opening a disconnected device
    - HID: hiddev: do cleanup in failure of opening a device
    - Input: kbtab - sanity check for endpoint type
    - Input: iforce - add sanity checks
    - net: usb: pegasus: fix improper read if get_registers() fail
    - netfilter: ebtables: also count base chain policies
    - clk: at91: generated: Truncate divisor to GENERATED_MAX_DIV + 1
    - clk: renesas: cpg-mssr: Fix reset control race condition
    - xen/pciback: remove set but not used variable 'old_state'
    - irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail
    - irqchip/irq-imx-gpcv2: Forward irq type to parent
    - perf header: Fix divide by zero error if f_header.attr_size==0
    - perf header: Fix use of unitialized value warning
    - libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
    - drm/bridge: lvds-encoder: Fix build error while CONFIG_DRM_KMS_HELPER=m
    - scsi: hpsa: correct scsi command status issue after reset
    - scsi: qla2xxx: Fix possible fcport null-pointer dereferences
    - ata: libahci: do not complain in case of deferred probe
    - kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules
    - arm64/efi: fix variable 'si' set but not used
    - arm64: unwind: Prohibit probing on return_address()
    - arm64/mm: fix variable 'pud' set but not used
    - IB/core: Add mitigation for Spectre V1
    - IB/mad: Fix use-after-free in ib mad completion handling
    - drm: msm: Fix add_gpu_components
    - ocfs2: remove set but not used variable 'last_hash'
    - asm-generic: fix -Wtype-limits compiler warnings
    - KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block
    - staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
    - staging: comedi: dt3000: Fix rounding up of timer divisor
    - iio: adc: max9611: Fix temperature reading in probe
    - USB: core: Fix races in character device registration and deregistraion
    - usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role"
    - usb: cdc-acm: make sure a refcount is taken early enough
    - USB: CDC: fix sanity checks in CDC union parser
    - USB: serial: option: add D-Link DWM-222 device ID
    - USB: serial: option: Add support for ZTE MF871A
    - USB: serial: option: add the BroadMobi BM818 card
    - USB: serial: option: Add Motorola modem UARTs
    - bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
    - arm64: ftrace: Ensure module ftrace trampoline is coherent with I-side
    - netfilter: conntrack: Use consistent ct id hash calculation
    - Input: psmouse - fix build error of multiple definition
    - iommu/amd: Move iommu_init_pci() to .init section
    - bnx2x: Fix VF's VLAN reconfiguration in reload.
    - net/mlx4_en: fix a memory leak bug
    - net/packet: fix race in tpacket_snd()
    - sctp: fix the transport error_count check
    - xen/netback: Reset nr_frags before freeing skb
    - net/mlx5e: Only support tx/rx pause setting for port owner
    - net/mlx5e: Use flow keys dissector to parse packets for ARFS
    - team: Add vlan tx offload to hw_enc_features
    - bonding: Add vlan tx offload to hw_enc_features
    - mmc: sdhci-of-arasan: Do now show error message in case of deffered probe
    - xfrm: policy: remove pcpu policy cache
    - mm/hmm: fix bad subpage pointer in try_to_unmap_one
    - mm: mempolicy: make the behavior consistent when MPOL_MF_MOVE* and
      MPOL_MF_STRICT were specified
    - mm: mempolicy: handle vma with unmovable pages mapped correctly in mbind
    - riscv: Make __fstate_clean() work correctly.
    - Revert "kmemleak: allow to coexist with fault injection"
    - sctp: fix memleak in sctp_send_reset_streams

* Bionic update: upstream stable patchset 2019-08-16 (LP: #1840520)
    - iio: adc: max9611: Fix misuse of GENMASK macro
    - crypto: ccp - Fix oops by properly managing allocated structures
    - crypto: ccp - Ignore tag length when decrypting GCM ciphertext
    - usb: usbfs: fix double-free of usb memory upon submiturb error
    - usb: iowarrior: fix deadlock on disconnect
    - sound: fix a memory leak bug
    - mmc: cavium: Set the correct dma max segment size for mmc_host
    - mmc: cavium: Add the missing dma unmap when the dma has finished.
    - loop: set PF_MEMALLOC_NOIO for the worker thread
    - Input: synaptics - enable RMI mode for HP Spectre X360
    - lkdtm: support llvm-objcopy
    - crypto: ccp - Validate buffer lengths for copy operations
    - crypto: ccp - Add support for valid authsize values less than 16
    - perf annotate: Fix s390 gap between kernel end and module start
    - perf db-export: Fix thread__exec_comm()
    - perf record: Fix module size on s390
    - usb: host: xhci-rcar: Fix timeout in xhci_suspend()
    - usb: yurex: Fix use-after-free in yurex_delete
    - can: rcar_canfd: fix possible IRQ storm on high load
    - can: peak_usb: fix potential double kfree_skb()
    - netfilter: nfnetlink: avoid deadlock due to synchronous request_module
    - vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn
    - netfilter: Fix rpfilter dropping vrf packets by mistake
    - netfilter: nft_hash: fix symhash with modulus one
    - scripts/sphinx-pre-install: fix script for RHEL/CentOS
    - iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND
    - mac80211: don't warn about CW params when not using them
    - hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
    - drm: silence variable 'conn' set but not used
    - cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()
    - s390/qdio: add sanity checks to the fast-requeue path
    - ALSA: compress: Fix regression on compressed capture streams
    - ALSA: compress: Prevent bypasses of set_params
    - ALSA: compress: Don't allow paritial drain operations on capture streams
    - ALSA: compress: Be more restrictive about when a drain is allowed
    - perf tools: Fix proper buffer size for feature processing
    - perf probe: Avoid calling freeing routine multiple times for same pointer
    - drbd: dynamically allocate shash descriptor
    - ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id()
    - ARM: davinci: fix sleep.S build error on ARMv4
    - scsi: megaraid_sas: fix panic on loading firmware crashdump
    - scsi: ibmvfc: fix WARN_ON during event pool release
    - scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG
    - test_firmware: fix a memory leak bug
    - tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
    - perf/core: Fix creating kernel counters for PMUs that override event->cpu
    - HID: sony: Fix race condition between rumble and device remove.
    - can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
    - can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
    - hwmon: (nct7802) Fix wrong detection of in4 presence
    - drm/i915: Fix wrong escape clock divisor init for GLK
    - ALSA: firewire: fix a memory leak bug
    - ALSA: hda - Don't override global PCM hw info flag
    - ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)
    - mac80211: don't WARN on short WMM parameters from AP
    - SMB3: Fix deadlock in validate negotiate hits reconnect
    - smb3: send CAP_DFS capability during session setup
    - NFSv4: Only pass the delegation to setattr if we're sending a truncate
    - NFSv4: Fix an Oops in nfs4_do_setattr
    - KVM: Fix leak vCPU's VMCS value into other pCPU
    - mwifiex: fix 802.11n/WPA detection
    - iwlwifi: don't unmap as page memory that was mapped as single
    - iwlwifi: mvm: fix an out-of-bound access
    - iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41
    - iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support
    - iio: cros_ec_accel_legacy: Fix incorrect channel setting
    - staging: android: ion: Bail out upon SIGKILL when allocating memory.
    - x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS
    - usb: typec: tcpm: free log buf memory when remove debug file
    - usb: typec: tcpm: remove tcpm dir if no children
    - usb: typec: tcpm: Add NULL check before dereferencing config
    - netfilter: conntrack: always store window size un-scaled
    - drm/amd/display: Wait for backlight programming completion in set backlight
      level
    - drm/amd/display: use encoder's engine id to find matched free audio device
    - drm/amd/display: Fix dc_create failure handling and 666 color depths
    - drm/amd/display: Only enable audio if speaker allocation exists
    - drm/amd/display: Increase size of audios array
    - allocate_flower_entry: should check for null deref
    - s390/dma: provide proper ARCH_ZONE_DMA_BITS value
    - ALSA: hiface: fix multiple memory leak bugs

* Bionic update: upstream stable patchset 2019-08-15 (LP: #1840378)
    - scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure
    - ARM: dts: Add pinmuxing for i2c2 and i2c3 for LogicPD SOM-LV
    - ARM: dts: Add pinmuxing for i2c2 and i2c3 for LogicPD torpedo
    - HID: wacom: fix bit shift for Cintiq Companion 2
    - HID: Add quirk for HP X1200 PIXART OEM mouse
    - RDMA: Directly cast the sockaddr union to sockaddr
    - IB: directly cast the sockaddr union to aockaddr
    - atm: iphase: Fix Spectre v1 vulnerability
    - ife: error out when nla attributes are empty
    - ip6_tunnel: fix possible use-after-free on xmit
    - net: bridge: delete local fdb on device init failure
    - net: bridge: mcast: don't delete permanent entries when fast leave is
      enabled
    - net: fix ifindex collision during namespace removal
    - net/mlx5: Use reversed order when unregister devices
    - net: phylink: Fix flow control for fixed-link
    - net: sched: Fix a possible null-pointer dereference in dequeue_func()
    - NFC: nfcmrvl: fix gpio-handling regression
    - tipc: compat: allow tipc commands without arguments
    - compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
    - net/mlx5e: Prevent encap flow counter update async to user query
    - tun: mark small packets as owned by the tap sock
    - mvpp2: refactor MTU change code
    - bnx2x: Disable multi-cos feature.
    - cgroup: Call cgroup_release() before __exit_signal()
    - cgroup: Implement css_task_iter_skip()
    - cgroup: Include dying leaders with live threads in PROCS iterations
    - cgroup: css_task_iter_skip()'d iterators must be advanced before accessed
    - cgroup: Fix css_task_iter_advance_css_set() cset skip condition
    - spi: bcm2835: Fix 3-wire mode if DMA is enabled
    - driver core: Establish order of operations for device_add and device_del via
      bitflag
    - drivers/base: Introduce kill_device()
    - libnvdimm/bus: Prevent duplicate device_unregister() calls
    - libnvdimm/region: Register badblocks before namespaces
    - libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant
    - libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock
    - ipip: validate header length in ipip_tunnel_xmit
    - mvpp2: fix panic on module removal
    - net/mlx5: Fix modify_cq_in alignment
    - r8169: don't use MSI before RTL8168d

* VIMC module not available (CONFIG_VIDEO_VIMC not set) (LP: #1831482)
    - [Config] Enable VIMC module

* reboot will introduce an alarm 'beep ...' during BIOS phase (LP: #1840395)
    - ALSA: hda - Let all conexant codec enter D3 when rebooting
    - ALSA: hda - Add a generic reboot_notify

* Include Sunix serial/parallel driver (LP: #1826716)
    - serial: 8250_pci: Add support for Sunix serial boards
    - parport: parport_serial: Add support for Sunix Multi I/O boards

* Intel HDMI audio print "Unable to sync register" errors (LP: #1840394)
    - ALSA: hda - Don't resume forcibly i915 HDMI/DP codec

* Support cpufreq, thermal sensors & cooling cells on iMX6Q based Nitrogen6x
    board (LP: #1840437)
    - arm: imx: Add MODULE_ALIAS for cpufreq
    - ARM: dts: imx: Add missing OPP properties for CPUs
    - ARM: dts: imx7d: use operating-points-v2 for cpu
    - ARM: dts: imx7d: remove "operating-points" property for cpu1
    - ARM: dts: imx: add cooling-cells for cpufreq cooling device
    - ARM: dts: imx6: add thermal sensor and cooling cells

* hns3: ring buffer race leads can cause corruption (LP: #1840717)
    - net: hns3: minor optimization for ring_space
    - net: hns3: fix data race between ring->next_to_clean
    - net: hns3: optimize the barrier using when cleaning TX BD

* Bionic build broken if CONFIG_MODVERSIONS enabled (LP: #1840321)
    - Revert "genksyms: Teach parser about 128-bit built-in types"

* [bionic] drm/i915: softpin broken, needs to be fixed for 32bit mesa
    (LP: #1815172)
    - SAUCE: drm/i915: Partially revert d6edad3777c28ea

* Goodix touchpad may drop first input event (LP: #1840075)
    - mfd: intel-lpss: Remove D3cold delay

* NULL pointer dereference when Inserting the VIMC module (LP: #1840028)
    - media: vimc: fix component match compare

* Fix touchpad IRQ storm after S3 (LP: #1841396)
    - pinctrl: intel: remap the pin number to gpio offset for irq enabled pin

* [SRU][B/OEM-B/OEM-OSP1/D] UBUNTU: SAUCE: enable middle button for one more
    ThinkPad (LP: #1841722)
    - SAUCE: Input: elantech - enable middle button for one more ThinkPad

* Test 391/u and 391/p from ubuntu_bpf failed on B (LP: #1841704)
    - SAUCE: Fix "bpf: improve verifier branch analysis"

* crypto/testmgr.o fails to build due to struct cipher_testvec not having data
    members: ctext, ptext, len (LP: #1841264)
    - SAUCE: Revert "crypto: testmgr - add AES-CFB tests"

* Bionic QEMU with Bionic Kernel hangs in AMD FX-8350 with cpu-host as
    passthrough (LP: #1834522)
    - KVM: SVM: install RSM intercept
    - KVM: x86: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Tue, 17 Sep 2019 18:12:26 +0200

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Ubuntu
linux package

Bionic QEMU with Bionic Kernel hangs in AMD FX-8350 with cpu-host as passthrough

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Medium	Unassigned
	Bionic	Fix Released	Medium	Rafael David Tinoco

Ubuntulinux package

Bionic QEMU with Bionic Kernel hangs in AMD FX-8350 with cpu-host as passthrough

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package