group.of.nepali.translators team mailing list archive
Message #29059
[Bug 1764956] Re: Guests using IBRS incur a large performance penalty
This bug was fixed in the package linux - 4.4.0-143.169
---------------
linux (4.4.0-143.169) xenial; urgency=medium
* linux: 4.4.0-143.169 -proposed tracker (LP: #1814647)
* x86/kvm: Backport fixup and missing commits (LP: #1811646)
- KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
- kvm: nVMX: VMCLEAR an active shadow VMCS after last use
- X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
- KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
path as unlikely()
- kvm: x86: IA32_ARCH_CAPABILITIES is always supported
- KVM: SVM: Add MSR-based feature support for serializing LFENCE
- KVM: X86: Allow userspace to define the microcode version
- KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
- KVM: VMX: fixes for vmentry_l1d_flush module parameter
- kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
- kvm: vmx: Scrub hardware GPRs at VM-exit
- SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
- SAUCE: KVM: Move code fragments, cleanup and re-indent
* linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version
* signing: only install a signed kernel (LP: #1764794)
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] zfs/spl -- enhance provides information
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_package=false
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] Add linux-tools-host package for VM host tools
- [Packaging] signing should be conditional
- [Packaging] skip cloud tools packaging when not building package
- [Packaging] add acpidbg
- [debian] prep linux-libc-dev only if do_libc_dev_package=true
- [Packaging] Only install cloud init files when do_tools_common=true
* Redpine: Driver crash with network-manager 1.10 and above (LP: #1813869)
- SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash
* Guests using IBRS incur a large performance penalty (LP: #1764956)
- SAUCE: Restore the IBRS host state on VMEXIT
* Xenial update: 4.4.170 upstream stable release (LP: #1811647)
- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
- xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
- USB: serial: option: add GosunCn ZTE WeLink ME3630
- USB: serial: option: add HP lt4132
- USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
- USB: serial: option: add Fibocom NL668 series
- USB: serial: option: add Telit LN940 series
- mmc: core: Reset HPI enabled state during re-init and in case of errors
- mmc: omap_hsmmc: fix DMA API warning
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
- Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
- x86/mtrr: Don't copy uninitialized gentry fields back to userspace
- drm/ioctl: Fix Spectre v1 vulnerabilities
- ip6mr: Fix potential Spectre v1 vulnerability
- ipv4: Fix potential Spectre v1 vulnerability
- ax25: fix a use-after-free in ax25_fillin_cb()
- ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
- ieee802154: lowpan_header_create check must check daddr
- ipv6: explicitly initialize udp6_addr in udp_sock_create6()
- isdn: fix kernel-infoleak in capi_unlocked_ioctl
- netrom: fix locking in nr_find_socket()
- packet: validate address length
- packet: validate address length if non-zero
- sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
- vhost: make sure used idx is seen before log in vhost_add_used_n()
- VSOCK: Send reset control packet when socket is partially bound
- xen/netfront: tolerate frags with no data
- gro_cell: add napi_disable in gro_cells_destroy
- sock: Make sock->sk_stamp thread-safe
- ALSA: rme9652: Fix potential Spectre v1 vulnerability
- ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
- ALSA: pcm: Fix potential Spectre v1 vulnerability
- ALSA: emux: Fix potential Spectre v1 vulnerabilities
- ALSA: hda: add mute LED support for HP EliteBook 840 G4
- ALSA: hda/tegra: clear pending irq handlers
- USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
- USB: serial: option: add Fibocom NL678 series
- usb: r8a66597: Fix a possible concurrency use-after-free bug in
r8a66597_endpoint_disable()
- Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G
- KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
- perf pmu: Suppress potential format-truncation warning
- ext4: fix possible use after free in ext4_quota_enable
- ext4: missing unlock/put_page() in ext4_try_to_write_inline_data()
- ext4: fix EXT4_IOC_GROUP_ADD ioctl
- ext4: force inode writes when nfsd calls commit_metadata()
- spi: bcm2835: Fix race on DMA termination
- spi: bcm2835: Fix book-keeping of DMA termination
- spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode
- cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader.
- media: vivid: free bitmap_cap when updating std/timings/etc.
- MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
- MIPS: Align kernel load address to 64KB
- CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem
- x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when
running nested
- spi: bcm2835: Unbreak the build of esoteric configs
- powerpc: Fix COFF zImage booting on old powermacs
- ARM: imx: update the cpu power up timing setting on i.mx6sx
- Input: restore EV_ABS ABS_RESERVED
- checkstack.pl: fix for aarch64
- xfrm: Fix bucket count reported to userspace
- scsi: bnx2fc: Fix NULL dereference in error handling
- Input: omap-keypad - fix idle configuration to not block SoC idle states
- scsi: zfcp: fix posting too many status read buffers leading to adapter
shutdown
- hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
- mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
- mm, devm_memremap_pages: kill mapping "System RAM" support
- sunrpc: fix cache_head leak due to queued request
- sunrpc: use SVC_NET() in svcauth_gss_* functions
- crypto: x86/chacha20 - avoid sleeping with preemption disabled
- ALSA: cs46xx: Potential NULL dereference in probe
- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
- ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
- dlm: fixed memory leaks after failed ls_remove_names allocation
- dlm: possible memory leak on error path in create_lkb()
- dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
- dlm: memory leaks on error path in dlm_user_request()
- gfs2: Fix loop in gfs2_rbm_find
- b43: Fix error in cordic routine
- 9p/net: put a lower bound on msize
- iommu/vt-d: Handle domain agaw being less than iommu agaw
- ceph: don't update importing cap's mseq when handing cap export
- genwqe: Fix size check
- intel_th: msu: Fix an off-by-one in attribute store
- power: supply: olpc_battery: correct the temperature units
- Linux 4.4.170
* Xenial update: 4.4.169 upstream stable release (LP: #1811252)
- lib/interval_tree_test.c: make test options module parameters
- lib/interval_tree_test.c: allow full tree search
- lib/rbtree_test.c: make input module parameters
- lib/rbtree-test: lower default params
- lib/interval_tree_test.c: allow users to limit scope of endpoint
- timer/debug: Change /proc/timer_list from 0444 to 0400
- powerpc/boot: Fix random libfdt related build errors
- pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11
- aio: fix spectre gadget in lookup_ioctx
- MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
- tracing: Fix memory leak in set_trigger_filter()
- tracing: Fix memory leak of instance function hash filters
- powerpc/msi: Fix NULL pointer access in teardown code
- Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"
- f2fs: fix a panic caused by NULL flush_cmd_control
- mac80211: don't WARN on bad WMM parameters from buggy APs
- mac80211: Fix condition validating WMM IE
- mac80211_hwsim: fix module init error paths for netlink
- scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset
- scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during
unload
- x86/earlyprintk/efi: Fix infinite loop on some screen widths
- drm/msm: Grab a vblank reference when waiting for commit_done
- ARC: io.h: Implement reads{x}()/writes{x}()
- bonding: fix 802.3ad state sent to partner when unbinding slave
- SUNRPC: Fix a potential race in xprt_connect()
- sbus: char: add of_node_put()
- drivers/sbus/char: add of_node_put()
- drivers/tty: add missing of_node_put()
- ide: pmac: add of_node_put()
- clk: mmp: Off by one in mmp_clk_add()
- Input: omap-keypad - fix keyboard debounce configuration
- libata: whitelist all SAMSUNG MZ7KM* solid-state disks
- mv88e6060: disable hardware level MAC learning
- ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address
handling
- cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)
- [Config] Remove CONFIG_CIFS_POSIX=y
- i2c: axxia: properly handle master timeout
- i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node
- rtc: snvs: add a missing write sync
- rtc: snvs: Add timeouts to avoid kernel lockups
- ALSA: isa/wavefront: prevent some out of bound writes
- Linux 4.4.169
* Xenial update: 4.4.168 upstream stable release (LP: #1811080)
- ipv6: Check available headroom in ip6_xmit() even without options
- net: 8139cp: fix a BUG triggered by changing mtu with network traffic
- net: phy: don't allow __set_phy_supported to add unsupported modes
- net: Prevent invalid access to skb->prev in __qdisc_drop_all
- rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
- tcp: fix NULL ref in tail loss probe
- tun: forbid iface creation with rtnl ops
- neighbour: Avoid writing before skb->head in neigh_hh_output()
- ARM: OMAP2+: prm44xx: Fix section annotation on
omap44xx_prm_enable_io_wakeup
- ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
- sysv: return 'err' instead of 0 in __sysv_write_inode
- s390/cpum_cf: Reject request for sampling in event initialization
- hwmon: (ina2xx) Fix current value calculation
- ASoC: dapm: Recalculate audio map forcely when card instantiated
- hwmon: (w83795) temp4_type has writable permission
- Btrfs: send, fix infinite loop due to directory rename dependencies
- ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
- ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
- exportfs: do not read dentry after free
- bpf: fix check of allowed specifiers in bpf_trace_printk
- USB: omap_udc: use devm_request_irq()
- USB: omap_udc: fix crashes on probe error and module removal
- USB: omap_udc: fix omap_udc_start() on 15xx machines
- USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
- KVM: x86: fix empty-body warnings
- net: thunderx: fix NULL pointer dereference in nic_remove
- ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
- net: hisilicon: remove unexpected free_netdev
- drm/ast: fixed reading monitor EDID not stable issue
- xen: xlate_mmu: add missing header to fix 'W=1' warning
- fscache: fix race between enablement and dropping of object
- fscache, cachefiles: remove redundant variable 'cache'
- ocfs2: fix deadlock caused by ocfs2_defrag_extent()
- hfs: do not free node before using
- hfsplus: do not free node before using
- debugobjects: avoid recursive calls with kmemleak
- ocfs2: fix potential use after free
- pstore: Convert console write to use ->write_buf
- ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command
- KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC
- KVM: nVMX: mark vmcs12 pages dirty on L2 exit
- KVM: nVMX: Eliminate vmcs02 pool
- KVM: VMX: introduce alloc_loaded_vmcs
- KVM: VMX: make MSR bitmaps per-VCPU
- KVM/x86: Add IBPB support
- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
- KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
- KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
- x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
- KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
- bpf: support 8-byte metafield access
- bpf/verifier: Add spi variable to check_stack_write()
- bpf/verifier: Pass instruction index to check_mem_access() and check_xadd()
- bpf: Prevent memory disambiguation attack
- wil6210: missing length check in wmi_set_ie
- mm/hugetlb.c: don't call region_abort if region_chg fails
- hugetlbfs: fix offset overflow in hugetlbfs mmap
- hugetlbfs: check for pgoff value overflow
- hugetlbfs: fix bug in pgoff overflow checking
- swiotlb: clean up reporting
- sr: pass down correctly sized SCSI sense buffer
- mm: remove write/force parameters from __get_user_pages_locked()
- mm: remove write/force parameters from __get_user_pages_unlocked()
- mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages()
- mm: replace get_user_pages_unlocked() write/force parameters with gup_flags
- mm: replace get_user_pages_locked() write/force parameters with gup_flags
- mm: replace get_vaddr_frames() write/force parameters with gup_flags
- mm: replace get_user_pages() write/force parameters with gup_flags
- mm: replace __access_remote_vm() write parameter with gup_flags
- mm: replace access_remote_vm() write parameter with gup_flags
- proc: don't use FOLL_FORCE for reading cmdline and environment
- proc: do not access cmdline nor environ from file-backed areas
- media: dvb-frontends: fix i2c access helpers for KASAN
- matroxfb: fix size of memcpy
- staging: speakup: Replace strncpy with memcpy
- rocker: fix rocker_tlv_put_* functions for KASAN
- selftests: Move networking/timestamping from Documentation
- Linux 4.4.168
* kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation
* Userspace break as a result of missing patch backport (LP: #1813873)
- tty: Don't hold ldisc lock in tty_reopen() if ldisc present
* CVE-2019-6133
- fork: record start_time late
* Crash on "ip link add foo type ipip" (LP: #1811803)
- SAUCE: fan: Fix NULL pointer dereference
-- Juerg Haefliger <juergh@xxxxxxxxxxxxx> Wed, 06 Feb 2019 10:39:59 +0000
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1764956
Title:
Guests using IBRS incur a large performance penalty
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Trusty:
In Progress
Status in linux source package in Xenial:
Fix Released
Bug description:
[Impact]
IBRS would be mistakenly enabled in the host when switching from an
IBRS-enabled VM, and that causes the performance overhead in the host.
The other condition could also mistakenly disable IBRS in the VM when
context-switching from the host. And this could be considered a CVE for
the host.
[Fix]
The patch fixes the logic inside x86_virt_spec_ctrl so that it checks
ibrs_enabled and ORs the hostval with SPEC_CTRL_IBRS, because
x86_spec_ctrl_base is zero by default. The upstream implementation is
not the same as Xenial's: upstream doesn't use IBRS as the formal fix,
so by default it's zero.
On the other hand, after the VM exit, the SPEC_CTRL register also
needs to be saved manually by reading the SPEC_CTRL MSR, as the MSR
intercept is disabled by default in hardware_setup() (v4.4) and
vmx_init() (v3.13). The access to the SPEC_CTRL MSR in the VM is direct
and doesn't trigger a trap, so the vmx_set_msr() function isn't called.
The v3.13 kernel hasn't been tested. However, the patch can be viewed
at:
http://kernel.ubuntu.com/git/gavinguo/ubuntu-trusty-amd64.git/log/?h=sf00191076-sru
The v4.4 patch:
http://kernel.ubuntu.com/git/gavinguo/ubuntu-xenial.git/log/?h=sf00191076-spectre-v2-regres-backport-juerg
[Test]
The patch has been tested on 4.4.0-140.166 and works fine.
The reproducing environment:
Guest kernel version: 4.4.0-138.164
Host kernel version: 4.4.0-140.166
(host IBRS, guest IBRS)
- 1). (0, 1).
The case can be reproduced by the following instructions:
guest$ echo 1 | sudo tee /proc/sys/kernel/ibrs_enabled
1
<Several minutes later...>
host$ cat /proc/sys/kernel/ibrs_enabled
0
host$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
11111111111111000000000000000000010010100000000000000000
Some of the IBRS bits inside the SPEC_CTRL MSR are mistakenly
enabled.
host$ taskset -c 5 stress-ng -c 1 --cpu-ops 2500
stress-ng: info: [11264] defaulting to a 86400 second run per stressor
stress-ng: info: [11264] dispatching hogs: 1 cpu
stress-ng: info: [11264] cache allocate: default cache size: 35840K
stress-ng: info: [11264] successful run completed in 33.48s
The host kernel didn't notice that the IBRS bit is enabled, so the
situation is the same as "echo 2 > /proc/sys/kernel/ibrs_enabled" in the
host. And running stress-ng is a pure userspace CPU capability
calculation, so the performance downgrades to about 1/3. Without
IBRS enabled, it needs about 10s.
- 2). (1, 1) disables IBRS in host -> (0, 1) actually it becomes (0, 0).
The guest IBRS has been mistakenly disabled.
guest$ echo 2 | sudo tee /proc/sys/kernel/ibrs_enabled
guest$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
11111111111111111111111111111111111111111111111111111111
host$ echo 2 | sudo tee /proc/sys/kernel/ibrs_enabled
host$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
11111111111111111111111111111111111111111111111111111111
host$ echo 0 | sudo tee /proc/sys/kernel/ibrs_enabled
host$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
00000000000000000000000000000000000000000000000000000000
guest$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
00000000000000000000000000000000000000000000000000000000
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764956/+subscriptions
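A host-side check for the condition the reproduction steps above exercise, as an added example that is not code from the bug report or from the Ubuntu kernel tree. It parses the output of the same `rdmsr 0x48 -p N` loop (or reads MSR 0x48 itself through the msr driver's /dev/cpu/N/msr interface) and reports CPUs whose IBRS bit contradicts /proc/sys/kernel/ibrs_enabled; the sample readings are constructed from case 1's output, and the knob semantics (0 = off, 1 = kernel only, 2 = always on) are assumed from the description.

```python
"""Audit per-CPU IA32_SPEC_CTRL (MSR 0x48) against /proc/sys/kernel/ibrs_enabled.
Added example (not from the bug report or the Ubuntu kernel). Assumed Xenial knob
semantics: 0 = IBRS off, 1 = IBRS only inside the kernel, 2 = IBRS always on."""
import os
import struct

MSR_IA32_SPEC_CTRL = 0x48
SPEC_CTRL_IBRS = 1 << 0   # Indirect Branch Restricted Speculation
SPEC_CTRL_STIBP = 1 << 1  # Single Thread Indirect Branch Predictors
SPEC_CTRL_SSBD = 1 << 2   # Speculative Store Bypass Disable

# Constructed from the bug's case 1 (host ibrs_enabled=0, guest ibrs_enabled=1):
# the archive ran the 56 one-line rdmsr results together; split them back out.
CASE1_HOST_READINGS = "\n".join(
    "11111111111111000000000000000000010010100000000000000000")

def read_spec_ctrl(cpu):
    """Read MSR 0x48 on one CPU through the msr driver (root, CONFIG_X86_MSR)."""
    fd = os.open("/dev/cpu/%d/msr" % cpu, os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, MSR_IA32_SPEC_CTRL))[0]
    finally:
        os.close(fd)

def parse_rdmsr_output(text):
    """'rdmsr 0x48 -p N' prints bare hex, one line per CPU; return ints in order."""
    return [int(tok, 16) for tok in text.split()]

def decode_spec_ctrl(value):
    """Names of the SPEC_CTRL bits set in a raw MSR value."""
    bits = {SPEC_CTRL_IBRS: "IBRS", SPEC_CTRL_STIBP: "STIBP", SPEC_CTRL_SSBD: "SSBD"}
    return [name for bit, name in bits.items() if value & bit]

def find_ibrs_anomalies(values, ibrs_enabled):
    """CPUs whose IBRS bit contradicts the host knob.
    Mode 0: IBRS set means guest state leaked into the host (bug case 1).
    Mode 2: IBRS clear means the host lost its own mitigation.
    Mode 1 flips at every kernel/user transition, so one reading proves nothing."""
    if ibrs_enabled == 0:
        return [cpu for cpu, v in enumerate(values) if v & SPEC_CTRL_IBRS]
    if ibrs_enabled == 2:
        return [cpu for cpu, v in enumerate(values) if not v & SPEC_CTRL_IBRS]
    return []

def audit_live_host():
    """Read the knob and every CPU's MSR on a running Xenial host (needs root)."""
    with open("/proc/sys/kernel/ibrs_enabled") as f:
        mode = int(f.read())
    values = [read_spec_ctrl(cpu) for cpu in range(os.cpu_count())]
    return mode, find_ibrs_anomalies(values, mode)

if __name__ == "__main__":
    leaked = find_ibrs_anomalies(parse_rdmsr_output(CASE1_HOST_READINGS), 0)
    print("host ibrs_enabled=0 but IBRS set on %d CPUs: %s" % (len(leaked), leaked))
```

On a patched host with ibrs_enabled=0, audit_live_host() should return an empty list even after a guest has toggled its own IBRS.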