[UBUNTU 20.04] s390x/pci: do not allow to create more pci functions than configured via CONFIG_PCI_NR_FUNCTIONS

Bug #1874057 reported by bugproxy
Affects                  Status        Importance  Assigned to            Milestone
Ubuntu on IBM z Systems  Fix Released  Medium      Canonical Kernel Team
linux (Ubuntu)           Fix Released  Undecided   Canonical Kernel Team
Focal                    Fix Released  Undecided   Canonical Kernel Team
Groovy                   Fix Released  Undecided   Canonical Kernel Team

Bug Description

SRU Justification:
==================

[Impact]

* PCI Functions with UIDs >128 are currently not accounted correctly in the s390x/pci (zPCI) code.

* Furthermore, the code allows that more than CONFIG_PCI_NR_FUNCTIONS are created.

* This can lead to issues with data structures which were only allocated for CONFIG_PCI_NR_FUNCTIONS.

[Fix]

* https://launchpadlibrarian.net/478235080/0001-s390-pci-Fix-zpci_alloc_domain-over-allocation.patch

[Test Case]

* Set the kernel parameter CONFIG_PCI_NR_FUNCTIONS to a specific (reasonably low) number.

* And check if more PCI functions can be created than specified by CONFIG_PCI_NR_FUNCTIONS (e.g. using a RoCE adapter) and watch for kernel message 'Adding PCI function ... failed'

[Regression Potential]

* The regression potential can be considered as low, since:

* the zPCI cards are less widespread than for example ccw adapters on s390x

* the fix got already upstream accepted in 5.7, hence upstream reviewed, too

* the modifications span just two files and both are s390x arch specific

[Other Info]

* the above patch-file is based on commit 969ae01bab2fe938b4c8324836038b5ac1c78fac ("s390/pci: Fix zpci_alloc_domain() over allocation"), but this backport was needed for getting this applied to focal master-next

* and this patch got upstream accepted with kernel v5.7-rc1, hence on the long term it should be in 'gorilla'

__________

PCI Functions with UIDs >128 are currently not accounted correctly in the s390x/pci code. Furthermore, the code allows that more than CONFIG_PCI_NR_FUNCTIONS are created. This can lead to issues with data structures which were only allocated for CONFIG_PCI_NR_FUNCTIONS.

This has been fixed in the following upstream commit:

969ae01bab2fe938b4c8324836038b5ac1c78fac
("s390/pci: Fix zpci_alloc_domain() over allocation")
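
A simplified user-space model of the accounting gap described above and of a counted, capped allocator, added here as an illustration; it is not the kernel's code or the attached patch. The limit of 4, all function names and the exact shape of the "before" path are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define NR_FUNCTIONS 4      /* constructed stand-in for CONFIG_PCI_NR_FUNCTIONS */
#define DOMAIN_BITS  65536  /* one bit per possible 16-bit UID */

static unsigned char old_map[(NR_FUNCTIONS + 7) / 8]; /* sized for the limit only */
static unsigned char new_map[DOMAIN_BITS / 8];        /* covers every UID */
static unsigned int  new_count;                       /* domains currently in use */

static int test_and_set(unsigned char *map, unsigned int bit)
{
    int was_set = (map[bit / 8] >> (bit % 8)) & 1;
    map[bit / 8] |= (unsigned char)(1u << (bit % 8));
    return was_set;
}

/* Model of the gap: UIDs at or above the limit succeed without being tracked. */
int alloc_before(uint16_t uid)
{
    if (uid >= NR_FUNCTIONS)
        return 0;
    return test_and_set(old_map, uid) ? -EEXIST : 0;
}

/* Model of the fix: every allocation is counted and the count is capped. */
int alloc_after(uint16_t uid)
{
    if (new_count >= NR_FUNCTIONS)
        return -ENOSPC;
    if (test_and_set(new_map, uid))
        return -EEXIST;
    new_count++;
    return 0;
}

/* Request n functions with UIDs base..base+n-1; return how many were accepted. */
unsigned int create_many(int (*alloc)(uint16_t), uint16_t base, unsigned int n)
{
    unsigned int ok = 0;
    for (unsigned int i = 0; i < n; i++)
        ok += alloc((uint16_t)(base + i)) == 0;
    return ok;
}

int main(void)
{
    printf("before: %u, after: %u\n", create_many(alloc_before, 200, 10), create_many(alloc_after, 200, 10));
    return 0;
}
```

Any table sized for NR_FUNCTIONS entries is only safe to index per function when the allocator behaves like alloc_after.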

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-184167 severity-medium targetmilestone-inin2004
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
summary: - s390x/pci: do not allow to create more pci functions than configured via
- CONFIG_PCI_NR_FUNCTIONS
+ [UBUNTU 20.04] s390x/pci: do not allow to create more pci functions than
+ configured via CONFIG_PCI_NR_FUNCTIONS
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-04-21 09:56 EDT-------
PCI Functions with UIDs >128 are currently not accounted correctly in the s390x/pci code. Furthermore, the code allows that more than CONFIG_PCI_NR_FUNCTIONS are created. This can lead to issues with data structures which were only allocated for CONFIG_PCI_NR_FUNCTIONS.

This has been fixed in the following upstream commit:

969ae01bab2fe938b4c8324836038b5ac1c78fac ("s390/pci: Fix zpci_alloc_domain() over allocation")

Frank Heimes (fheimes) wrote :

Patch just landed on 5.7:
git tag --contains 969ae01bab2f | grep ^v
v5.7-rc1
v5.7-rc2

description: updated
Changed in ubuntu-z-systems:
importance: Undecided → Medium
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
Frank Heimes (fheimes) wrote :

The mentioned commit from 5.7 does not simply apply to focal master-next:

cherry-pick says:

Auto-merging arch/s390/pci/pci.c
CONFLICT (content): Merge conflict in arch/s390/pci/pci.c
Auto-merging arch/s390/include/asm/pci.h
warning: inexact rename detection was skipped due to too many files.
warning: you may want to set your merge.renamelimit variable to at least 2342 and retry the command.
error: could not apply 969ae01bab2f... s390/pci: Fix zpci_alloc_domain() over allocation
hint: after resolving the conflicts, mark the corrected paths
hint: with 'git add <paths>' or 'git rm <paths>'
hint: and commit the result with 'git commit'

with status:

On branch master-next
Your branch is ahead of 'origin/master-next' by 2 commits.
  (use "git push" to publish your local commits)

You are currently cherry-picking commit 969ae01bab2f.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
 modified: arch/s390/include/asm/pci.h

Unmerged paths:
  (use "git add <file>..." to mark resolution)
 both modified: arch/s390/pci/pci.c

and the git diff is:

diff --cc arch/s390/pci/pci.c
index 6105b1b6e49b,2b90a90aa81d..000000000000
--- a/arch/s390/pci/pci.c
+++ b/arch/s390/pci/pci.c
@@@ -39,11 -40,12 +39,12 @@@
  static LIST_HEAD(zpci_list);
  static DEFINE_SPINLOCK(zpci_list_lock);

- static DECLARE_BITMAP(zpci_domain, ZPCI_NR_DEVICES);
+ static DECLARE_BITMAP(zpci_domain, ZPCI_DOMAIN_BITMAP_SIZE);
  static DEFINE_SPINLOCK(zpci_domain_lock);
+ static unsigned int zpci_num_domains_allocated;

  #define ZPCI_IOMAP_ENTRIES \
 - min(((unsigned long) ZPCI_NR_DEVICES * PCI_STD_NUM_BARS / 2), \
 + min(((unsigned long) ZPCI_NR_DEVICES * PCI_BAR_COUNT / 2), \
            ZPCI_IOMAP_MAX_ENTRIES)

  static DEFINE_SPINLOCK(zpci_iomap_lock);
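
Review bot: zpci_num_domains_allocated is added right below zpci_domain_lock without a comment saying which lock protects it; state that it is guarded by zpci_domain_lock and keep every increment and decrement under that lock so the counter cannot drift from the zpci_domain bitmap. In the ZPCI_IOMAP_ENTRIES conflict, keep the master-next side (PCI_BAR_COUNT), since PCI_STD_NUM_BARS appears only on the cherry-picked side.
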
@@@ -606,59 -608,22 +607,63 @@@ void pcibios_disable_device(struct pci_
        zpci_debug_exit_device(zdev);
  }

 +#ifdef CONFIG_HIBERNATE_CALLBACKS
 +static int zpci_restore(struct device *dev)
 +{
 + struct pci_dev *pdev = to_pci_dev(dev);
 + struct zpci_dev *zdev = to_zpci(pdev);
 + int ret = 0;
 +
 + if (zdev->state != ZPCI_FN_STATE_ONLINE)
 + goto out;
 +
 + ret = clp_enable_fh(zdev, ZPCI_NR_DMA_SPACES);
 + if (ret)
 + goto out;
 +
 + zpci_map_resources(pdev);
 + zpci_register_ioat(zdev, 0, zdev->start_dma, zdev->end_dma,
 + (u64) zdev->dma_table);
 +
 +out:
 + return ret;
 +}
 +
 +static int zpci_freeze(struct device *dev)
 +{
 + struct pci_dev *pdev = to_pci_dev(dev);
 + struct zpci_dev *zdev = to_zpci(pdev);
 +
 + if (zdev->state != ZPCI_FN_STATE_ONLINE)
 + return 0;
 +
 + zpci_unregister_ioat(zdev, 0);
 + zpci_unmap_resources(pdev);
 + return clp_disable_fh(zdev);
 +}
 +
 +struct dev_pm_ops pcibios_pm_ops = {
 + .thaw_noirq = zpci_restore,
 + .freeze_noirq = zpci_freeze,
 + .restore_noirq = zpci_restore,
 + .poweroff_noirq = zpci_freeze,
 +};
 +#endi...
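
Review bot: the whole CONFIG_HIBERNATE_CALLBACKS block (zpci_restore, zpci_freeze, pcibios_pm_ops) is marked as present only on the master-next side, so the conflict here is about context rather than the fix itself; the resolution should leave this block untouched and carry over only the zpci_alloc_domain() changes from the cherry-picked commit. The hunk is cut off at '+#endi...', so the part that actually changes the allocation logic cannot be checked from what is shown.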

bugproxy (bugproxy) wrote : s390/pci: Fix zpci_alloc_domain() over allocation (for focal)

------- Comment on attachment From <email address hidden> 2020-04-22 04:30 EDT-------

Sorry, I totally forgot that the final patch version came after the power management removal which screwed up the context. Otherwise there would only have been a trivial constant rename.

Frank Heimes (fheimes) wrote :

Okay, that backport applies flawlessly - thanks!

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Triaged
Frank Heimes (fheimes) wrote :

Kernel SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2020-April/thread.html#109402
Changing status to 'In Progress'.

description: updated
Frank Heimes (fheimes)
Changed in linux (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Frank Heimes (fheimes) wrote :

With the patch applied the compile complains with:
...
  CC mm/vmalloc.o
/home/ubuntu/focal-lp1874057/arch/s390/pci/pci.c: In function ‘zpci_alloc_domain’:
/home/ubuntu/focal-lp1874057/arch/s390/pci/pci.c:668:4: error: implicit declaration of function ‘update_uid_checking’ [-Werror=implicit-function-declaration]
  668 | update_uid_checking(false);
      | ^~~~~~~~~~~~~~~~~~
  CC mm/process_vm_access.o
  CC security/apparmor/lib.o
cc1: some warnings being treated as errors
make[4]: *** [/home/ubuntu/focal-lp1874057/scripts/Makefile.build:273: arch/s390/pci/pci.o] Error 1
make[3]: *** [/home/ubuntu/focal-lp1874057/scripts/Makefile.build:522: arch/s390/pci] Error 2
make[2]: *** [/home/ubuntu/focal-lp1874057/Makefile:1719: arch/s390] Error 2

I double-checked with compiling the focal master-next tree w/o the patch, which works fine.

bugproxy (bugproxy) wrote : s390/pci: Fix zpci_alloc_domain() over allocation (for focal 2)

------- Comment on attachment From <email address hidden> 2020-05-04 09:52 EDT-------

Oh thank you for your patience, I totally screwed up the backport patch
as I accidentally included some code from the next commit

7a11c67a1ff9b0231eaaaa6a28294776d55b569a ("s390/pci: Improve handling of unset UID")

Actually that now applies cleanly on top and I think we might
want to include that as well, especially since it will also simplify
the backporting of the multi-function patch series.

Frank Heimes (fheimes)
description: updated
Frank Heimes (fheimes) wrote :

Kernel SRU request resubmitted as v2:
https://lists.ubuntu.com/archives/kernel-team/2020-May/thread.html#109579
Status still 'In Progress'.

Frank Heimes (fheimes) wrote :
Frank Heimes (fheimes)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in linux (Ubuntu Groovy):
status: Fix Committed → In Progress
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in ubuntu-z-systems:
status: Fix Committed → In Progress
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in linux (Ubuntu Focal):
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Groovy):
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
bugproxy (bugproxy)
tags: added: verification-done-focal
removed: verification-needed-focal
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-05-20 08:49 EDT-------
Verified by IBM

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-37.41

---------------
linux (5.4.0-37.41) focal; urgency=medium

  * CVE-2020-0543
    - SAUCE: x86/speculation/spectre_v2: Exclude Zhaoxin CPUs from SPECTRE_V2
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

 -- Marcelo Henrique Cerri <email address hidden> Wed, 03 Jun 2020 11:24:23 -0300

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (linux-oracle-5.4/5.4.0-1019.19~18.04.1)

All autopkgtests for the newly accepted linux-oracle-5.4 (5.4.0-1019.19~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-oracle-5.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-42.46

---------------
linux (5.4.0-42.46) focal; urgency=medium

  * focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

  * focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

  * CVE-2020-11935
    - aufs: do not call i_readcount_inc()

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

  * Update lockdown patches (LP: #1884159)
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

 -- Khalid Elmously <email address hidden> Thu, 09 Jul 2020 19:50:26 -0400

Changed in linux (Ubuntu Groovy):
status: In Progress → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-07-28 02:37 EDT-------
IBM bugzilla status-> closed, Fix Released with focal
