Ubuntu
linux package

[UBUNTU 20.04] zPCI device hot-plug during boot may result in unusable device

Bug #1893778 reported by bugproxy on 2020-09-01

This bug affects 1 person

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	Fix Released	High	Skipper Bug Screeners
linux (Ubuntu)	Fix Released	Undecided	Skipper Bug Screeners
Focal	Fix Released	Undecided	Frank Heimes
Groovy	Fix Released	Undecided	Skipper Bug Screeners

Bug Description

SRU Justification:
==================

[Impact]

* If a PCI device (incl. virtio-pci) is hot-plugged during boot-up on s390x, it can be detected as an entry in CLP List PCI functions and via the hot-plug event.

* (This is basically equivalent to boot time probing on other architectures.)

* In such a case the hot-plug event will be stale, but Linux still tries to add and enable the device which leads to:

* a) a duplicate entry in zPCI internal device list

* b) an attempt to enable the device with a stale function handle

* In case b) the device will be placed in error state which makes it unusable.

[Fix]

* b76fee1bc56c31a9d2a49592810eba30cc06d61a b76fee1bc56c "s390/pci: ignore stale configuration request event"

[Test Case]

* Setup an Ubuntu Server 20.04 (focal) Linux operating system on an IBM Z or LinuxONE III LPAR.

* It's now easiest to test on KVM using virtio-pci (on s390x).

* Start a test virtual machine: sudo virsh start <test-guest>

* Attach and hotplug a virtio-pci device: sudo virsh attach-device <test-guest> hotplug_pci_block.xml

* Where hotplug_pci_block.xml looks like:
   <disk device="disk" type="file">
      <driver name="qemu" type="raw" />
      <address type="pci">
         <zpci fid="4660" uid="4660" />
      </address>
      <source file="testdisk.img" />
      <target bus="virtio" dev="vdt" />
   </disk>

[Regression Potential]

* The regression risk is moderate, since the modification is very limited and therefore manageable (additional if statement - two lines of code) and easily testable on KVM using virtio-pci.

* The changes are in the zPCI event code, so in worst-case it can happen that the event handling get harmed which may break zPCI entirely, affecting all PCI devices incl. virtio-pci (on s390x).

* A bug in PCI 'availability' handling also just lead to wrong states of PCI devices which make them unavailable, hence unusable.

* Notice that zPCI is the s390x-specific PCI implementation, modifications here do not affect any other architecture.

* And zPCI devices are less wide-spread compared to ccw devices on s390x.

* On top a test kernel was build and made available for further testing atesting can be easily done with virtio-pci on KVM.

[Other]

* The fix/patch got upstream accepted with kernel v5.9-rc2.

* But it landed already in groovy's proposed kernel 5.8 (Ubuntu-5.8.0-18.19), due to 'Groovy update: v5.8.4 upstream stable release' that is handled in LP 1893048.

* Hence this fix/patch need to be applied to focal only.

__________

When a PCI device (including virtio-pci for which this is easiest to test)
is hot-plugged while Linux is still booting, it can be detected as
an entry in CLP List PCI Functions (basically equivalent to boot time probing
on other architectures) and with the hot-plug event.
In this case the hot-plug event will be stale but Linux still
tried to add and enable the device leading

a) to a duplicate entry in zPCI internal device list
b) an attempt to enable the device witha stale function handle

Part b) would lead to the device being place in the error state
and make it unusable.

This can most easily be reproduced using KVM and doing

# sudo virsh start myguest && sudo virsh attach-device myguest hotplug_pci_block.xml

Where hotplug_pci_block.xml looks like the following:

The problem is fixed with the 3-line upstream commit

b76fee1bc56c31a9d2a49592810eba30cc06d61a s390/pci: ignore stale configuration request event

I also confirmed that as of the focal tag Ubuntu-5.4.0-46.50 this
cherry-picks cleanly.

See original description

Tags:

CVE References

bugproxy (bugproxy) on 2020-09-01

tags:	added: architecture-s39064 bugnameltc-187974 severity-high targetmilestone-inin2004
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-09-01:

The commit mentioned got upstream accepted with v5.9-rc2, but already landed in groovy via Groovy update: v5.8.4 upstream stable release of LP 1893048.
Hence only SRU to Focal is needed.

Changed in linux (Ubuntu Groovy):
status:	New → Fix Released

Frank Heimes (fheimes) on 2020-09-01

Changed in linux (Ubuntu Focal):
assignee:	nobody → Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
importance:	Undecided → High

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-09-03:

While working on this SRU a set of patched kernel packages was created that were now made available here for further testing:
https://people.canonical.com/~fheimes/lp1893778/

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-09-03:

Kernel SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2020-September/thread.html#113190
Updating status to 'In Progress'.

Changed in linux (Ubuntu Focal):
status:	New → In Progress
Changed in ubuntu-z-systems:
status:	New → In Progress
description:	updated

Khaled El Mously (kmously) on 2020-09-16

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Frank Heimes (fheimes) on 2020-09-16

Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-09-21:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Revision history for this message

bugproxy (bugproxy) wrote on 2020-09-22: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-09-22 04:02 EDT-------
I've verified that this now works as expected on focal-proposed kernel 5.4.0-49.53.
Thanks!

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-09-22:

Thx Niklas for the verification - updating tags ...

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-10-13:

Download full text (31.2 KiB)

This bug was fixed in the package linux - 5.4.0-51.56

---------------
linux (5.4.0-51.56) focal; urgency=medium

* Packaging resync (LP: #1786013)
- update dkms package versions

linux (5.4.0-50.55) focal; urgency=medium

* CVE-2020-16119
- SAUCE: dccp: avoid double free of ccid on child socket

  * CVE-2020-16120
    - Revert "UBUNTU: SAUCE: overlayfs: ensure mounter privileges when reading
      directories"
    - ovl: pass correct flags for opening real directory
    - ovl: switch to mounter creds in readdir
    - ovl: verify permissions in ovl_path_open()
    - ovl: call secutiry hook in ovl_real_ioctl()
    - ovl: check permission to open real file

linux (5.4.0-49.53) focal; urgency=medium

* focal/linux: 5.4.0-49.53 -proposed tracker (LP: #1896007)

* Comet Lake PCH-H RAID not support on Ubuntu20.04 (LP: #1892288)
- ahci: Add Intel Comet Lake PCH-H PCI ID

* Novalink (mkvterm command failure) (LP: #1892546)
- tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

  * Oops and hang when starting LVM snapshots on 5.4.0-47 (LP: #1894780)
    - SAUCE: Revert "mm: memcg/slab: fix memory leak at non-root kmem_cache
      destroy"

  * Intel x710 LOMs do not work on Focal (LP: #1893956)
    - i40e: Fix LED blinking flow for X710T*L devices
    - i40e: enable X710 support

* Add/Backport EPYC-v3 and EPYC-Rome CPU model (LP: #1887490)
- kvm: svm: Update svm_xsaves_supported

* Fix non-working NVMe after S3 (LP: #1895718)
- SAUCE: PCI: Enable ACS quirk on CML root port

  * Focal update: v5.4.65 upstream stable release (LP: #1895881)
    - ipv4: Silence suspicious RCU usage warning
    - ipv6: Fix sysctl max for fib_multipath_hash_policy
    - netlabel: fix problems with mapping removal
    - net: usb: dm9601: Add USB ID of Keenetic Plus DSL
    - sctp: not disable bh in the whole sctp_get_port_local()
    - taprio: Fix using wrong queues in gate mask
    - tipc: fix shutdown() of connectionless socket
    - net: disable netpoll on fresh napis
    - Linux 5.4.65

This bug was fixed in the package linux - 5.4.0-51.56

---------------
linux (5.4.0-51.56) focal; urgency=medium

* Packaging resync (LP: #1786013)
    - update dkms package versions

linux (5.4.0-50.55) focal; urgency=medium

* CVE-2020-16119
    - SAUCE: dccp: avoid double free of ccid on child socket

linux (5.4.0-49.53) focal; urgency=medium

* focal/linux: 5.4.0-49.53 -proposed tracker (LP: #1896007)

* Comet Lake PCH-H RAID not support on Ubuntu20.04 (LP: #1892288)
    - ahci: Add Intel Comet Lake PCH-H PCI ID

* Novalink (mkvterm command failure) (LP: #1892546)
    - tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

* Oops and hang when starting LVM snapshots on 5.4.0-47 (LP: #1894780)
    - SAUCE: Revert "mm: memcg/slab: fix memory leak at non-root kmem_cache
      destroy"

* Intel x710 LOMs do not work on Focal (LP: #1893956)
    - i40e: Fix LED blinking flow for X710T*L devices
    - i40e: enable X710 support

* Add/Backport EPYC-v3 and EPYC-Rome CPU model (LP: #1887490)
    - kvm: svm: Update svm_xsaves_supported

* Fix non-working NVMe after S3 (LP: #1895718)
    - SAUCE: PCI: Enable ACS quirk on CML root port

* Focal update: v5.4.64 upstream stable release (LP: #1895880)
    - HID: quirks: Always poll three more Lenovo PixArt mice
    - drm/msm/dpu: Fix scale params in plane validation
    - tty: serial: qcom_geni_serial: Drop __init from qcom_geni_console_setup
    - drm/msm: add shutdown support for display platform_driver
    - hwmon: (applesmc) check status earlier.
    - nvmet: Disable keep-alive timer when kato is cleared to 0h
    - drm/msm: enable vblank during atomic commits
    - habanalabs: validate FW file size
    - habanalabs: check correct vmalloc return code
    - drm/msm/a6xx: fix gmu start on newer firmware
    - ceph: don't allow setlease on cephfs
    - drm/omap: fix incorrect lock state
    - cpuidle: Fixup IRQ state
    - nbd: restore default timeout when setting it to zero
    - s390: don't trace preemption in percpu macros
    - drm/amd/display: Reject overlay plane configurations in multi-display
      scenarios
    - drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in
      amdgpu_dm_update_backlight_caps
    - drm/amd/display: Retry AUX write when fail occurs
    - drm/amd/display: Fix memleak in amdgpu_dm_mode_config_init
    - xen/xenbus: Fix granting of vmalloc'd memory
    - fsldma: fix very broken 32-bit ppc ioread64 functionality
    - dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
    - batman-adv: Avoid uninitialized chaddr when handling DHCP
    - batman-adv: Fix own OGM check in aggregated OGMs
    - batman-adv: bla: use netif_rx_ni when not in interrupt context
    - dmaengine: at_hdmac: check return value of of_find_device_by_node() in
      at_dma_xlate()
    - rxrpc: Keep the ACK serial in a var in rxrpc_input_ack()
    - rxrpc: Make rxrpc_kernel_get_srtt() indicate validity
    - MIPS: mm: BMIPS5000 has inclusive physical caches
    - MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores
    - mmc: sdhci-acpi: Fix HS400 tuning for AMDI0040
    - netfilter: nf_tables: add NFTA_SET_USERDATA if not null
    - netfilter: nf_tables: incorrect enum nft_list_attributes definition
    - netfilter: nf_tables: fix destination register zeroing
    - net: hns: Fix memleak in hns_nic_dev_probe
    - net: systemport: Fix memleak in bcm_sysport_probe
    - ravb: Fixed to be able to unload modules
    - net: arc_emac: Fix memleak in arc_mdio_probe
    - dmaengine: pl330: Fix burst length if burst size is smaller than bus width
    - gtp: add GTPA_LINK info to msg sent to userspace
    - net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port
    - bnxt_en: Don't query FW when netif_running() is false.
    - bnxt_en: Check for zero dir entries in NVRAM.
    - bnxt_en: Fix PCI AER error recovery flow
    - bnxt_en: Fix possible crash in bnxt_fw_reset_task().
    - bnxt_en: fix HWRM error when querying VF temperature
    - xfs: fix boundary test in xfs_attr_shortform_verify
    - bnxt: don't enable NAPI until rings are ready
    - media: vicodec: add missing v4l2_ctrl_request_hdl_put()
    - media: cedrus: Add missing v4l2_ctrl_request_hdl_put()
    - selftests/bpf: Fix massive output from test_maps
    - net: dsa: mt7530: fix advertising unsupported 1000baseT_Half
    - netfilter: nfnetlink: nfnetlink_unicast() reports EAGAIN instead of ENOBUFS
    - nvmet-fc: Fix a missed _irqsave version of spin_lock in
      'nvmet_fc_fod_op_done()'
    - nvme: fix controller instance leak
    - cxgb4: fix thermal zone device registration
    - perf tools: Correct SNOOPX field offset
    - net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
    - fix regression in "epoll: Keep a reference on files added to the check list"
    - net: gemini: Fix another missing clk_disable_unprepare() in probe
    - MIPS: add missing MSACSR and upper MSA initialization
    - xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files
    - perf jevents: Fix suspicious code in fixregex()
    - tg3: Fix soft lockup when tg3_reset_task() fails.
    - x86, fakenuma: Fix invalid starting node ID
    - iommu/vt-d: Serialize IOMMU GCMD register modifications
    - thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
    - thermal: qcom-spmi-temp-alarm: Don't suppress negative temp
    - iommu/amd: Restore IRTE.RemapEn bit after programming IRTE
    - include/linux/log2.h: add missing () around n in roundup_pow_of_two()
    - iommu/vt-d: Handle 36bit addressing for x86-32
    - tracing/kprobes, x86/ptrace: Fix regs argument order for i386
    - ext2: don't update mtime on COW faults
    - xfs: don't update mtime on COW faults
    - ARC: perf: don't bail setup if pct irq missing in device-tree
    - btrfs: drop path before adding new uuid tree entry
    - btrfs: allocate scrub workqueues outside of locks
    - btrfs: set the correct lockdep class for new nodes
    - btrfs: set the lockdep class for log tree extent buffers
    - btrfs: tree-checker: fix the error message for transid error
    - net: core: use listified Rx for GRO_NORMAL in napi_gro_receive()
    - btrfs: fix potential deadlock in the search ioctl
    - ALSA: ca0106: fix error code handling
    - ALSA: usb-audio: Add implicit feedback quirk for UR22C
    - ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
    - ALSA: hda/hdmi: always check pin power status in i915 pin fixup
    - ALSA: firewire-digi00x: exclude Avid Adrenaline from detection
    - ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO
    - ALSA; firewire-tascam: exclude Tascam FE-8 from detection
    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A
    - ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen
    - arm64: dts: mt7622: add reset node for mmc device
    - mmc: mediatek: add optional module reset property
    - mmc: dt-bindings: Add resets/reset-names for Mediatek MMC bindings
    - mmc: cqhci: Add cqhci_deactivate()
    - mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based
      controllers
    - media: rc: do not access device via sysfs after rc_unregister_device()
    - media: rc: uevent sysfs file races with rc_unregister_device()
    - affs: fix basic permission bits to actually work
    - block: allow for_each_bvec to support zero len bvec
    - block: ensure bdi->io_pages is always initialized
    - libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks
    - blk-iocost: ioc_pd_free() shouldn't assume irq disabled
    - dmaengine: dw-edma: Fix scatter-gather address calculation
    - drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting
    - dm writecache: handle DAX to partitions on persistent memory correctly
    - dm mpath: fix racey management of PG initialization
    - dm integrity: fix error reporting in bitmap mode after creation
    - dm crypt: Initialize crypto wait structures
    - dm cache metadata: Avoid returning cmd->bm wild pointer on error
    - dm thin metadata: Avoid returning cmd->bm wild pointer on error
    - dm thin metadata: Fix use-after-free in dm_bm_set_read_only
    - mm: slub: fix conversion of freelist_corrupted()
    - mm: madvise: fix vma user-after-free
    - vfio/pci: Fix SR-IOV VF handling with MMIO blocking
    - perf record: Correct the help info of option "--no-bpf-event"
    - sdhci: tegra: Add missing TMCLK for data timeout
    - checkpatch: fix the usage of capture group ( ... )
    - mm/hugetlb: fix a race between hugetlb sysctl handlers
    - mm/khugepaged.c: fix khugepaged's request size in collapse_file
    - cfg80211: regulatory: reject invalid hints
    - net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()
    - Linux 5.4.64

* Focal update: v5.4.63 upstream stable release (LP: #1895879)
    - HID: core: Correctly handle ReportSize being zero
    - HID: core: Sanitize event code and type when mapping input
    - perf record/stat: Explicitly call out event modifiers in the documentation
    - drm/sched: Fix passing zero to 'PTR_ERR' warning v2
    - drm/etnaviv: fix TS cache flushing on GPUs with BLT engine
    - KVM: arm64: Add kvm_extable for vaxorcism code
    - KVM: arm64: Survive synchronous exceptions caused by AT instructions
    - KVM: arm64: Set HCR_EL2.PTW to prevent AT taking synchronous exception
    - dt-bindings: mmc: tegra: Add tmclk for Tegra210 and later
    - arm64: tegra: Add missing timeout clock to Tegra194 SDMMC nodes
    - arm64: tegra: Add missing timeout clock to Tegra186 SDMMC nodes
    - arm64: tegra: Add missing timeout clock to Tegra210 SDMMC
    - sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra210
    - sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra186
    - scsi: target: tcmu: Fix size in calls to tcmu_flush_dcache_range
    - scsi: target: tcmu: Optimize use of flush_dcache_page
    - Linux 5.4.63

* Focal update: v5.4.62 upstream stable release (LP: #1895174)
    - binfmt_flat: revert "binfmt_flat: don't offset the data start"
    - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
    - net: Fix potential wrong skb->protocol in skb_vlan_untag()
    - net: nexthop: don't allow empty NHA_GROUP
    - net: qrtr: fix usage of idr in port assignment to socket
    - net: sctp: Fix negotiation of the number of data streams.
    - net/smc: Prevent kernel-infoleak in __smc_diag_dump()
    - tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
    - net: ena: Make missed_tx stat incremental
    - net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error
      flow
    - ipvlan: fix device features
    - ALSA: pci: delete repeated words in comments
    - ASoC: img: Fix a reference count leak in img_i2s_in_set_fmt
    - ASoC: img-parallel-out: Fix a reference count leak
    - ASoC: tegra: Fix reference count leaks.
    - mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs
    - arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep
    - powerpc/xive: Ignore kmemleak false positives
    - media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA
      value in debiirq()
    - blktrace: ensure our debugfs dir exists
    - scsi: target: tcmu: Fix crash on ARM during cmd completion
    - mfd: intel-lpss: Add Intel Tiger Lake PCH-H PCI IDs
    - iommu/iova: Don't BUG on invalid PFNs
    - drm/amdkfd: Fix reference count leaks.
    - drm/radeon: fix multiple reference count leak
    - drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
    - drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
    - drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
    - drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
    - scsi: lpfc: Fix shost refcount mismatch when deleting vport
    - xfs: Don't allow logging of XFS_ISTALE inodes
    - scsi: target: Fix xcopy sess release leak
    - selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
    - f2fs: fix error path in do_recover_data()
    - omapfb: fix multiple reference count leaks due to pm_runtime_get_sync
    - PCI: Fix pci_create_slot() reference count leak
    - ARM: dts: ls1021a: output PPS signal on FIPER2
    - rtlwifi: rtl8192cu: Prevent leaking urb
    - mips/vdso: Fix resource leaks in genvdso.c
    - cec-api: prevent leaking memory through hole in structure
    - HID: quirks: add NOGET quirk for Logitech GROUP
    - f2fs: fix use-after-free issue
    - drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open
    - drm/nouveau: fix reference count leak in nv50_disp_atomic_commit
    - drm/nouveau: Fix reference count leak in nouveau_connector_detect
    - locking/lockdep: Fix overflow in presentation of average lock-time
    - btrfs: file: reserve qgroup space after the hole punch range is locked
    - btrfs: make btrfs_qgroup_check_reserved_leak take btrfs_inode
    - scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
    - ceph: fix potential mdsc use-after-free crash
    - ceph: do not access the kiocb after aio requests
    - scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
    - EDAC/ie31200: Fallback if host bridge device is already initialized
    - hugetlbfs: prevent filesystem stacking of hugetlbfs
    - media: davinci: vpif_capture: fix potential double free
    - KVM: arm64: Fix symbol dependency in __hyp_call_panic_nvhe
    - powerpc/spufs: add CONFIG_COREDUMP dependency
    - USB: sisusbvga: Fix a potential UB casued by left shifting a negative value
    - brcmfmac: Set timeout value when configuring power save
    - efi: provide empty efi_enter_virtual_mode implementation
    - arm64: Fix __cpu_logical_map undefined issue
    - Revert "ath10k: fix DMA related firmware crashes on multiple devices"
    - sched/uclamp: Protect uclamp fast path code with static key
    - sched/uclamp: Fix a deadlock when enabling uclamp static key
    - usb: cdns3: gadget: always zeroed TRB buffer when enable endpoint
    - PM / devfreq: rk3399_dmc: Add missing of_node_put()
    - PM / devfreq: rk3399_dmc: Disable devfreq-event device when fails
    - PM / devfreq: rk3399_dmc: Fix kernel oops when rockchip,pmu is absent
    - drm/xen: fix passing zero to 'PTR_ERR' warning
    - drm/xen-front: Fix misused IS_ERR_OR_NULL checks
    - s390/numa: set node distance to LOCAL_DISTANCE
    - btrfs: factor out inode items copy loop from btrfs_log_inode()
    - btrfs: only commit the delayed inode when doing a full fsync
    - btrfs: only commit delayed items at fsync if we are logging a directory
    - mm/shuffle: don't move pages between zones and don't read garbage memmaps
    - mm: fix kthread_use_mm() vs TLB invalidate
    - mm/cma.c: switch to bitmap_zalloc() for cma bitmap allocation
    - cma: don't quit at first error when activating reserved areas
    - gpu/drm: ingenic: Use the plane's src_[x,y] to configure DMA length
    - drm/ingenic: Fix incorrect assumption about plane->index
    - drm/amd/display: Trigger modesets on MST DSC connectors
    - drm/amd/display: Add additional config guards for DCN
    - drm/amd/display: Fix dmesg warning from setting abm level
    - mm/vunmap: add cond_resched() in vunmap_pmd_range
    - EDAC: sb_edac: get rid of unused vars
    - EDAC: skx_common: get rid of unused type var
    - EDAC/{i7core,sb,pnd2,skx}: Fix error event severity
    - PCI: qcom: Add missing ipq806x clocks in PCIe driver
    - PCI: qcom: Change duplicate PCI reset to phy reset
    - PCI: qcom: Add missing reset for ipq806x
    - cpufreq: intel_pstate: Fix EPP setting via sysfs in active mode
    - ALSA: usb-audio: Add capture support for Saffire 6 (USB 1.1)
    - media: gpio-ir-tx: improve precision of transmitted signal due to scheduling
    - block: respect queue limit of max discard segment
    - block: virtio_blk: fix handling single range discard request
    - drm/msm/adreno: fix updating ring fence
    - block: Fix page_is_mergeable() for compound pages
    - bfq: fix blkio cgroup leakage v4
    - hwmon: (nct7904) Correct divide by 0
    - blk-mq: insert request not through ->queue_rq into sw/scheduler queue
    - blkcg: fix memleak for iolatency
    - nvme-fc: Fix wrong return value in __nvme_fc_init_request()
    - nvme: multipath: round-robin: fix single non-optimized path case
    - null_blk: fix passing of REQ_FUA flag in null_handle_rq
    - i2c: core: Don't fail PRP0001 enumeration when no ID table exist
    - i2c: rcar: in slave mode, clear NACK earlier
    - usb: gadget: f_tcm: Fix some resource leaks in some error paths
    - spi: stm32: clear only asserted irq flags on interrupt
    - jbd2: make sure jh have b_transaction set in refile/unfile_buffer
    - ext4: don't BUG on inconsistent journal feature
    - ext4: handle read only external journal device
    - jbd2: abort journal if free a async write error metadata buffer
    - ext4: handle option set by mount flags correctly
    - ext4: handle error of ext4_setup_system_zone() on remount
    - ext4: correctly restore system zone info when remount fails
    - fs: prevent BUG_ON in submit_bh_wbc()
    - spi: stm32h7: fix race condition at end of transfer
    - spi: stm32: fix fifo threshold level in case of short transfer
    - spi: stm32: fix stm32_spi_prepare_mbr in case of odd clk_rate
    - spi: stm32: always perform registers configuration prior to transfer
    - drm/amd/powerplay: correct Vega20 cached smu feature state
    - drm/amd/powerplay: correct UVD/VCE PG state on custom pptable uploading
    - drm/amd/display: Switch to immediate mode for updating infopackets
    - netfilter: avoid ipv6 -> nf_defrag_ipv6 module dependency
    - can: j1939: transport: j1939_xtp_rx_dat_one(): compare own packets to detect
      corruptions
    - ALSA: hda/realtek: Add model alc298-samsung-headphone
    - s390/cio: add cond_resched() in the slow_eval_known_fn() loop
    - ASoC: wm8994: Avoid attempts to read unreadable registers
    - selftests: disable rp_filter for icmp_redirect.sh
    - scsi: fcoe: Fix I/O path allocation
    - scsi: ufs: Fix possible infinite loop in ufshcd_hold
    - scsi: ufs: Improve interrupt handling for shared interrupts
    - scsi: ufs: Clean up completed request without interrupt notification
    - scsi: qla2xxx: Fix login timeout
    - scsi: qla2xxx: Check if FW supports MQ before enabling
    - scsi: qla2xxx: Fix null pointer access during disconnect from subsystem
    - Revert "scsi: qla2xxx: Fix crash on qla2x00_mailbox_command"
    - macvlan: validate setting of multiple remote source MAC addresses
    - net: gianfar: Add of_node_put() before goto statement
    - powerpc/perf: Fix soft lockups due to missed interrupt accounting
    - arm64: Move handling of erratum 1418040 into C code
    - arm64: Allow booting of late CPUs affected by erratum 1418040
    - block: fix get_max_io_size()
    - block: loop: set discard granularity and alignment for block device backed
      loop
    - HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands
    - blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART
    - btrfs: reset compression level for lzo on remount
    - btrfs: check the right error variable in btrfs_del_dir_entries_in_log
    - btrfs: fix space cache memory leak after transaction abort
    - btrfs: detect nocow for swap after snapshot delete
    - fbcon: prevent user font height or width change from causing potential out-
      of-bounds access
    - USB: lvtest: return proper error code in probe
    - vt: defer kfree() of vc_screenbuf in vc_do_resize()
    - vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()
    - serial: samsung: Removes the IRQ not found warning
    - serial: pl011: Fix oops on -EPROBE_DEFER
    - serial: pl011: Don't leak amba_ports entry on driver register error
    - serial: stm32: avoid kernel warning on absence of optional IRQ
    - serial: 8250_exar: Fix number of ports for Commtech PCIe cards
    - serial: 8250: change lock order in serial8250_do_startup()
    - writeback: Protect inode->i_io_list with inode->i_lock
    - writeback: Avoid skipping inode writeback
    - writeback: Fix sync livelock due to b_dirty_time processing
    - XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN
      data pointer which contains XEN specific information.
    - usb: host: xhci: fix ep context print mismatch in debugfs
    - xhci: Do warm-reset when both CAS and XDEV_RESUME are set
    - xhci: Always restore EP_SOFT_CLEAR_TOGGLE even if ep reset failed
    - ARM64: vdso32: Install vdso32 from vdso_install
    - arm64: vdso32: make vdso32 install conditional
    - PM: sleep: core: Fix the handling of pending runtime resume requests
    - powerpc/perf: Fix crashes with generic_compat_pmu & BHRB
    - device property: Fix the secondary firmware node handling in
      set_primary_fwnode()
    - crypto: af_alg - Work around empty control messages without MSG_MORE
    - genirq/matrix: Deal with the sillyness of for_each_cpu() on UP
    - irqchip/stm32-exti: Avoid losing interrupts due to clearing pending bits by
      mistake
    - x86/hotplug: Silence APIC only after all interrupts are migrated
    - drm/amdgpu: Fix buffer overflow in INFO ioctl
    - drm/amdgpu/gfx10: refine mgcg setting
    - drm/amd/powerplay: Fix hardmins not being sent to SMU for RV
    - drm/amd/pm: correct Vega10 swctf limit setting
    - drm/amd/pm: correct Vega12 swctf limit setting
    - drm/amd/pm: correct Vega20 swctf limit setting
    - drm/amd/pm: correct the thermal alert temperature limit settings
    - USB: yurex: Fix bad gfp argument
    - usb: uas: Add quirk for PNY Pro Elite
    - USB: quirks: Ignore duplicate endpoint on Sound Devices MixPre-D
    - USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge
    - usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe()
    - USB: gadget: u_f: add overflow checks to VLA macros
    - USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()
    - USB: gadget: u_f: Unbreak offset calculation in VLAs
    - USB: cdc-acm: rework notification_buffer resizing
    - usb: storage: Add unusual_uas entry for Sony PSZ drives
    - drm/i915: Fix cmd parser desc matching with masks
    - usb: dwc3: gadget: Don't setup more than requested
    - usb: dwc3: gadget: Fix handling ZLP
    - usb: dwc3: gadget: Handle ZLP for sg requests
    - fbmem: pull fbcon_update_vcs() out of fb_set_var()
    - kheaders: remove unneeded 'cat' command piped to 'head' / 'tail'
    - kheaders: optimize md5sum calculation for in-tree builds
    - kheaders: optimize header copy for in-tree builds
    - kheaders: remove the last bashism to allow sh to run it
    - kheaders: explain why include/config/autoconf.h is excluded from md5sum
    - kbuild: add variables for compression tools
    - kbuild: fix broken builds because of GZIP,BZIP2,LZOP variables
    - HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
    - ALSA: usb-audio: Update documentation comment for MS2109 quirk
    - io_uring: Fix NULL pointer dereference in io_sq_wq_submit_work()
    - Linux 5.4.62

* DELL LATITUDE 5491 touchscreen doesn't work (LP: #1889446) // Focal update:
    v5.4.62 upstream stable release (LP: #1895174)
    - USB: quirks: Add no-lpm quirk for another Raydium touchscreen

* [NUC8CCHK][HDA-Intel - HDA Intel PCH, playback] No sound at all
    (LP: #1875199) // Focal update: v5.4.62 upstream stable release
    (LP: #1895174)
    - ALSA: hda/realtek: Fix pin default on Intel NUC 8 Rugged

* Focal update: v5.4.61 upstream stable release (LP: #1893115)
    - Documentation/llvm: add documentation on building w/ Clang/LLVM
    - Documentation/llvm: fix the name of llvm-size
    - net: wan: wanxl: use allow to pass CROSS_COMPILE_M68k for rebuilding
      firmware
    - net: wan: wanxl: use $(M68KCC) instead of $(M68KAS) for rebuilding firmware
    - x86/boot: kbuild: allow readelf executable to be specified
    - kbuild: remove PYTHON2 variable
    - kbuild: remove AS variable
    - kbuild: replace AS=clang with LLVM_IAS=1
    - kbuild: support LLVM=1 to switch the default tools to Clang/LLVM
    - drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset()
    - gfs2: Improve mmap write vs. punch_hole consistency
    - gfs2: Never call gfs2_block_zero_range with an open transaction
    - perf probe: Fix memory leakage when the probe point is not found
    - khugepaged: khugepaged_test_exit() check mmget_still_valid()
    - khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
    - bcache: avoid nr_stripes overflow in bcache_device_init()
    - btrfs: export helpers for subvolume name/id resolution
    - btrfs: don't show full path of bind mounts in subvol=
    - btrfs: return EROFS for BTRFS_FS_STATE_ERROR cases
    - btrfs: add wrapper for transaction abort predicate
    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Flex Book
    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion
    - can: j1939: transport: j1939_session_tx_dat(): fix use-after-free read in
      j1939_tp_txtimer()
    - can: j1939: socket: j1939_sk_bind(): make sure ml_priv is allocated
    - [Config] update config for SPI_DYNAMIC
    - spi: Prevent adding devices below an unregistering controller
    - romfs: fix uninitialized memory leak in romfs_dev_read()
    - kernel/relay.c: fix memleak on destroy relay channel
    - uprobes: __replace_page() avoid BUG in munlock_vma_page()
    - mm: include CMA pages in lowmem_reserve at boot
    - mm, page_alloc: fix core hung in free_pcppages_bulk()
    - RDMA/hfi1: Correct an interlock issue for TID RDMA WRITE request
    - ext4: fix checking of directory entry validity for inline directories
    - jbd2: add the missing unlock_buffer() in the error path of
      jbd2_write_superblock()
    - scsi: zfcp: Fix use-after-free in request timeout handlers
    - drm/amdgpu/display: use GFP_ATOMIC in dcn20_validate_bandwidth_internal
    - drm/amd/display: Fix EDID parsing after resume from suspend
    - drm/amd/display: fix pow() crashing when given base 0
    - kthread: Do not preempt current task if it is going to call schedule()
    - opp: Enable resources again if they were disabled earlier
    - scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices
    - scsi: target: tcmu: Fix crash in tcmu_flush_dcache_range on ARM
    - media: budget-core: Improve exception handling in budget_register()
    - rtc: goldfish: Enable interrupt in set_alarm() when necessary
    - media: vpss: clean up resources in init
    - Input: psmouse - add a newline when printing 'proto' by sysfs
    - MIPS: Fix unable to reserve memory for Crash kernel
    - m68knommu: fix overwriting of bits in ColdFire V3 cache control
    - svcrdma: Fix another Receive buffer leak
    - xfs: fix inode quota reservation checks
    - drm/ttm: fix offset in VMAs with a pg_offs in ttm_bo_vm_access
    - jffs2: fix UAF problem
    - ceph: fix use-after-free for fsc->mdsc
    - swiotlb-xen: use vmalloc_to_page on vmalloc virt addresses
    - cpufreq: intel_pstate: Fix cpuinfo_max_freq when MSR_TURBO_RATIO_LIMIT is 0
    - scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases
    - virtio_ring: Avoid loop when vq is broken in virtqueue_poll
    - media: camss: fix memory leaks on error handling paths in probe
    - tools/testing/selftests/cgroup/cgroup_util.c: cg_read_strcmp: fix null
      pointer dereference
    - xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
    - alpha: fix annotation of io{read,write}{16,32}be()
    - fs/signalfd.c: fix inconsistent return codes for signalfd4
    - ext4: fix potential negative array index in do_split()
    - ext4: don't allow overlapping system zones
    - netfilter: nf_tables: nft_exthdr: the presence return value should be
      little-endian
    - spi: stm32: fixes suspend/resume management
    - ASoC: q6afe-dai: mark all widgets registers as SND_SOC_NOPM
    - ASoC: q6routing: add dummy register read/write function
    - bpf: sock_ops sk access may stomp registers when dst_reg = src_reg
    - can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can()
    - can: j1939: transport: j1939_simple_recv(): ignore local J1939 messages send
      not by J1939 stack
    - can: j1939: transport: add j1939_session_skb_find_by_offset() function
    - i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
    - i40e: Fix crash during removing i40e driver
    - net: fec: correct the error path for regulator disable in probe
    - bonding: show saner speed for broadcast mode
    - can: j1939: fix support for multipacket broadcast message
    - can: j1939: cancel rxtimer on multipacket broadcast session complete
    - can: j1939: abort multipacket broadcast session when timeout occurs
    - can: j1939: add rxtimer for multipacket broadcast session
    - bonding: fix a potential double-unregister
    - s390/runtime_instrumentation: fix storage key handling
    - s390/ptrace: fix storage key handling
    - ASoC: msm8916-wcd-analog: fix register Interrupt offset
    - ASoC: intel: Fix memleak in sst_media_open
    - vfio/type1: Add proper error unwind for vfio_iommu_replay()
    - kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode
    - kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode
    - Revert "scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe"
    - kconfig: qconf: do not limit the pop-up menu to the first row
    - kconfig: qconf: fix signal connection to invalid slots
    - efi: avoid error message when booting under Xen
    - Fix build error when CONFIG_ACPI is not set/enabled:
    - RDMA/bnxt_re: Do not add user qps to flushlist
    - afs: Fix NULL deref in afs_dynroot_depopulate()
    - bonding: fix active-backup failover for current ARP slave
    - net: ena: Prevent reset after device destruction
    - net: gemini: Fix missing free_netdev() in error path of
      gemini_ethernet_port_probe()
    - hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
    - net: dsa: b53: check for timeout
    - powerpc/pseries: Do not initiate shutdown when system is running on UPS
    - efi: add missed destroy_workqueue when efisubsys_init fails
    - epoll: Keep a reference on files added to the check list
    - do_epoll_ctl(): clean the failure exits up a bit
    - mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible
    - xen: don't reschedule in preemption off sections
    - KVM: Pass MMU notifier range flags to kvm_unmap_hva_range()
    - KVM: arm64: Only reschedule if MMU_NOTIFIER_RANGE_BLOCKABLE is not set
    - Linux 5.4.61

* [UBUNTU 20.04] zPCI device hot-plug during boot may result in unusable
    device (LP: #1893778)
    - s390/pci: ignore stale configuration request event

* [SRU] [Focal/OEM-5.6/Groovy]Fix AMD usb host controller lost after stress S3
    (LP: #1893914)
    - SAUCE: xhci: workaround for S3 issue on AMD SNPS 3.0 xHC

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Mon, 05 Oct 2020 15:34:26 +0200

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2020-10-14

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released

Revision history for this message

bugproxy (bugproxy) wrote on 2020-10-20:

------- Comment From <email address hidden> 2020-10-20 08:40 EDT-------
IBM Bugzilla status-> closed, Fix Released with all requested Distros

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

[UBUNTU 20.04] zPCI device hot-plug during boot may result in unusable device

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package