Some INVLPG implementations can leave Global translations unflushed when PCIDs are enabled

Bug #2023220 reported by Thadeu Lima de Souza Cascardo
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Status tracked in Mantic
Trusty
Incomplete
Undecided
Unassigned
Xenial
Incomplete
Undecided
Unassigned
Bionic
Incomplete
Undecided
Unassigned
Focal
Fix Released
High
Thadeu Lima de Souza Cascardo
Jammy
Fix Released
High
Thadeu Lima de Souza Cascardo
Kinetic
Fix Released
High
Thadeu Lima de Souza Cascardo
Lunar
Fix Released
High
Thadeu Lima de Souza Cascardo
Mantic
Fix Released
High
Thadeu Lima de Souza Cascardo
linux-oem-6.1 (Ubuntu)
Status tracked in Mantic
Trusty
Invalid
Undecided
Unassigned
Xenial
Invalid
Undecided
Unassigned
Bionic
Invalid
Undecided
Unassigned
Focal
Invalid
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned
Kinetic
Invalid
Undecided
Unassigned
Lunar
Invalid
Undecided
Unassigned
Mantic
Invalid
Undecided
Unassigned

Bug Description

[Impact]
When PCIDs are enabled on Alder Lake and Raptor Lake, INVLPG will not flush the global TLB entries. This can lead to info leak or undefined behavior.

[Mitigation]
Boot with nopcid on affected systems.

[Test case]
There is no particular test case.

[Potential regressions]
This affects performance on the affected systems. TLB behavior could also be affected.

CVE References

Changed in linux (Ubuntu Mantic):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Lunar):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Kinetic):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Jammy):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Focal):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Mantic):
importance: Undecided → High
Changed in linux (Ubuntu Lunar):
importance: Undecided → High
Changed in linux (Ubuntu Kinetic):
importance: Undecided → High
Changed in linux (Ubuntu Jammy):
importance: Undecided → High
Changed in linux (Ubuntu Focal):
importance: Undecided → High
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2023220

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Bionic):
status: New → Incomplete
Changed in linux (Ubuntu Focal):
status: New → Incomplete
Changed in linux (Ubuntu Jammy):
status: New → Incomplete
Changed in linux (Ubuntu Kinetic):
status: New → Incomplete
Changed in linux (Ubuntu Lunar):
status: New → Incomplete
Changed in linux (Ubuntu Trusty):
status: New → Incomplete
Changed in linux (Ubuntu Xenial):
status: New → Incomplete
Changed in linux (Ubuntu Mantic):
status: Incomplete → Fix Released
Changed in linux (Ubuntu Lunar):
status: Incomplete → In Progress
Changed in linux (Ubuntu Kinetic):
status: Incomplete → In Progress
Changed in linux (Ubuntu Jammy):
status: Incomplete → In Progress
Changed in linux (Ubuntu Focal):
status: Incomplete → In Progress
Changed in linux-oem-6.1 (Ubuntu Trusty):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Xenial):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Bionic):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Focal):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Kinetic):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Lunar):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Mantic):
status: New → Invalid
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Kinetic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Lunar):
status: In Progress → Fix Committed
Timo Aaltonen (tjaalton)
Changed in linux-oem-6.1 (Ubuntu Jammy):
status: New → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-oem-6.1/6.1.0-1015.15 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-oem-6.1 verification-needed-jammy
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-77.84 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-154.171 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux verification-needed-focal
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.2.0-25.25 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux verification-needed-lunar
tags: added: verification-done-lunar
removed: verification-needed-lunar
tags: added: verification-done-jammy verification-done-kinetic
removed: verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-76.83

---------------
linux (5.15.0-76.83) jammy; urgency=medium

  * jammy/linux: 5.15.0-76.83 -proposed tracker (LP: #2023905)

  * cls_flower: off-by-one in fl_set_geneve_opt (LP: #2023577)
    - net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

  * Some INVLPG implementations can leave Global translations unflushed when
    PCIDs are enabled (LP: #2023220)
    - x86/mm: Avoid incomplete Global INVLPG flushes

 -- Thadeu Lima de Souza Cascardo <email address hidden> Thu, 15 Jun 2023 14:47:18 -0300

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.2.0-24.24

---------------
linux (6.2.0-24.24) lunar; urgency=medium

  * lunar/linux: 6.2.0-24.24 -proposed tracker (LP: #2024058)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] resync getabis

  * cls_flower: off-by-one in fl_set_geneve_opt (LP: #2023577)
    - net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

  * Some INVLPG implementations can leave Global translations unflushed when
    PCIDs are enabled (LP: #2023220)
    - x86/mm: Avoid incomplete Global INVLPG flushes

 -- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 16 Jun 2023 06:07:20 -0300

Changed in linux (Ubuntu Lunar):
status: Fix Committed → Fix Released
tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-oem-6.1 - 6.1.0-1015.15

---------------
linux-oem-6.1 (6.1.0-1015.15) jammy; urgency=medium

  * jammy/linux-oem-6.1: 6.1.0-1015.15 -proposed tracker (LP: #2024152)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] resync getabis

  * CVE-2023-2430
    - io_uring: get rid of double locking
    - io_uring: extract a io_msg_install_complete helper
    - io_uring/msg_ring: move double lock/unlock helpers higher up
    - io_uring/msg_ring: fix missing lock on overflow for IOPOLL

  * LSM: Configuring Too Many LSMs Causes Kernel Panic on Boot (LP: #1987998)
    - SAUCE: LSM: Change Landlock from LSMBLOB_NEEDED to LSMBLOB_NOT_NEEDED

  * Some INVLPG implementations can leave Global translations unflushed when
    PCIDs are enabled (LP: #2023220)
    - x86/mm: Avoid incomplete Global INVLPG flushes

  * cls_flower: off-by-one in fl_set_geneve_opt (LP: #2023577)
    - net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

  * CVE-2023-2176
    - RDMA/core: Refactor rdma_bind_addr

  * ALSA: hda/realtek: Enable headset onLenovo M70/M90 (LP: #2021449)
    - ALSA: hda/realtek: Enable headset onLenovo M70/M90

  * Add microphone support of the front headphone port on P3 Tower
    (LP: #2023650)
    - ALSA: hda/realtek: Add Lenovo P3 Tower platform

  * Add support of Smart Amplifier IC ALC1319D on Intel platforms
    (LP: #2023201)
    - ASoC: Intel: soc-acpi: add table for RPL Dell SKU 0BDA

  * Fix speaker volume too low on HP G10 laptops (LP: #2023197)
    - ALSA: hda/realtek: Enable 4 amplifiers instead of 2 on a HP platform

  * System hang at reading amdgpu sysfs attribute psp_vbflash (LP: #2023307)
    - SAUCE: drm/amd: Make sure image is written to trigger VBIOS image update
      flow

  * System either hang with black screen or rebooted on entering suspend on AMD
    Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics (LP: #2020685)
    - drm/amdgpu: refine get gpu clock counter method
    - drm/amdgpu/gfx11: update gpu_clock_counter logic

  * Fix Monitor lost after replug WD19TBS to SUT port with VGA/DVI to type-C
    dongle (LP: #2021949)
    - thunderbolt: Increase timeout of DP OUT adapter handshake
    - thunderbolt: Do not touch CL state configuration during discovery
    - thunderbolt: Increase DisplayPort Connection Manager handshake timeout

  * Fix Disable thunderbolt clx make edp-monitor garbage while moving the
    touchpad (LP: #2023004)
    - drm/i915: Explain the magic numbers for AUX SYNC/precharge length
    - drm/i915: Use 18 fast wake AUX sync len

  * Include the MAC address pass through function on RTL8153DD-CG (LP: #2020295)
    - r8152: add USB device driver for config selection

  * FM350(mtk_t7xx) failed to suspend, or early wake while suspending
    (LP: #2020743)
    - net: wwan: t7xx: Ensure init is completed before system sleep

 -- Timo Aaltonen <email address hidden> Fri, 16 Jun 2023 11:51:13 +0300

Changed in linux-oem-6.1 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-153.170

---------------
linux (5.4.0-153.170) focal; urgency=medium

  * focal/linux: 5.4.0-153.170 -proposed tracker (LP: #2024108)

  * cls_flower: off-by-one in fl_set_geneve_opt (LP: #2023577)
    - net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

  * Some INVLPG implementations can leave Global translations unflushed when
    PCIDs are enabled (LP: #2023220)
    - x86/mm: Avoid incomplete Global INVLPG flushes

 -- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 16 Jun 2023 10:20:20 -0300

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.19.0-46.47

---------------
linux (5.19.0-46.47) kinetic; urgency=medium

  * kinetic/linux: 5.19.0-46.47 -proposed tracker (LP: #2024043)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] resync getabis

  * CVE-2023-2430
    - io_uring/msg_ring: fix missing lock on overflow for IOPOLL

  * cls_flower: off-by-one in fl_set_geneve_opt (LP: #2023577)
    - net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

  * Some INVLPG implementations can leave Global translations unflushed when
    PCIDs are enabled (LP: #2023220)
    - x86/mm: Avoid incomplete Global INVLPG flushes

 -- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 16 Jun 2023 09:36:59 -0300

Changed in linux (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.19.0-47.49 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-kinetic' to 'verification-done-kinetic'. If the problem still exists, change the tag 'verification-needed-kinetic' to 'verification-failed-kinetic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-kinetic-linux verification-needed-kinetic
removed: verification-done-kinetic
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra/5.15.0-1015.15 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra verification-needed-jammy
removed: verification-done-jammy
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-xilinx-zynqmp/5.15.0-1023.27 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-xilinx-zynqmp
tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-ibm/5.15.0-1035.38 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-ibm verification-needed-jammy
removed: verification-done-jammy
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-riscv/6.2.0-27.28.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux-riscv verification-needed-lunar
removed: verification-done-lunar
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/5.15.0-1043.50 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-azure
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/6.2.0-1009.9 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux-azure
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws/5.15.0-1041.46 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-aws
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-6.2/6.2.0-26.26~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-hwe-6.2
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/5.4.0-1113.119 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-azure verification-needed-focal
removed: verification-done-focal
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws/5.4.0-1107.115 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-aws
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-5.15/5.15.0-1046.51~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-done-focal-linux-aws-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-failed-focal-linux-aws-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-aws-5.15-v2 verification-needed-focal-linux-aws-5.15
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.