This bug was fixed in the package linux - 6.11.0-7.7
---------------
linux (6.11.0-7.7) oracular; urgency=medium
* oracular/linux: 6.11.0-7.7 -proposed tracker (LP: #2079949)
* update apparmor and LSM stacking patch set (LP: #2028253)
- SAUCE: apparmor4.0.0 [1/99]: LSM: Infrastructure management of the sock
security
- SAUCE: apparmor4.0.0 [2/99]: LSM: Add the lsmblob data structure.
- SAUCE: apparmor4.0.0 [3/99]: LSM: Use lsmblob in security_audit_rule_match
- SAUCE: apparmor4.0.0 [4/99]: LSM: Call only one hook for audit rules
- SAUCE: apparmor4.0.0 [5/99]: LSM: Add lsmblob_to_secctx hook
- SAUCE: apparmor4.0.0 [6/99]: Audit: maintain an lsmblob in audit_context
- SAUCE: apparmor4.0.0 [7/99]: LSM: Use lsmblob in security_ipc_getsecid
- SAUCE: apparmor4.0.0 [8/99]: Audit: Update shutdown LSM data
- SAUCE: apparmor4.0.0 [9/99]: LSM: Use lsmblob in security_current_getsecid
- SAUCE: apparmor4.0.0 [10/99]: LSM: Use lsmblob in security_inode_getsecid
- SAUCE: apparmor4.0.0 [11/99]: Audit: use an lsmblob in audit_names
- SAUCE: apparmor4.0.0 [12/99]: LSM: Create new security_cred_getlsmblob LSM
hook
- SAUCE: apparmor4.0.0 [13/99]: Audit: Change context data from secid to
lsmblob
- SAUCE: apparmor4.0.0 [14/99]: Netlabel: Use lsmblob for audit data
- SAUCE: apparmor4.0.0 [15/99]: LSM: Ensure the correct LSM context releaser
- SAUCE: apparmor4.0.0 [16/99]: LSM: Use lsmcontext in
security_secid_to_secctx
- SAUCE: apparmor4.0.0 [17/99]: LSM: Use lsmcontext in
security_lsmblob_to_secctx
- SAUCE: apparmor4.0.0 [18/99]: LSM: Use lsmcontext in
security_inode_getsecctx
- SAUCE: apparmor4.0.0 [19/99]: LSM: lsmcontext in
security_dentry_init_security
- SAUCE: apparmor4.0.0 [20/99]: LSM: security_lsmblob_to_secctx module
selection
- SAUCE: apparmor4.0.0 [21/99]: Audit: Create audit_stamp structure
- SAUCE: apparmor4.0.0 [22/99]: Audit: Allow multiple records in an
audit_buffer
- SAUCE: apparmor4.0.0 [23/99]: Audit: Add record for multiple task security
contexts
- SAUCE: apparmor4.0.0 [24/99]: audit: multiple subject lsm values for
netlabel
- SAUCE: apparmor4.0.0 [25/99]: Audit: Add record for multiple object
contexts
- SAUCE: apparmor4.0.0 [26/99]: LSM: Remove unused lsmcontext_init()
- SAUCE: apparmor4.0.0 [27/99]: LSM: Improve logic in security_getprocattr
- SAUCE: apparmor4.0.0 [28/99]: LSM: secctx provider check on release
- SAUCE: apparmor4.0.0 [29/99]: LSM: Single calls in socket_getpeersec hooks
- SAUCE: apparmor4.0.0 [30/99]: LSM: Exclusive secmark usage
- SAUCE: apparmor4.0.0 [31/99]: LSM: Identify which LSM handles the context
string
- SAUCE: apparmor4.0.0 [32/99]: AppArmor: Remove the exclusive flag
- SAUCE: apparmor4.0.0 [33/99]: LSM: Add mount opts blob size tracking
- SAUCE: apparmor4.0.0 [34/99]: LSM: allocate mnt_opts blobs instead of
module
specific data
- SAUCE: apparmor4.0.0 [35/99]: LSM: Infrastructure management of the key
security blob
- SAUCE: apparmor4.0.0 [36/99]: LSM: Infrastructure management of the
mnt_opts
security blob
- SAUCE: apparmor4.0.0 [37/99]: LSM: Remove lsmblob scaffolding
- SAUCE: apparmor4.0.0 [38/99]: LSM: Allow reservation of netlabel
- SAUCE: apparmor4.0.0 [39/99]: LSM: restrict security_cred_getsecid() to a
single LSM
- SAUCE: apparmor4.0.0 [40/99]: Smack: Remove LSM_FLAG_EXCLUSIVE
- SAUCE: apparmor4.0.0 [41/99]: LSM stacking v39: UBUNTU: SAUCE:
apparmor4.0.0
[41/99]: add/use fns to print hash string hex value
- SAUCE: apparmor4.0.0 [42/99]: patch to provide compatibility with v2.x net
rules
- SAUCE: apparmor4.0.0 [43/99]: add unpriviled user ns mediation
- SAUCE: apparmor4.0.0 [44/99]: Add sysctls for additional controls of
unpriv
userns restrictions
- SAUCE: apparmor4.0.0 [45/99]: af_unix mediation
- SAUCE: apparmor4.0.0 [46/99]: Add fine grained mediation of posix mqueues
- SAUCE: apparmor4.0.0 [47/99] fixup inode_set_attr
- SAUCE: apparmor4.0.0 [48/99]: setup slab cache for audit data
- SAUCE: apparmor4.0.0 [49/99]: Improve debug print infrastructure
- SAUCE: apparmor4.0.0 [50/99]: add the ability for profiles to have a
learning cache
- SAUCE: apparmor4.0.0 [51/99]: enable userspace upcall for mediation
- SAUCE: apparmor4.0.0 [52/99]: prompt - lock down prompt interface
- SAUCE: apparmor4.0.0 [53/99]: prompt - allow controlling of caching of a
prompt response
- SAUCE: apparmor4.0.0 [54/99]: prompt - add refcount to audit_node in prep
or
reuse and delete
- SAUCE: apparmor4.0.0 [55/99]: prompt - refactor to moving caching to
uresponse
- SAUCE: apparmor4.0.0 [56/99]: prompt - Improve debug statements
- SAUCE: apparmor4.0.0 [57/99]: prompt - fix caching
- SAUCE: apparmor4.0.0 [58/99]: prompt - rework build to use append fn, to
simplify adding strings
- SAUCE: apparmor4.0.0 [59/99]: prompt - refcount notifications
- SAUCE: apparmor4.0.0 [60/99]: prompt - add the ability to reply with a
profile name
- SAUCE: apparmor4.0.0 [61/99]: prompt - fix notification cache when
updating
- SAUCE: apparmor4.0.0 [62/99]: prompt - add tailglob on name for cache
support
- SAUCE: apparmor4.0.0 [63/99]: prompt - allow profiles to set prompts as
interruptible
- SAUCE: apparmor4.0.0 [64/93] v6.8 prompt:fixup interruptible
- SAUCE: apparmor4.0.0 [65/99]: prompt - add support for advanced filtering
of
notifications
- SAUCE: apparmor4.0.0 [66/99]: userns - add the ability to reference a
global
variable for a feature value
- SAUCE: apparmor4.0.0 [67/99]: userns - make it so special unconfined
profiles can mediate user namespaces
- SAUCE: apparmor4.0.0 [68/99]: add io_uring mediation
- SAUCE: apparmor4.0.0 [69/99]: apparmor: fix oops when racing to retrieve
notification
- SAUCE: apparmor4.0.0 [70/99]: apparmor: fix notification header size
- SAUCE: apparmor4.0.0 [71/99]: apparmor: fix request field from a prompt
reply that denies all access
- SAUCE: apparmor4.0.0 [72/99]: apparmor: open userns related sysctl so lxc
can check if restriction are in place
- SAUCE: apparmor4.0.0 [73/99]: apparmor: cleanup attachment perm lookup to
use lookup_perms()
- SAUCE: apparmor4.0.0 [74/99]: apparmor: remove redundant unconfined check.
- SAUCE: apparmor4.0.0 [75/99]: apparmor: switch signal mediation to using
RULE_MEDIATES
- SAUCE: apparmor4.0.0 [76/99]: apparmor: ensure labels with more than one
entry have correct flags
- SAUCE: apparmor4.0.0 [77/99]: apparmor: remove explicit restriction that
unconfined cannot use change_hat
- SAUCE: apparmor4.0.0 [78/99]: apparmor: cleanup: refactor file_perm() to
provide semantics of some checks
- SAUCE: apparmor4.0.0 [79/99]: apparmor: carry mediation check on label
- SAUCE: apparmor4.0.0 [80/99]: apparmor: convert easy uses of unconfined()
to
label_mediates()
- SAUCE: apparmor4.0.0 [81/99]: apparmor: add additional flags to extended
permission.
- SAUCE: apparmor4.0.0 [82/99]: apparmor: add support for profiles to define
the kill signal
- SAUCE: apparmor4.0.0 [83/99]: apparmor: fix x_table_lookup when stacking
is
not the first entry
- SAUCE: apparmor4.0.0 [84/99]: apparmor: allow profile to be transitioned
when a user ns is created
- SAUCE: apparmor4.0.0 [85/99]: apparmor: add ability to mediate caps with
policy state machine
- SAUCE: apparmor4.0.0 [86/99]: fixup notify
- SAUCE: apparmor4.0.0 [87/99]: apparmor: add fine grained ipv4/ipv6
mediation
- SAUCE: apparmor4.0.0 [88/99]: apparmor: disable tailglob responses for now
- SAUCE: apparmor4.0.0 [89/99]: apparmor: Fix notify build warnings
- SAUCE: apparmor4.0.0 [90/99]: fix reserved mem for when we save ipv6
addresses
- SAUCE: apparmor4.0.0 [91/99]: fix address mapping for recvfrom
- SAUCE: apparmor4.0.0 [92/99]: apparmor: add support for 2^24 states to the
dfa state machine.
- SAUCE: apparmor4.0.0 [93/99]: apparmor: advertise to userspace support of
user upcall for file rules.
- SAUCE: apparmor4.0.0 [94/99]: apparmor: allocate xmatch for nullpdf inside
aa_alloc_null
- SAUCE: apparmor4.0.0 [95/99]: apparmor: properly handle cx/px lookup
failure
for complain
- SAUCE: apparmor4.0.0 [96/99]: apparmor: fix prompt failing during large
down
loads
- SAUCE: apparmor4.0.0 [97/99]: apparmor: fix allow field in notification
- SAUCE: apparmor4.0.0 [98/99]: fix build error with !CONFIG_SECURITY
- SAUCE: apparmor4.0.0 [99/99]: fix build error with in nfs4xdr
* Intel Lunar Lake / Battlemage enablement (LP: #2076209)
- drm/xe/lnl: Drop force_probe requirement
- drm/xe: Support 'nomodeset' kernel command-line option
- drm/i915/display: Plane capability for 64k phys alignment
- drm/xe: Align all VRAM scanout buffers to 64k physical pages when needed.
- drm/xe: Use separate rpm lockdep map for non-d3cold-capable devices
- drm/xe: Fix NPD in ggtt_node_remove()
- drm/xe/bmg: Drop force_probe requirement
- drm/xe/gsc: Fix FW status if the firmware is already loaded
- drm/xe/gsc: Track the platform in the compatibility version
- drm/xe/gsc: Wedge the device if the GSCCS reset fails
- drm/i915/bios: Update new entries in VBT BDB block definitions
- drm/xe/hwmon: Treat hwmon as a per-device concept
- drm/xe: s/xe_tile_migrate_engine/xe_tile_migrate_exec_queue
- drm/xe: Add xe_vm_pgtable_update_op to xe_vma_ops
- drm/xe: Add xe_exec_queue_last_fence_test_dep
- drm/xe: Add timeout to preempt fences
- drm/xe: Convert multiple bind ops into single job
- drm/xe: Update VM trace events
- drm/xe: Update PT layer with better error handling
- drm/xe: Add VM bind IOCTL error injection
- dma-buf: Split out dma fence array create into alloc and arm functions
- drm/xe: Invalidate media_gt TLBs in PT code
- drm/i915/display: Fix BMG CCS modifiers
- drm/xe: Use xe_pm_runtime_get in xe_bo_move() if reclaim-safe.
- drm/xe: Remove extra dma_fence_put on xe_sync_entry_add_deps failure
* [24.10 FEAT] [KRN1911] Vertical CPU Polarization Support Stage 2
(LP: #2072760)
- s390/wti: Introduce infrastructure for warning track interrupt
- s390/wti: Prepare graceful CPU pre-emption on wti reception
- s390/wti: Add wti accounting for missed grace periods
- s390/wti: Add debugfs file to display missed grace periods per cpu
- s390/topology: Add sysctl handler for polarization
- s390/topology: Add config option to switch to vertical during boot
- s390/smp: Add cpu capacities
- s390/hiperdispatch: Introduce hiperdispatch
- s390/hiperdispatch: Add steal time averaging
- s390/hiperdispatch: Add trace events
- s390/hiperdispatch: Add hiperdispatch sysctl interface
- s390/hiperdispatch: Add hiperdispatch debug attributes
- s390/hiperdispatch: Add hiperdispatch debug counters
- [Config] Initial set of new options HIPERDISPATCH_ON and
SCHED_TOPOLOGY_VERTICAL to yes for s390x
* Remove non-LPAE kernel flavor (LP: #2025265)
- [Packaging] Drop control.d/vars.generic-lpae
* generate and ship vmlinux.h to allow packages to build BPF CO-RE
(LP: #2050083)
- [Packaging] Don't call dh_all on linux-bpf-dev unless on master kernel
* Miscellaneous Ubuntu changes
- [Config] updateconfigs following v6.11-rc7 rebase
-- Timo Aaltonen <[email protected]> Mon, 09 Sep 2024
13:38:09 +0300
** Changed in: linux (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2077145
Title:
GDS force mitigation re-enabled in 6.10 (and 6.11) causing crashes
Status in linux package in Ubuntu:
Fix Released
Bug description:
The (supposedly unintended) re-enabling of GDS force mitigation in the
Ubuntu 6.10 kernels causes the AVX instruction to be disabled on older
CPUs which have no available microcode update. This causes various
programs to crash due to the unconditional use of AVX in libgnutls.so,
libxul.so, etc.
Typically "traps" of "invalid opcode" will be seen in dmesg output
along with the initial notice:
[ 0.121833] GDS: Microcode update needed! Disabling AVX as mitigation.
[ 0.121835] GDS: Mitigation: AVX disabled, no microcode
When GDS force mitigation appeared in the kernel, with default "y", it
created a lot of issues like these and Ubuntu quickly patched all
their kernels, this from the 6.2.0-28.29_6.2.0-31.31 diff:
==========
```
diff -u linux-6.2.0/debian.master/changelog
linux-6.2.0/debian.master/changelog
--- linux-6.2.0/debian.master/changelog
+++ linux-6.2.0/debian.master/changelog
@@ -1,3 +1,13 @@
+linux (6.2.0-31.31) lunar; urgency=medium
+
+ * lunar/linux: 6.2.0-31.31 -proposed tracker (LP: #2031146)
+
+ * libgnutls report "trap invalid opcode" when trying to install packages
over
+ https (LP: #2031093)
+ - [Config]: disable CONFIG_GDS_FORCE_MITIGATION
+
+ -- Thadeu Lima de Souza Cascardo <[email protected]> Mon, 14 Aug 2023
08:29:52 -0300
+
linux (6.2.0-28.29) lunar; urgency=medium
* lunar/linux: 6.2.0-28.29 -proposed tracker (LP: #2030547)
diff -u linux-6.2.0/debian.master/config/annotations
linux-6.2.0/debian.master/config/annotations
--- linux-6.2.0/debian.master/config/annotations
+++ linux-6.2.0/debian.master/config/annotations
@@ -4992,7 +4992,7 @@
CONFIG_GCC_VERSION policy<{'amd64': '120200',
'arm64': '120200', 'armhf': '120200', 'ppc64el': '120200', 'riscv64': '120200',
's390x': '120200'}>
CONFIG_GCOV_KERNEL policy<{'amd64': 'n',
'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 'riscv64': 'n', 's390x': 'n'}>
CONFIG_GDB_SCRIPTS policy<{'amd64': 'y',
'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'y'}>
-CONFIG_GDS_FORCE_MITIGATION policy<{'amd64': 'y'}>
+CONFIG_GDS_FORCE_MITIGATION policy<{'amd64': 'n'}>
CONFIG_GEMINI_ETHERNET policy<{'arm64': 'm',
'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}>
CONFIG_GENERIC_ADC_BATTERY policy<{'amd64': 'm',
'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}>
CONFIG_GENERIC_ADC_THERMAL policy<{'amd64': 'm',
'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}>
```
==========
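Review bot: the flip of CONFIG_GDS_FORCE_MITIGATION from 'y' to 'n' in the @@ -4992 hunk of debian.master/config/annotations carries no rationale next to the policy line; the reason (LP: #2031093) is recorded only in the changelog hunk. Suggest recording the bug reference with the entry itself, so that anyone later dropping or renaming the option can see that 'n' is a deliberate override rather than a default.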
In upstream 6.9 the option was renamed from
CONFIG_GDS_FORCE_MITIGATION to CONFIG_MITIGATION_GDS_FORCE, but when
Ubuntu jumped from 6.8 to 6.10, this customization was lost, seen in
the 6.8.0-31.31_6.10.0-15.15 diff:
==========
```
CONFIG_GDB_SCRIPTS policy<{'amd64': 'y',
'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'y'}>
-CONFIG_GDS_FORCE_MITIGATION policy<{'amd64': 'n'}>
CONFIG_GEMINI_ETHERNET policy<{'arm64': 'm',
'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}>
...
CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY policy<{'arm64': 'y'}>
+CONFIG_MITIGATION_CALL_DEPTH_TRACKING policy<{'amd64': 'y'}>
+CONFIG_MITIGATION_GDS_FORCE policy<{'amd64': 'y'}>
+CONFIG_MITIGATION_IBPB_ENTRY policy<{'amd64': 'y'}>
+CONFIG_MITIGATION_IBRS_ENTRY policy<{'amd64': 'y'}>
```
==========
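Review bot: the removed line CONFIG_GDS_FORCE_MITIGATION policy<{'amd64': 'n'}> has no counterpart that carries its value forward, and CONFIG_MITIGATION_GDS_FORCE is added as policy<{'amd64': 'y'}>, so the amd64 override is reversed by this change. If the 'n' is still intended, the added line should read CONFIG_MITIGATION_GDS_FORCE policy<{'amd64': 'n'}>.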
I am sure this was an oversight, and that the old option was simply
dropped because it didn't exist any longer, without thinking of it
being renamed (among a lot of other renames).
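The lost override described above can be caught mechanically by comparing the old and new annotations against a list of known renames. The following is an added example, not part of the bug report or of Ubuntu's tooling; the function names are hypothetical, the rename map holds only the rename stated in the report, and it assumes one `CONFIG_… policy<{…}>` entry per line (the excerpts above are wrapped by e-mail).

```python
import ast
import re

# One annotations entry per line: CONFIG_NAME policy<{'arch': 'value', ...}>
ENTRY = re.compile(r"^(CONFIG_\w+)\s+policy<(\{.*\})>\s*$")


def parse_annotations(text):
    """Return {option: {arch: value}} for every policy line in the text."""
    policies = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            policies[m.group(1)] = ast.literal_eval(m.group(2))
    return policies


def lost_overrides(old_text, new_text, renames):
    """List (old, new, arch, old_value, new_value) where a rename changed policy."""
    old, new = parse_annotations(old_text), parse_annotations(new_text)
    findings = []
    for old_name, new_name in renames.items():
        if old_name not in old or old_name in new:
            continue  # option was never set, or has not been dropped
        for arch, value in sorted(old[old_name].items()):
            now = new.get(new_name, {}).get(arch)  # None if the new name is absent
            if now != value:
                findings.append((old_name, new_name, arch, value, now))
    return findings


# Constructed sample input: entries from the two excerpts in the report,
# rejoined onto single lines and shortened.
OLD = """
CONFIG_GDB_SCRIPTS policy<{'amd64': 'y', 'arm64': 'y'}>
CONFIG_GDS_FORCE_MITIGATION policy<{'amd64': 'n'}>
"""
NEW = """
CONFIG_GDB_SCRIPTS policy<{'amd64': 'y', 'arm64': 'y'}>
CONFIG_MITIGATION_GDS_FORCE policy<{'amd64': 'y'}>
CONFIG_MITIGATION_IBPB_ENTRY policy<{'amd64': 'y'}>
"""
# Rename taken from the report (upstream 6.9).
RENAMES = {"CONFIG_GDS_FORCE_MITIGATION": "CONFIG_MITIGATION_GDS_FORCE"}

if __name__ == "__main__":
    for old_name, new_name, arch, was, now in lost_overrides(OLD, NEW, RENAMES):
        print(f"{arch}: {old_name}={was} became {new_name}={now}")
```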