140 lines
5.3 KiB
Text
140 lines
5.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-18:17.vm Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: Kernel panic under load on Intel "Skylake" CPUs
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2018-12-19
|
|
Credits: Mark Johnston
|
|
Affects: FreeBSD 11.2
|
|
Corrected: 2018-12-02 18:08:27 UTC (stable/11, 11.2-STABLE)
|
|
2018-19-19 18:00:58 UTC (releng/11.2, 11.2-RELEASE-p7)
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The physical page allocator is a component of the kernel responsible for
|
|
tracking usage of the system's RAM by the kernel and by userland
|
|
applications. It maintains lists of unused memory pages which may be
|
|
returned by the allocator upon demand. It also maintains an integer
|
|
count of the number of pages stored in these lists.
|
|
|
|
II. Problem Description
|
|
|
|
The kernel contains handling for an Intel erratum affecting Skylake-X
|
|
CPUs. The erratum description states that a processor may hang when
|
|
performing a certain synchronization operation within a particular 4MB
|
|
region of physical memory. FreeBSD works around the erratum by using
|
|
a blacklisting mechanism to ensure that the physical page allocator
|
|
never returns pages in that region. However, this blacklisting
|
|
mechanism contained a bug such that the removal of pages in the region
|
|
was not reflected in the free page count.
|
|
|
|
III. Impact
|
|
|
|
The discrepancy between the free page count and the physical page
|
|
allocator's state can trigger a NULL pointer dereference when the
|
|
system is under heavy load, resulting in a panic.
|
|
|
|
IV. Workaround
|
|
|
|
Only systems using a Skylake-X or Skylake Server CPU are affected.
|
|
|
|
Affected systems can work around the problem by setting the
|
|
"hw.skz63_enable" to 0 in /boot/loader.conf, causing the handling for
|
|
the Intel erratum to be disabled upon a reboot of the system. However,
|
|
this raises the possibility of being affected by the erratum if software
|
|
running on the system makes use of Intel TSX.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date and reboot the system.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
Reboot the system
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.2]
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch.asc
|
|
# gpg --verify vm.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r341401
|
|
releng/11.2/ r342225
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231296>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:17.vm.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwannZfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cKsAxAAkr/ufB1aKSSib0n/e6PXE1FOnjUGgpK+LiiSG+QdW/6oMv/yto+4Qbj2
|
|
3Ht3TPyuoTqwQmHHiSzpnnnRHGDrdffiRYQsziFR89c8iyw7Qni8BYlK2YLYYw9i
|
|
TVyT6sxkorpTPZpGQZNaRBwZoWCLaxBvfKC0wVcli9gByOfb5T5J4puUNT4EXIpb
|
|
eaimCWG24vsIkWlHeC/8ulHsjEEDBatyfWWl95i8JVMqBDdHZypryJkO0jBo5Uig
|
|
PIighKIqDiEwwvjtHfGh4iAn3mFINDbMDdjXyMWYqDbgvX3J6cCv6qaY7p2eizQN
|
|
taN1rbC+7MJIFEkTFASvbJq7KOc/PcXOLU4O3964HZbbowdQNwAxQAuMGN6GNLmJ
|
|
ydHE7Atei1Py8q3gg9uMpX0TVikzfOL6iBmdzEkg2mgXIeyISLn5BTuE/k9hkVwi
|
|
6Boeec1qshtx04gF0xzsp/KPropad4nV09/E4cuo5jHuaq3WgpnDVzVhGEmFZpY7
|
|
Z5B8vHqSc7Ng0xZoQYIcYbGCVBaWNF4WCf/1DZhU44mXkob+CRkv+kROFkfn8lY3
|
|
2Jzjp7LWqPv9CFxIJ7q4BnDTyhxkQksm646tII1JNMcjY0hzFjQDUrVmDRb8ak/E
|
|
LsJNDKicqGdCdrHeA8jZm7RxwAmdkhyF/uumPYxJg64Y9DU23SM=
|
|
=QgI2
|
|
-----END PGP SIGNATURE-----
|