Instability when setting hw.mds_disable=3 as per FreeBSD-SA-19:07.mds

I recently, after getting security advisory FreeBSD-SA-19:07.mds, set hw.mds_disable=3 in sysctl.conf on my 11.2-RELEASE-p10 server. I also disabled hyper-threading, as it seems one needs to both disable hyper-threading and set hw.mds_disable to 3 (although another post seems to suggest that if you disable hyperthreading, you don't have to set mds_disable). And I do have the devcpu-data installed and microcode_update_enable="YES" in my /etc/rc.conf.

Anyway, ever since I've been having random and frequent segfaults in random processes. For example, freebsd-update would consistently give me 'File changed while FreeBSD Update running: /rescue/chmod', another file on each run, with dmesg showing segfaults on the stat binary.

I have set hw.mds_disable back to 0, and the segfaults have gone away again.

Is this a known issue?

Do I need hw.mds_disable=3 when I disable hyperthreading?
 
We've also had some servers behaving strangely after upgrading to 11.2-RELEASE-p10 using freebsd-update, like:
* ntp server losing the correct clock synchronization;
* random core dumps (signal 11) for several processes like: bash, fetch, ps, cp, newsyslog, ...

For us, setting hw.mds_disable back to 0 didn't solve the problem, so for now, we decided to boot from the previous kernel version.

Have you received any feedback so far?
 
@hkkobayashi : no, haven't gotten any response yet.. still running with hyperthreading disabled, which incidentally doesn't seem to impact performance at all for my particular workload

@robramsaynz : interesting, I do have 1.21 installed, but 'pkg upgrade' tells me everything is up to date..

It's hard to find information on this vulnerability in relation to FreeBSD - I love FreeBSD but it's things like this that make me itchy about running it in production workloads

 
Koen Martens, perhaps try running pkg update first to get the latest list of packages, and then try running pkg upgrade devcpu-data to update the package. If you want a dry run instead of installing the package, try pkg upgrade -n devcpu-data.

I'm quite new to FreeBSD as well, and found it a little hard to get into too, mostly because I'm so used to the Linux ways of doing things.
 
> interesting, I do have 1.21 installed, but 'pkg upgrade' tells me everything is up to date..

Then you're probably on the "quarterly" pkg repository, while you would need the "latest" for the latest packages...

> It's hard to find information on this vulnerability in relation to FreeBSD - I love FreeBSD but it's things like this that make me itchy about running it in production workloads

Well, it's hard to find in-depth information, like how exactly the mitigation works and what is the remaining risk if you leave HT enabled, that's why I opened a thread here about it ...

But the things you immediately need to know are documented in the advisory, e.g. that setting hw.mds_disable=3 automatically falls back to a "software" mitigation if the VERW instruction is not available in the microcode -- something I explicitly didn't want, that's why I chose to set hw.mds_disable=1 instead, and of course I checked whether it's working:
Code:
# sysctl hw.mds_disable_state
hw.mds_disable_state: VERW
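
The check from the last post, turned into a script that can run after every boot or microcode update and flag a silent software fallback. This is an added example, not code from the thread or from FreeBSD; the function name `check_mds` and its verdict words are hypothetical, and matching the fallback on a state that starts with "software" is an assumption based on the advisory's wording.

```shell
#!/bin/sh
# Added example: verdict on the MDS mitigation a FreeBSD host actually applied.

# check_mds CONFIGURED STATE
#   CONFIGURED: value of hw.mds_disable (0 off, 1 VERW, 2 software, 3 auto)
#   STATE:      value of hw.mds_disable_state
# Prints a verdict; returns 0 only when the VERW mitigation is active.
check_mds() {
    configured=$1
    state=$2
    if [ "$configured" = "0" ]; then
        # Mitigation switched off by the administrator.
        echo "disabled"
        return 2
    fi
    case "$state" in
        VERW)
            # Microcode provides the VERW-based buffer clearing.
            echo "verw"
            return 0 ;;
        software*)
            # Assumption: software handlers report a state starting with
            # "software". With hw.mds_disable=3 this means the microcode
            # lacks VERW support and the kernel fell back on its own.
            echo "software-fallback"
            return 1 ;;
        *)
            # Requested but not reported as active.
            echo "not-active"
            return 2 ;;
    esac
}

# Live check; skipped on systems that do not have this sysctl.
if state=$(sysctl -n hw.mds_disable_state 2>/dev/null); then
    check_mds "$(sysctl -n hw.mds_disable)" "$state"
fi
```

A non-zero exit status makes the script usable from cron or a monitoring agent, so a host that lost its microcode update shows up without anyone reading dmesg.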
 