# Instability when setting hw.mds_disable=3 as per FreeBSD-SA-19:07.mds



## Koen Martens (May 26, 2019)

I recently, after getting security advisory FreeBSD-SA-19:07.mds, set hw.mds_disable=3 in sysctl.conf on my 11.2-RELEASE-p10 server. I also disabled hyper-threading, as it seems one needs to both disable hyper-threading and set hw.mds_disable to 3 (although another post seems to suggest that if you disable hyperthreading, you don't have to set mds_disable). And I do have the devcpu-data installed and microcode_update_enable="YES" in my /etc/rc.conf.

Anyway, ever since I've been having random and frequent segfaults in random processes. For example, freebsd-update would consistently give me 'File changed while FreeBSD Update running: /rescue/chmod', another file on each run, with dmesg showing segfaults on the stat binary.

I have set hw.mds_disable back to 0, and the segfaults have gone away again.

Is this a known issue?

Do I need hw.mds_disable=3 when I disable hyperthreading?


----------



## hkkobayashi (May 31, 2019)

We've also had some servers behaving strangely after upgrading to 11.2-RELEASE-p10 using freebsd-update, like:
* ntp server losing the correct clock synchronization;
* random core dumps (signal 11) for several processes like: bash, fetch, ps, cp, newsyslog, ...

For us, setting hw.mds_disable back to 0 didn't solve the problem, so for now, we decided to boot from the previous kernel version.

Have you received any feedback so far?


----------



## robramsaynz (Jun 4, 2019)

It might be worth checking whether you have the v1.22 version of the _devcpu-data_ port installed. Some people have had memory/segfault problems because they didn't have the most up-to-date version. You can check this with:

```
pkg info devcpu-data | grep Version
```

See https://forums.freebsd.org/threads/some-questions-about-freebsd-sa-19-07-mds.70780/#post-427007 for more.


----------



## Koen Martens (Jun 10, 2019)

@hkkobayashi: no, haven't gotten any response yet.. still running with hyperthreading disabled, which incidentally doesn't seem to impact performance at all for my particular workload

@robramsaynz: interesting, I do have 1.21 installed, but 'pkg upgrade' tells me everything is up to date..

It's hard to find information on this vulnerability in relation to FreeBSD - I love FreeBSD but it's things like this that make me itchy about running it in production workloads


----------



## robramsaynz (Jun 18, 2019)

Koen Martens perhaps try running `pkg update` first to get the latest list of packages, and then try running `pkg upgrade devcpu-data`, to update the package. If you want a dry-run instead of installing the package try `pkg upgrade -n devcpu-data`.

I'm quite new to FreeBSD as well, and found it a little hard to get into too, mostly because I'm so used to the Linux ways of doing things.


----------



## zirias@ (Jun 18, 2019)

Koen Martens said:


> interesting, I do have 1.21 installed, but 'pkg upgrade' tells me everything is up to date..


Then you're probably on the "quarterly" pkg repository, while you would need the "latest" for the latest packages...


Koen Martens said:


> It's hard to find information on this vulnerability in relation to FreeBSD - I love FreeBSD but it's things like this that make me itchy about running it in production workloads


Well, it's hard to find in-depth information, like how exactly the mitigation works and what is the remaining risk if you leave HT enabled, that's why I opened a thread here about it ...

But the things you immediately need to know are documented in the advisory, e.g. that setting `hw.mds_disable=3` automatically falls back to a "software" mitigation if the `VERW` instruction is not available in the microcode -- something I explicitly didn't want, that's why I chose to set `hw.mds_disable=1` instead, and of course I checked whether it's working:

```
# sysctl hw.mds_disable_state
hw.mds_disable_state: VERW
```


----------
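
The checks discussed in this thread (the `hw.mds_disable` setting, the reported `hw.mds_disable_state`, and the installed devcpu-data version) combined into one script, as an added example that is not part of any post above. The function names `ver_ge` and `mds_status` and the sample state string `software` are assumptions made for illustration; on a host the three arguments come from `sysctl -n` and `pkg query %v devcpu-data`.

```sh
#!/bin/sh
# Added example, not from the thread. Classifies MDS mitigation status from
# values an admin reads on the host:
#   mode  = $(sysctl -n hw.mds_disable)
#   state = $(sysctl -n hw.mds_disable_state)
#   ver   = $(pkg query %v devcpu-data)
# 1.22 is the devcpu-data version named in the thread.
MIN_UCODE_VER="1.22"

# ver_ge A B: succeed when version A >= B. Compares major.minor only and
# ignores a port revision suffix such as "_1"; expects at least "X.Y".
ver_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%[!0-9]*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# mds_status MODE STATE UCODE_VER: print a one-line verdict.
mds_status() {
    mode=$1; state=$2; ver=$3
    if ver_ge "$ver" "$MIN_UCODE_VER"; then
        ucode="devcpu-data $ver ok"
    else
        ucode="devcpu-data $ver older than $MIN_UCODE_VER"
    fi
    case "$mode:$state" in
        0:*)    echo "OFF: mitigation disabled ($ucode)" ;;
        *:VERW) echo "OK: microcode VERW mitigation active ($ucode)" ;;
        3:*)    echo "FALLBACK: auto mode chose '$state', not VERW ($ucode)" ;;
        *)      echo "CHECK: mode $mode reports '$state' ($ucode)" ;;
    esac
}

# Constructed sample values, not output captured from a real machine.
mds_status 1 VERW 1.22
mds_status 3 "software" 1.21
```

A `FALLBACK` verdict corresponds to the case zirias@ describes, where `hw.mds_disable=3` silently selects the software mitigation because the microcode does not provide `VERW`.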

