This bug was fixed in the package linux-oem-6.11 - 6.11.0-1007.7
---------------
linux-oem-6.11 (6.11.0-1007.7) noble; urgency=medium
* noble/linux-oem-6.11: 6.11.0-1007.7 -proposed tracker (LP: #2085318)
* iwlwifi 0000:00:14.3: Failed to start RT ucode: -110 (LP: #2085504)
- SAUCE: Revert "wifi: iwlwifi: remove retry loops in start"
* Bluetooth[8086:a876] crash with "hci0: Failed to read MSFT supported
features (-110)" (LP: #2085485)
- Bluetooth: btintel_pcie: Add handshake between driver and firmware
- Bluetooth: btintel_pcie: Add recovery mechanism
* Fix phantom monitor on some machines with kernel 6.11 (LP: #2085456)
- SAUCE: Revert "video/aperture: optionally match the device in
sysfb_disable()"
* BT Switch cannot open under Ubuntu 24.04 on MT7920 (LP: #2085437)
- SAUCE: Bluetooth: btmtk: Remove resetting mt7921 before downloading the fw
* OVTI08F4:00: number of CSI2 data lanes 2 is not supported (LP: #2084059)
- SAUCE: media: ipu-bridge: Add support for additional link frequencies
* Fix USB device suspend failure while HCD in S4 wakeup (LP: #2085410)
- SAUCE: USB: Fix the issue of task recovery failure caused by USB status
when S4 wakes up
* [SRU] add support of QCA BT 0489:e0fc (LP: #2085406)
- SAUCE: Bluetooth: btusb: add Foxconn 0xe0fc for Qualcomm WCN785x
* The ASPM is disabled on Realtek NIC which prevents the system from entering
s0ix (LP: #2085398)
- SAUCE: r8169: Add Dell platforms to the ASPM quirk
* r8169: transmit queue 0 timed out error when re-plugging the Ethernet cable
(LP: #2084526)
- r8169: disable ALDPS per default for RTL8125
* Service LED will show 1A8W when unplug WD22TB4 with TBT3 HDD then resume
from suspend (LP: #2082225)
- SAUCE: PCI: pciehp: Fix system hang during resume with daisy-chained
hotplug controllers
* AMD ACP7.1 support (LP: #2077941)
- ASoC: amd: acp: add ZSC control register programming sequence
- ASoC: amd: acp: add legacy driver support for ACP7.1 based platforms
* Support ov05c10 camera sensor in Intel ipu-bridge (LP: #2081866)
- SAUCE: media: Support ov05c10 camera sensor
* Dell Alienware system reports errors of dell_wmi_sysman and dell_smbios in
dmesg (LP: #2084808)
- platform/x86: dell-sysman: add support for alienware products
* Intel(R) PRO/1000 I219 ethernet adapter [8086:550c] may block entrance of
modern standby (LP: #2081130)
- platform/x86: intel/pmc: Ignore all LTRs during suspend
- e1000e: change I219 (19) devices to ADP
- x86/apic: Always explicitly disarm TSC-deadline timer
* Fix distorted sound output after suspend more than 30 seconds on Cirrus
audio codec (LP: #2084759)
- SAUCE: mfd: cs42l43: Disable IRQs during suspend
* Dell AIO backlight is not working, dell_uart_backlight module is missing
(LP: #2083800)
- [Config] enable CONFIG_DELL_UART_BACKLIGHT
* Add Intel Arrow Lake-H LPSS PCI IDs (LP: #2083905)
- mfd: intel-lpss: Add Intel Arrow Lake-H LPSS PCI IDs
* Missing device ID for amd_atl driver for AMD Strix platform (LP: #2083292)
- SAUCE: x86/amd_nb: Add new PCI ID for AMD family 1Ah model 20h
* Need driver support for Realtek RTL8126A rev.b 5Gbps ethernet [10ec:8126]
(LP: #2079017)
- r8169: add support for RTL8126A rev.b
- r8169: add missing MODULE_FIRMWARE entry for RTL8126A rev.b
* Missing devices nodes for AMD Instinct MI300 card when installed along with
integrated display (LP: #2078773)
- drm: Use XArray instead of IDR for minors
- accel: Use XArray instead of IDR for minors
- drm: Expand max DRM device number to full MINORBITS
* UBSAN: array-index-out-of-bounds in module mt76 (LP: #2081785)
- wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for
clc
* Support Qualcomm WCN7851 Dual Bluetooth Adapter 0489:E0F3 (LP: #2081796)
- SAUCE: Bluetooth: btusb: Add one more ID 0x0489:0xe0f3 for Qualcomm
WCN785x
* [SRU] uncore: Add ARL and LNL support on 6.11 (LP: #2081810)
- perf/x86/intel/uncore: Add Arrow Lake support
- perf/x86/intel/uncore: Factor out common MMIO init and ops functions
- perf/x86/intel/uncore: Add Lunar Lake support
- perf/x86/intel/uncore: Add LNL uncore iMC freerunning support
- perf/x86/intel/uncore: Use D0:F0 as a default device
[ Ubuntu: 6.11.0-9.9 ]
* oracular/linux: 6.11.0-9.9 -proposed tracker (LP: #2084250)
* re-enable Ubuntu FAN in the Noble kernel (LP: #2064508)
- SAUCE: fan: add VXLAN implementation
- SAUCE: fan: Fix NULL pointer dereference
- SAUCE: fan: support vxlan strict length validation
* update for V3 kernel bits and improved multiple fan slice support
(LP: #1470091) // re-enable Ubuntu FAN in the Noble kernel (LP: #2064508)
- SAUCE: fan: tunnel multiple mapping mode (v3)
* Setting I/O scheduler to 'none' causes error in oracular (LP: #2083845)
- block: Fix elv_iosched_local_module handling of "none" scheduler
* Miscellaneous Ubuntu changes
- [Config] Update toolchain versions
-- Kuan-Ying Lee <[email protected]> Thu, 24 Oct 2024 15:45:12 +0800
** Changed in: linux-oem-6.11 (Ubuntu Noble)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2081785
Title:
UBSAN: array-index-out-of-bounds in module mt76
Status in HWE Next:
New
Status in linux package in Ubuntu:
In Progress
Status in linux-oem-6.11 package in Ubuntu:
Invalid
Status in linux-oem-6.8 package in Ubuntu:
Invalid
Status in linux source package in Noble:
Fix Committed
Status in linux-oem-6.11 source package in Noble:
Fix Released
Status in linux-oem-6.8 source package in Noble:
Fix Released
Status in linux source package in Oracular:
Fix Committed
Status in linux-oem-6.11 source package in Oracular:
Invalid
Status in linux-oem-6.8 source package in Oracular:
Invalid
Bug description:
[SRU Justification]
BugLink: https://bugs.launchpad.net/bugs/2081785
[Impact]
UBSAN warnings in dmesg:
```
UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/wireless/mediatek/mt76/mac80211.c:1532:34
index 3 is out of range for type 'mt76_phy *[3]'
```
[Fix]
Proposed fix commit
https://github.com/torvalds/linux/commit/9679ca7326e52282cc923c4d71d81c999cb6cd55
("wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue
for clc"), which fixes commit
https://github.com/torvalds/linux/commit/c948b5da6bbec742b433138e3e3f9537a85af2e5
("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
landed in v6.7.
[Test Case]
UBSAN warning should go away.
[Where problems could occur]
No. This bails out early when an error occurs.
[Other Info]
While the affected commit was first introduced in v6.7, nominating all
kernels since then: unstable, oracular, oem-6.11, noble, and oem-6.8.
========== original bug description ==========
[ 33.399506] UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/wireless/mediatek/mt76/mac80211.c:1532:34
[ 33.399517] index 3 is out of range for type 'mt76_phy *[3]'
[ 33.399523] CPU: 0 UID: 0 PID: 1153 Comm: NetworkManager Not tainted 6.11.0-061100rc7-generic #202409082235
[ 33.399528] Hardware name: HP HP ZBook Ultra 14 inch G1a Mobile Workstation PC/8D01, BIOS X89 Ver. 89.17.22 09/11/2024
[ 33.399532] Call Trace:
[ 33.399537] <TASK>
[ 33.399546] show_stack+0x49/0x60
[ 33.399556] dump_stack_lvl+0x5f/0x90
[ 33.399573] dump_stack+0x10/0x18
[ 33.399576] ubsan_epilogue+0x9/0x40
[ 33.399581] __ubsan_handle_out_of_bounds.cold+0x44/0x49
[ 33.399584] mt76_wcid_cleanup+0x269/0x280 [mt76]
[ 33.399603] ? mt76_connac_mcu_uni_add_dev+0x15a/0x200 [mt76_connac_lib]
[ 33.399620] mt792x_mac_link_bss_remove+0x136/0x190 [mt792x_lib]
[ 33.399627] mt792x_remove_interface+0x7f/0xd0 [mt792x_lib]
[ 33.399633] drv_remove_interface+0xf1/0x1b0 [mac80211]
[ 33.399686] ieee80211_do_stop+0x5c0/0x990 [mac80211]
[ 33.399727] ? synchronize_rcu_expedited+0x1f4/0x220
[ 33.399733] ieee80211_stop+0x5c/0x1c0 [mac80211]
[ 33.399765] __dev_close_many+0xae/0x140
[ 33.399768] __dev_change_flags+0xe6/0x230
[ 33.399773] dev_change_flags+0x27/0x80
[ 33.399775] do_setlink+0x39e/0xd90
[ 33.399780] ? genl_family_rcv_msg_doit+0x11c/0x160
[ 33.399785] ? __nla_validate_parse+0x49/0x1b0
[ 33.399790] ? inode_sub_bytes+0x72/0x90
[ 33.399797] __rtnl_newlink+0x5c8/0x760
[ 33.399802] rtnl_newlink+0x77/0xa0
[ 33.399805] rtnetlink_rcv_msg+0x160/0x460
[ 33.399808] ? __legitimize_path+0x30/0x80
[ 33.399812] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 33.399815] netlink_rcv_skb+0x52/0x100
[ 33.399818] rtnetlink_rcv+0x15/0x30
[ 33.399820] netlink_unicast+0x245/0x390
[ 33.399823] netlink_sendmsg+0x214/0x460
[ 33.399826] ____sys_sendmsg+0x3b1/0x3f0
[ 33.399830] ___sys_sendmsg+0x9a/0xf0
[ 33.399834] __sys_sendmsg+0xe5/0x120
[ 33.399839] __x64_sys_sendmsg+0x1d/0x30
[ 33.399842] x64_sys_call+0x7da/0x22b0
[ 33.399848] do_syscall_64+0x7e/0x170
[ 33.399851] ? syscall_exit_to_user_mode+0x4e/0x250
[ 33.399855] ? do_syscall_64+0x8a/0x170
[ 33.399858] ? syscall_exit_to_user_mode+0x4e/0x250
[ 33.399860] ? do_syscall_64+0x8a/0x170
[ 33.399863] ? do_epoll_wait+0xa8/0x100
[ 33.399867] ? __x64_sys_epoll_wait+0x6d/0x110
[ 33.399870] ? __task_pid_nr_ns+0x6c/0xc0
[ 33.399875] ? syscall_exit_to_user_mode+0x4e/0x250
[ 33.399878] ? do_syscall_64+0x8a/0x170
[ 33.399879] ? irqentry_exit+0x43/0x50
[ 33.399882] ? sysvec_apic_timer_interrupt+0x57/0xc0
[ 33.399885] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 33.399910] </TASK>
[ 33.399912] ---[ end trace ]---
Proposed fix in
https://github.com/torvalds/linux/commit/9679ca7326e52282cc923c4d71d81c999cb6cd55
("wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue
for clc"), which fixes
https://github.com/torvalds/linux/commit/c948b5da6bbec742b433138e3e3f9537a85af2e5
("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
landed in v6.7.
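A check for the test case above ("UBSAN warning should go away"), as an added example that is not part of the bug report or the kernel tree: it parses UBSAN out-of-bounds reports from dmesg text and lists those raised from mt76 sources. The function names are illustrative, and the sample log is constructed from lines of the trace in this report.

```python
import re

# Constructed sample: records from the report above, one per line as dmesg
# prints them, followed by one unrelated line.
SAMPLE_DMESG = """\
[   33.399506] UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/wireless/mediatek/mt76/mac80211.c:1532:34
[   33.399517] index 3 is out of range for type 'mt76_phy *[3]'
[   33.399532] Call Trace:
[   33.399546]  show_stack+0x49/0x60
[   33.399581]  __ubsan_handle_out_of_bounds.cold+0x44/0x49
[   33.399584]  mt76_wcid_cleanup+0x269/0x280 [mt76]
[   33.399620]  mt792x_mac_link_bss_remove+0x136/0x190 [mt792x_lib]
[   33.399912] ---[ end trace ]---
[   40.000000] wlan0: associated
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
HEAD = re.compile(r"^UBSAN: (?P<kind>[\w-]+) in (?P<file>\S+?):(?P<line>\d+):\d+$")
INDEX = re.compile(r"^index (?P<index>-?\d+) is out of range for type '.*\[(?P<bound>\d+)\]'$")
FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(?P<mod>\w+)\]$")

def parse_ubsan_reports(text):
    """Return one dict per UBSAN report found in kernel log text."""
    reports, cur = [], None
    for raw in text.splitlines():
        msg = STAMP.sub("", raw).strip()
        if (m := HEAD.match(msg)):
            cur = {"kind": m["kind"], "file": m["file"], "line": int(m["line"]),
                   "index": None, "bound": None, "module": None, "symbol": None}
            reports.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("---[ end trace"):
            cur = None
        elif (m := INDEX.match(msg)):
            cur["index"], cur["bound"] = int(m["index"]), int(m["bound"])
        elif cur["module"] is None and (m := FRAME.match(msg)):
            # The first frame tagged with a module names the code that tripped
            # the check; "? sym" frames are unreliable and do not match FRAME.
            cur["symbol"], cur["module"] = m["sym"], m["mod"]
    return reports

def mt76_bounds_reports(text):
    """Out-of-bounds reports whose source file lives under the mt76 driver."""
    return [r for r in parse_ubsan_reports(text)
            if r["kind"] == "array-index-out-of-bounds" and "/mt76/" in r["file"]]
```

On a patched kernel, feeding the output of `dmesg` to `mt76_bounds_reports` should return an empty list after the interface has been brought down and up again.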