Poking some more at this, I think I've found the root cause. The panic comes from runtime bounds checking, and somehow the compiler is convinced there is `0` bytes left in the struct ip_tunnel_info options member. Had it not been able to determine this information it would think `SIZE_MAX` [0], so this has to come from somewhere.
GCC 15 added a `counted_by` attribute[1]. And sure enough, the `struct ip_tunnel_info` recently gained one of those[2]. Reading the GCC commit message [3]() it seems the ordering of updating the counter and referencing the array is significant, so it could be the issue is that the current code is doing this in a reverse order from the perspective of the compiler implementation. From cursory view just making sure struct ip_tunnel_info options_len is set prior to attempt to access options solves the issue. There are higher layer helpers to set the entire options field that does this in the right order, but the GRE ERSPAN code appears to need to do a partial copy of data, so it probably needs to keep this special handling. Will formally test and produce a patch and submit upstream at first convenience. 0: https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html#Object-Size-Checking-Built-in-Functions 1: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=f824acd0e807546a733c122ab6340f18cef88766 2: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/net/ip_tunnels.h?id=bb5e62f2d547c4de6d1b144cbce2373a76c33f18 3: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=f824acd0e807546a733c122ab6340f18cef88766 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2129580 Title: [questing] kernel BUG at lib/string_helpers.c:1043! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gcc-15/+bug/2129580/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
