This bug was fixed in the package linux - 5.4.0-195.215

---------------
linux (5.4.0-195.215) focal; urgency=medium

  * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)

  * Focal update: v5.4.280 upstream stable release (LP: #2075175)
    - Compiler Attributes: Add __uninitialized macro
    - drm/lima: fix shared irq handling on driver remove
    - media: dvb: as102-fe: Fix as10x_register_addr packing
    - media: dvb-usb: dib0700_devices: Add missing release_firmware()
    - IB/core: Implement a limit on UMAD receive List
    - scsi: qedf: Make qedf_execute_tmf() non-preemptible
    - drm/amdgpu: Initialize timestamp for some legacy SOCs
    - drm/amd/display: Skip finding free audio for unknown engine_id
    - media: dw2102: Don't translate i2c read into write
    - sctp: prefer struct_size over open coded arithmetic
    - firmware: dmi: Stop decoding on broken entry
    - Input: ff-core - prefer struct_size over open coded arithmetic
    - net: dsa: mv88e6xxx: Correct check for empty list
    - media: dvb-frontends: tda18271c2dd: Remove casting during div
    - media: s2255: Use refcount_t instead of atomic_t for num_channels
    - media: dvb-frontends: tda10048: Fix integer overflow
    - i2c: i801: Annotate apanel_addr as __ro_after_init
    - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n
    - orangefs: fix out-of-bounds fsid access
    - powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
    - jffs2: Fix potential illegal address access in jffs2_free_inode
    - s390/pkey: Wipe sensitive data on failure
    - tcp: tcp_mark_head_lost is only valid for sack-tcp
    - tcp: add ece_ack flag to reno sack functions
    - net: tcp better handling of reordering then loss cases
    - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
    - tcp_metrics: validate source addr length
    - wifi: wilc1000: fix ies_len type in connect path
    - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
    - selftests: fix OOM in msg_zerocopy selftest
    - selftests: make order checking verbose in msg_zerocopy selftest
    - inet_diag: Initialize pad field in struct inet_diag_req_v2
    - nilfs2: fix inode number range checks
    - nilfs2: add missing check for inode numbers on directory entries
    - mm: optimize the redundant loop of mm_update_owner_next()
    - can: kvaser_usb: Explicitly initialize family in leafimx driver_info
      struct
    - fsnotify: Do not generate events for O_PATH file descriptors
    - Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),
      again"
    - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes
    - drm/amdgpu/atomfirmware: silence UBSAN warning
    - media: dw2102: fix a potential buffer overflow
    - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
    - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897
    - nvme-multipath: find NUMA path only for online numa-node
    - nilfs2: fix incorrect inode allocation from reserved inodes
    - filelock: fix potential use-after-free in posix_lock_inode
    - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading
    - vfs: don't mod negative dentry count when on shrinker list
    - tcp: add TCP_INFO status for failed client TFO
    - tcp: fix incorrect undo caused by DSACK of TLP retransmit
    - octeontx2-af: Fix incorrect value output on error path in
      rvu_check_rsrc_availability()
    - net: lantiq_etop: add blank line after declaration
    - net: ethernet: lantiq_etop: fix double free in detach
    - ppp: reject claimed-as-LCP but actually malformed packets
    - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
    - s390: Mark psw in __load_psw_mask() as __unitialized
    - ARM: davinci: Convert comma to semicolon
    - octeontx2-af: fix detection of IP layer
    - USB: serial: option: add Telit generic core-dump composition
    - USB: serial: option: add Telit FN912 rmnet compositions
    - USB: serial: option: add Fibocom FM350-GL
    - USB: serial: option: add support for Foxconn T99W651
    - USB: serial: option: add Netprisma LCUK54 series modules
    - USB: serial: option: add Rolling RW350-GL variants
    - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k
    - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
    - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the
      descriptor
    - hpet: Support 32-bit userspace
    - nvmem: meson-efuse: Fix return value of nvmem callbacks
    - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX
    - libceph: fix race between delayed_work() and ceph_monc_stop()
    - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
    - tcp: refactor tcp_retransmit_timer()
    - net: tcp: fix unexcepted socket die when snd_wnd is 0
    - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
    - tcp: avoid too many retransmit packets
    - nilfs2: fix kernel bug on rename operation of broken directory
    - i2c: rcar: bring hardware to known state when probing
    - Linux 5.4.280

  * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:
    v5.4.280 upstream stable release (LP: #2075175)
    - bnx2x: Fix multiple UBSAN array-index-out-of-bounds

  * Focal update: v5.4.279 upstream stable release (LP: #2073621)
    - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
    - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
    - wifi: cfg80211: pmsr: use correct nla_get_uX functions
    - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
    - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
    - wifi: iwlwifi: mvm: don't read past the mfuart notifcation
    - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
    - net: sched: sch_multiq: fix possible OOB write in multiq_tune()
    - vxlan: Fix regression when dropping packets due to invalid src addresses
    - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
    - net/mlx5: Stop waiting for PCI if pci channel is offline
    - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
    - ptp: Fix error message on failed pin verification
    - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
    - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and
      poll().
    - af_unix: Annotate data-races around sk->sk_state in sendmsg() and
      recvmsg().
    - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
    - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
    - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
    - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
    - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
    - ipv6: fix possible race in __fib6_drop_pcpu_from()
    - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
    - ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret
    - ASoC: ti: davinci-mcasp: remove always zero of davinci_mcasp_get_dt_params
    - ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional
    - ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing
    - ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling
    - ASoC: ti: davinci-mcasp: Handle missing required DT properties
    - ASoC: ti: davinci-mcasp: Fix race condition during probe
    - drm/amd/display: Handle Y carry-over in VCP X.Y calculation
    - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
    - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
    - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages
    - selftests/mm: conform test to TAP format output
    - selftests/mm: compaction_test: fix bogus test success on Aarch64
    - nilfs2: Remove check for PageError
    - nilfs2: return the mapped address from nilfs_get_page()
    - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
    - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
    - mei: me: release irq in mei_me_pci_resume error path
    - jfs: xattr: fix buffer overflow for invalid xattr
    - xhci: Set correct transferred length for cancelled bulk transfers
    - xhci: Apply reset resume quirk to Etron EJ188 xHCI host
    - xhci: Apply broken streams quirk to Etron EJ188 xHCI host
    - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
    - Input: try trimming too long modalias strings
    - SUNRPC: return proper error from gss_wrap_req_priv
    - gpio: tqmx86: fix typo in Kconfig label
    - HID: core: remove unnecessary WARN_ON() in implement()
    - iommu/amd: Fix sysfs leak in iommu init
    - iommu: Return right value in iommu_sva_bind_device()
    - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()
    - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
    - drm/komeda: check for error-valued pointer
    - drm/bridge/panel: Fix runtime warning on panel bridge release
    - tcp: fix race in tcp_v6_syn_recv_sock()
    - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)
      packets
    - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
    - netfilter: ipset: Fix race between namespace cleanup and gc in the
      list:set type
    - net/ipv6: Fix the RT cache flush via sysctl using a previous delay
    - ionic: fix use after netif_napi_del()
    - drivers: core: synchronize really_probe() and dev_uevent()
    - drm/exynos/vidi: fix memory leak in .get_modes()
    - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID
      found
    - tracing/selftests: Fix kprobe event name test for .isra. functions
    - vmci: prevent speculation leaks by sanitizing event in event_deliver()
    - fs/proc: fix softlockup in __read_vmcore
    - ocfs2: use coarse time for new created files
    - ocfs2: fix races between hole punching and AIO+DIO
    - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id
    - dmaengine: axi-dmac: fix possible race in remove()
    - intel_th: pci: Add Granite Rapids support
    - intel_th: pci: Add Granite Rapids SOC support
    - intel_th: pci: Add Sapphire Rapids SOC support
    - intel_th: pci: Add Meteor Lake-S support
    - intel_th: pci: Add Lunar Lake support
    - nilfs2: fix potential kernel bug due to lack of writeback flag waiting
    - tick/nohz_full: Don't abuse smp_call_function_single() in
      tick_setup_device()
    - hv_utils: drain the timesync packets on onchannelcallback
    - hugetlb_encode.h: fix undefined behaviour (34 << 26)
    - greybus: Fix use-after-free bug in gb_interface_release due to race
      condition.
    - usb-storage: alauda: Check whether the media is initialized
    - i2c: at91: Fix the functionality flags of the slave-only interface
    - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
    - selftests/bpf: Prevent client connect before server bind in
      test_tc_tunnel.sh
    - batman-adv: bypass empty buckets in batadv_purge_orig_ref()
    - drop_monitor: replace spin_lock by raw_spin_lock
    - scsi: qedi: Fix crash while reading debugfs attribute
    - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl
    - powerpc/pseries: Enforce hcall result buffer validity and size
    - powerpc/io: Avoid clang null pointer arithmetic warnings
    - usb: misc: uss720: check for incompatible versions of the Belkin F5U002
    - udf: udftime: prevent overflow in udf_disk_stamp_to_time()
    - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports
    - MIPS: Octeon: Add PCIe link status check
    - MIPS: Routerboard 532: Fix vendor retry check code
    - mips: bmips: BCM6358: make sure CBR is correctly set
    - cipso: fix total option length computation
    - netrom: Fix a memory leak in nr_heartbeat_expiry()
    - ipv6: prevent possible NULL deref in fib6_nh_init()
    - ipv6: prevent possible NULL dereference in rt6_probe()
    - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
    - netns: Make get_net_ns() handle zero refcount net
    - net/sched: act_api: rely on rcu in tcf_idr_check_alloc
    - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()
    - virtio_net: checksum offloading handling fix
    - netfilter: ipset: Fix suspicious rcu_dereference_protected()
    - net: usb: rtl8150 fix unintiatilzed variables in
      rtl8150_get_link_ksettings
    - regulator: core: Fix modpost error "regulator_get_regmap" undefined
    - dmaengine: ioatdma: Fix missing kmem_cache_destroy()
    - ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is
      fine."
    - drm/radeon: fix UBSAN warning in kv_dpm.c
    - gcov: add support for GCC 14
    - i2c: ocores: set IACK bit after core is enabled
    - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat
    - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat
    - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat
    - arm64: dts: qcom: qcs404: fix bluetooth device address
    - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
    - Revert "kheaders: substituting --sort in archive creation"
    - kheaders: explicitly define file modes for archived headers
    - perf/core: Fix missing wakeup when waiting for context reference
    - PCI: Add PCI_ERROR_RESPONSE and related definitions
    - x86/amd_nb: Check for invalid SMN reads
    - iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock
    - iio: dac: ad5592r: un-indent code-block for scale read
    - iio: dac: ad5592r: fix temperature channel scaling value
    - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
    - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
    - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
    - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
    - drm/amdgpu: fix UBSAN warning in kv_dpm.c
    - netfilter: nf_tables: validate family when identifying table via handle
    - ASoC: fsl-asoc-card: set priv->pdev before using it
    - net: dsa: microchip: fix initial port flush problem
    - net: phy: mchp: Add support for LAN8814 QUAD PHY
    - net: phy: micrel: add Microchip KSZ 9477 to the device table
    - sparc: fix old compat_sys_select()
    - parisc: use correct compat recv/recvfrom syscalls
    - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data
      registers
    - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep
    - mtd: partitions: redboot: Added conversion of operands to a larger type
    - net/iucv: Avoid explicit cpumask var allocation on stack
    - net/dpaa2: Avoid explicit cpumask var allocation on stack
    - ALSA: emux: improve patch ioctl data validation
    - media: dvbdev: Initialize sbuf
    - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
    - nvme: fixup comment for nvme RDMA Provider Type
    - gpio: davinci: Validate the obtained number of IRQs
    - x86: stop playing stack games in profile_pc()
    - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos
    - mmc: sdhci: Do not invert write-protect twice
    - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()
    - iio: adc: ad7266: Fix variable checking bug
    - iio: chemical: bme680: Fix pressure value output
    - iio: chemical: bme680: Fix calibration data variable
    - iio: chemical: bme680: Fix overflows in compensate() functions
    - iio: chemical: bme680: Fix sensor data read operation
    - net: usb: ax88179_178a: improve link status logs
    - usb: gadget: printer: SS+ support
    - usb: musb: da8xx: fix a resource leak in probe()
    - usb: atm: cxacru: fix endpoint checking in cxacru_bind()
    - tty: mcf: MCF54418 has 10 UARTS
    - net: can: j1939: Initialize unused data in j1939_send_one()
    - net: can: j1939: recover socket queue on CAN bus error during BAM
      transmission
    - net: can: j1939: enhanced error handling for tightly received RTS messages
      in xtp_rx_rts_session_new
    - csky, hexagon: fix broken sys_sync_file_range
    - hexagon: fix fadvise64_64 calling conventions
    - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes
    - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
    - batman-adv: Don't accept TT entries for out-of-spec VIDs
    - ata: libata-core: Fix double free on error
    - ftruncate: pass a signed offset
    - mtd: spinand: macronix: Add support for serial NAND flash
    - pwm: stm32: Refuse too small period requests
    - nfs: Leave pages in the pagecache if readpage failed
    - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node
    - arm64: dts: rockchip: Add sound-dai-cells for RK3368
    - Linux 5.4.279

  * CVE-2024-26921
    - skbuff: introduce skb_expand_head()
    - skb_expand_head() adjust skb->truesize incorrectly
    - inet: inet_defrag: prevent sk release while still in use

  * CVE-2024-26929
    - scsi: qla2xxx: Fix double free of fcport

  * CVE-2024-39484
    - mmc: davinci: Don't strip remove function when driver is builtin

  * CVE-2024-36901
    - ipv6: prevent NULL dereference in ip6_output()

  * CVE-2024-26830
    - i40e: Refactoring VF MAC filters counting to make more reliable
    - i40e: Fix MAC address setting for a VF via Host/VM
    - i40e: Do not allow untrusted VF to remove administratively set MAC

  * CVE-2024-24860
    - Bluetooth: Fix atomicity violation in {min, max}_key_size_set

  * CVE-2023-52760
    - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc

  * CVE-2024-2201
    - [Config] Set SPECTRE_BHI_ON=y

  * CVE-2023-52629
    - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

  * CVE-2021-46926
    - ALSA: hda: intel-sdw-acpi: harden detection of controller

 -- Roxana Nicolescu <roxana.nicole...@canonical.com>  Fri, 02 Aug 2024 20:11:01 +0200

** Changed in: linux (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-46926

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-52629

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-52760

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2201

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-24860

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26830

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26921

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26929

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-36901

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-39484

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2074215

Title:
  [SRU] UBSAN warnings in bnx2x kernel driver

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Jammy:
  Fix Committed
Status in linux source package in Noble:
  Fix Committed
Status in linux source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  Currently in the bnx2x kernel driver there are reads/writes that occur
  out of bounds that have the possibility to cause kernel crashes. No
  meaningful impact has been observed yet other than UBSAN stack traces.
  I have posted a patch upstream to resolve this issue (134061163ee5
  bnx2x: Fix multiple UBSAN array-index-out-of-bounds) and it has been
  accepted and merged. Although these traces appear only on linux
  version 6.5 and up, this bug also affects kernels 6.x and 5.x as well
  but no UBSAN warnings will be printed on these kernels since they were
  not enforced in these kernels.

  [Test Plan]

  There are multiple ways to reproduce the issue. But the most hands
  free way to reproduce it would be to utilize a Qlogic NIC that makes
  use of the E2 controller on a system with more than 32 cores. Below
  are both ways this can be reproduced. Please note that both will
  require a NIC that makes use of the bnx2x driver.

  * Normal Reproduction:

  1. Start a machine running kernel 6.5 or higher with a number of cores
  above 32. Please note that these need to be physical cores not threads.
  The machine also needs to be using a NIC that utilizes an E2 controller.
  2. In dmesg the following UBSAN warnings can be seen:

  UBSAN: array-index-out-of-bounds in
         drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
  index 20 is out of range for type 'stats_query_entry [19]'
  CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
        #202405052133
  Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
          BIOS P89 10/21/2019
  Call Trace:
   <TASK>
   dump_stack_lvl+0x76/0xa0
   dump_stack+0x10/0x20
   __ubsan_handle_out_of_bounds+0xcb/0x110
   bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x]
   bnx2x_stats_init+0x156/0x320 [bnx2x]
   bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
   bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
   bnx2x_open+0x16b/0x290 [bnx2x]
   __dev_open+0x10e/0x1d0
  RIP: 0033:0x736223927a0a
  Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
        64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00
        f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
  RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
  RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
  RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
  RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
  R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
  </TASK>
  ---[ end trace ]---
  ------------[ cut here ]------------
  UBSAN: array-index-out-of-bounds in
         drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
  index 28 is out of range for type 'stats_query_entry [19]'
  CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
        #202405052133
  Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
          BIOS P89 10/21/2019
  Call Trace:
  <TASK>
  dump_stack_lvl+0x76/0xa0
  dump_stack+0x10/0x20
  __ubsan_handle_out_of_bounds+0xcb/0x110
  bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]
  bnx2x_stats_init+0x156/0x320 [bnx2x]
  bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
  bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
  bnx2x_open+0x16b/0x290 [bnx2x]
  __dev_open+0x10e/0x1d0
  RIP: 0033:0x736223927a0a
  Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
        64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00
        f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
  RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
  RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
  RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
  RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
  R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
   </TASK>
  ---[ end trace ]---
  ------------[ cut here ]------------
  UBSAN: array-index-out-of-bounds in
         drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
  index 29 is out of range for type 'stats_query_entry [19]'
  CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic
        #202405052133
  Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
          BIOS P89 10/21/2019
  Workqueue: bnx2x bnx2x_sp_task [bnx2x]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x76/0xa0
   dump_stack+0x10/0x20
   __ubsan_handle_out_of_bounds+0xcb/0x110
   bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x]
   bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x]
   ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x]
   bnx2x_stats_start+0x44/0x70 [bnx2x]
   bnx2x_stats_handle+0x149/0x350 [bnx2x]
   bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x]
   bnx2x_sp_task+0x491/0x5c0 [bnx2x]
   process_one_work+0x18d/0x3f0
   </TASK>
  ---[ end trace ]---

  * Forced reproducer:

  1. Make sure you have a machine running kernel 6.5 and higher with any
  NIC that makes use of the bnx2x driver (No need for a NIC that
  utilizes the E2 controller). Also the number of cores the machine has
  is not important.

  2. Once the machine is booted, unload the bnx2x module from the kernel:
  $ sudo modprobe -r bnx2x

  3. Then load back the driver, but while specifying the number of ethernet
  queues to a value above 16:
  $ sudo modprobe bnx2x num_queues=20

  4. The same stack traces shown above will show up in dmesg.

  [Fix]

  The fix is already upstream and provided by:

  * 134061163ee5 bnx2x: Fix multiple UBSAN array-index-out-of-bounds

  [Where problems could occur]

  * Since the patch increases the firmware stats array size, the driver
  will utilize slightly more memory, however this is still an
  insignificant amount.

  * Since no logic change has been done to the driver the regression
  risk is minimal.

  [Workaround]

  As stated earlier I have already written a patch to solve the issue, but
  in the meantime one way to avoid this problem would be to unload the
  driver and then load it back with a value for num_queues below 16:
  $ sudo modprobe bnx2x num_queues=15
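Both reproducers above end the same way: the symptom to look for is a UBSAN array-index-out-of-bounds trace in dmesg naming a bnx2x source file. The following is an added example, not part of the bug report or of the bnx2x driver, that pulls those traces out of a kernel log, pairs each header with its "index N is out of range" line and keeps only the bnx2x ones, so the check can be scripted on a fleet instead of read by eye. The sample log lines are constructed from the traces quoted in the test plan; the timestamps and the radeon line (its line number in particular) are made up.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed kernel-log sample modelled on the traces quoted in the bug
# report: three bnx2x warnings, one unrelated driver line and one radeon
# UBSAN warning (its line number is made up) to show the filter working.
SAMPLE_DMESG = """\
[   12.345678] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
[   12.345680] index 20 is out of range for type 'stats_query_entry [19]'
[   12.345690] CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
[   12.500000] bnx2x 0000:03:00.0 eth0: Link is Up
[   12.600000] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
[   12.600001] index 28 is out of range for type 'stats_query_entry [19]'
[   13.000000] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
[   13.000001] index 29 is out of range for type 'stats_query_entry [19]'
[   14.000000] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/radeon/kv_dpm.c:100:5
[   14.000001] index 8 is out of range for type 'int [8]'
"""

# The same trace as it appears once mail software has wrapped the header line.
SAMPLE_WRAPPED = """\
UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
index 20 is out of range for type 'stats_query_entry [19]'
"""

_PREFIX = re.compile(r"^\s*(?:\[\s*\d+\.\d+\]\s*)?(?:kernel:\s*)?")  # dmesg/syslog prefix
_UBSAN = re.compile(r"UBSAN: array-index-out-of-bounds in\s*(?P<loc>\S+)?")
_LOC = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+)(?::\d+)?$")
_INDEX = re.compile(
    r"index (?P<idx>-?\d+) is out of range for type '(?P<type>[^'\[]+?)\s*\[(?P<size>\d+)\]'"
)


@dataclass
class UbsanOob:
    file: str       # source file named by UBSAN
    line: int       # source line
    index: int      # offending index
    type_name: str  # element type, e.g. stats_query_entry
    size: int       # declared array length

    @property
    def driver(self) -> str:
        # Directory holding the file, e.g. "bnx2x" for .../bnx2x/bnx2x_stats.c
        parts = self.file.split("/")
        return parts[-2] if len(parts) >= 2 else ""


def parse_ubsan_oob(text: str) -> List[UbsanOob]:
    """Pair each UBSAN header with the 'index N is out of range' line after it."""
    lines = [_PREFIX.sub("", l).strip() for l in text.splitlines()]
    found: List[UbsanOob] = []
    i = 0
    while i < len(lines):
        m = _UBSAN.search(lines[i])
        i += 1
        if not m:
            continue
        loc = m.group("loc")
        if loc is None and i < len(lines):  # wrapped header: location is on the next line
            loc, i = lines[i], i + 1
        lm = _LOC.match(loc or "")
        if not lm:
            continue
        # The index line normally follows immediately; tolerate a little slack.
        for j in range(i, min(i + 3, len(lines))):
            im = _INDEX.search(lines[j])
            if im:
                found.append(UbsanOob(lm["file"], int(lm["line"]), int(im["idx"]),
                                      im["type"].strip(), int(im["size"])))
                i = j + 1
                break
    return found


def bnx2x_oob_warnings(text: str) -> List[UbsanOob]:
    """Only the warnings raised from the bnx2x driver sources."""
    return [w for w in parse_ubsan_oob(text) if w.driver == "bnx2x"]


if __name__ == "__main__":  # usage: dmesg | python3 this_script.py
    for w in bnx2x_oob_warnings(sys.stdin.read()):
        print(f"{w.file}:{w.line}: index {w.index} >= {w.type_name}[{w.size}]")
```

Feeding it the real `dmesg` output of a machine booted with the bnx2x driver gives an empty list on a fixed kernel and one entry per out-of-range access on an affected one.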

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2074215/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp