This bug was fixed in the package linux-oem-6.11 - 6.11.0-1016.16
---------------
linux-oem-6.11 (6.11.0-1016.16) noble; urgency=medium
* noble/linux-oem-6.11: 6.11.0-1016.16 -proposed tracker (LP:
#2097999)
* Enable AMD ACP70/ACP71 and relevant soundwire support (LP: #2098457)
- ASoC: amd: Add acpi machine id for acp7.0 version based platform
- ASoC: SOF: amd: add support for acp7.0 based platform
- ASoC: SOF: amd: Fix for incorrect DMA ch status register offset
- soundwire: sdw_intel: include linux/acpi.h
- ASoC/soundwire: remove sdw_slave_extended_id
- drm/amd: Add some missing straps from NBIO 7.11.0
- drm/amd: Fix initialization mistake for NBIO 7.11 devices
- ASoC: amd: ps: rename structure names, variable and other macros
- ASoC: amd: ps: use macro for ACP6.3 pci revision id
- ASoC: amd: ps: add acp pci driver hw_ops for acp6.3 platform
- ASoC: amd: ps: add callback functions for acp pci driver pm ops
- ASoC: amd: ps: add callback to read acp pin configuration
- ASoC: amd: ps: add soundwire dma irq thread callback
- ASoC: amd: ps: refactor soundwire dma interrupt handling
- ASoC: amd: ps: store acp revision id in SoundWire dma driver private data
- ASoC: amd: ps: refactor soundwire dma driver code
- ASoC: amd: ps: refactor soundwire dma interrupts enable/disable sequence
- ASoC: amd: ps: rename acp_restore_sdw_dma_config() function
- ASoC: amd: ps: add pci driver hw_ops for ACP7.0 & ACP7.1 variants
- ASoC: amd: ps: add pm ops related hw_ops for ACP7.0 & ACP7.1 platforms
- ASoC: amd: ps: add ACP7.0 & ACP7.1 specific soundwire dma driver changes
- ASoC: amd: ps: implement function to restore dma config for ACP7.0
platform
- ASoC: amd: ps: add soundwire dma interrupts handling for ACP7.0 platform
- ASoC: amd: ps: add soundwire wake interrupt handling
- ASoC: amd: ps: update file description and copyright year
- ASoC: amd: update Pink Sardine platform Kconfig description
- ASoC: amd: acp: add machine driver changes for ACP7.0 and ACP7.1 platforms
- ASoC: amd: acp: add RT711, RT714 & RT1316 support for ACP7.0 platform
- ASoC: amd: acp: amd-acp70-acpi-match: Add rt722 support
- ASoC: amd: acp: amd-acp70-acpi-match: Add RT1320 & RT722 combination
soundwire machine
- ASoC: amd: amd_sdw: Add quirks for Dell SKU's
- [Config] Enable ACP70-related configs form AMD platforms
- soundwire: amd: change the soundwire wake enable/disable sequence
- soundwire: amd: add debug log for soundwire wake event
- soundwire: amd: add support for ACP7.0 & ACP7.1 platforms
- soundwire: amd: set device power state during suspend/resume sequence
- soundwire: amd: set ACP_PME_EN during runtime suspend sequence
- soundwire: amd: add soundwire host wake interrupt enable/disable sequence
- ASoC: amd: ps: use switch statements for acp pci revision id check
* OLED panel screen backlight brightness does not change with brightness
hotkey(F6&F7 Key) (LP: #2097818)
- drm/i915/display: convert dp aux backlight to struct intel_display
- drm/dp: Add eDP 1.5 bit definition
- drm/dp: Increase eDP display control capability size
- drm/i915/backlight: Use proper interface based on eDP version
- drm/i915/backlight: Check Luminance based brightness control for VESA
- drm/i915/backlight: Modify function to get VESA brightness in Nits
- drm/i915/backlight: Add function to change brightness in nits for VESA
- drm/i915/backlight: Setup nits based luminance via VESA
- drm/i915/backlight: Enable nits based luminance
* Remove genphy_config_eee_advert() that accesses eee_broken_modes in buggy
manners (LP: #2098171)
- net: phy: make genphy_c45_write_eee_adv() static
- net: phy: export genphy_c45_an_config_eee_aneg
- net: phy: broadcom: use genphy_c45_an_config_eee_aneg in
bcm_config_lre_aneg
- net: phy: remove genphy_config_eee_advert
* Add version information for Intel ISH firmware (LP: #2095390)
- HID: intel-ish-hid: Add firmware version sysfs attributes
* Respect _WOV entry in BIOS when enabling microphone on AMD acp6x platforms
(LP: #2093162)
- ASoC: amd: yc: Fix the wrong return value
- ASoC: amd: ps: Fix for enabling DMIC on acp63 platform via _DSD entry
* [Enablement] TI AMP TAS2781 Enablement (LP: #2098176)
- ALSA: hda/tas2781: Add tas2781 hda SPI driver
- [Config] Enable CONFIG_SND_HDA_SCODEC_TAS2781_SPI
* Add missing ARL IDs for intel_rapl and intel_rapl_msr drivers (LP: #2097821)
- powercap: intel_rapl_msr: Add PL4 support for ArrowLake-H
- powercap: intel_rapl: Add support for ArrowLake-U platform
* [SRU] Add Intel Touch Host Controller drivers (LP: #2096624)
- HID: THC: Add documentation
- HID: intel-thc-hid: Add basic THC driver skeleton
- HID: intel-thc-hid: intel-thc: Add THC registers definition
- HID: intel-thc-hid: intel-thc: Add THC PIO operation APIs
- HID: intel-thc-hid: intel-thc: Add APIs for interrupt
- HID: intel-thc-hid: intel-thc: Add THC DMA interfaces
- HID: intel-thc-hid: intel-thc: Add THC LTR interfaces
- HID: intel-thc-hid: intel-thc: Add THC interrupt handler
- HID: intel-thc-hid: intel-thc: Add THC SPI config interfaces
- HID: intel-thc-hid: intel-thc: Add THC I2C config interfaces
- HID: intel-thc-hid: intel-quickspi: Add THC QuickSPI driver skeleton
- HID: intel-thc-hid: intel-quickspi: Add THC QuickSPI driver hid layer
- HID: intel-thc-hid: intel-quickspi: Add THC QuickSPI ACPI interfaces
- HID: intel-thc-hid: intel-quickspi: Add HIDSPI protocol implementation
- HID: intel-thc-hid: intel-quickspi: Complete THC QuickSPI driver
- HID: intel-thc-hid: intel-quickspi: Add PM implementation
- HID: intel-thc-hid: intel-quicki2c: Add THC QuickI2C driver skeleton
- HID: intel-thc-hid: intel-quicki2c: Add THC QuickI2C driver hid layer
- HID: intel-thc-hid: intel-quicki2c: Add THC QuickI2C ACPI interfaces
- HID: intel-thc-hid: intel-quicki2c: Add HIDI2C protocol implementation
- HID: intel-thc-hid: intel-quicki2c: Complete THC QuickI2C driver
- HID: intel-thc-hid: intel-quicki2c: Add PM implementation
- HID: Wacom: Add PCI Wacom device support
- HID: intel-thc-hid: intel-thc: Fix error code in thc_i2c_subip_init()
- HID: intel-thc-hid: intel-quicki2c: fix potential memory corruption
- HID: intel-thc-hid: fix build errors in um mode
- [Config] Enable Intel THC HID Support
[ Ubuntu: 6.11.0-19.19 ]
* oracular/linux: 6.11.0-19.19 -proposed tracker (LP: #2098000)
* python perf module missing in realtime kernel (LP: #2089411)
- [Packaging] linux-tools: Add missing python perf symlink
- [Packaging] linux-tools: Fix python perf library packaging
- [Packaging] linux-tools: Fall back to old python perf path
* CVE-2024-56672
- blk-cgroup: Fix UAF in blkcg_unpin_online()
* CVE-2024-56658
- net: defer final 'struct net' free in netns dismantle
-- Kuan-Ying Lee <kuan-ying....@canonical.com> Thu, 20 Feb 2025
13:47:09 +0800
** Changed in: linux-oem-6.11 (Ubuntu Noble)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-56658
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-56672
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-6.11 in Ubuntu.
https://bugs.launchpad.net/bugs/2098171
Title:
Remove genphy_config_eee_advert() that accesses eee_broken_modes in
buggy manners
Status in linux-oem-6.11 package in Ubuntu:
New
Status in linux-oem-6.11 source package in Noble:
Fix Released
Bug description:
[ Impact ]
genphy_config_eee_advert() was removed in "net: phy: remove
genphy_config_eee_advert"[1] before the phydev->eee_broken_modes was
converted from a u32 to bitmap (underlyingly an array of unsigned
long) in "net: phy: switch eee_broken_modes to linkmode bitmap and add
accessor"[2]. The later one was backported to the OEM 6.11 kernel, but
the former one wasn't.
In the remaining genphy_config_eee_advert() in the OEM kernel, it will
pass phy_device->eee_broken_modes to phy_modify_mmd_changed(), which
assumes that eee_broken_modes is still an integer, leading to a bug
that converts a pointer to an integer.
gcc 13.3 will emit warning, while clang 18.1.3 and gcc 14 catch this
error:
drivers/net/phy/phy_device.c:2196:15: warning: address of array
'phydev->eee_broken_modes' will always evaluate to 'true'
[-Wpointer-bool-conversion]
2196 | if (!phydev->eee_broken_modes)
| ~~~~~~~~~^~~~~~~~~~~~~~~~
drivers/net/phy/phy_device.c:2200:10: error: incompatible pointer to integer
conversion passing 'unsigned long[2]' to parameter of type 'u16' (aka 'unsigned
short') [-Wint-conversion]
2200 | phydev->eee_broken_modes, 0);
| ^~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/phy.h:1438:11: note: passing argument to parameter 'mask' here
1438 | u16 mask, u16 set);
| ^
1 warning and 1 error generated.
This can be resolved by backporting [1] that fully replaces the
genphy_config_eee_advert() in the 6.11 oem kernel.
[ Test plan ]
Compile the relevant part by the said compilers. For example on Noble:
$ make LLVM=1 drivers/net/phy/
The above error/warning message shouldn’t appear.
This was introduced only in the 6.11 OEM kernel, which is intended for
PCs under Noble certification. According to records from the
certification team website, currently there’s no PC with Broadcom
ethernet devices under certification, so in theory there’s no actual
user for the relevant code.
[ Where the problems could occur ]
This access pattern to the phydev->eee_broken_modes happens only in
genphy_config_eee_advert() in drivers/net/phy/bcm-phy-lib.c, which is
also its only user. There’s only one place in the code where this
function is used, and from the record on the certification website
there hasn’t been any PC with Broadcom components undergoing Noble
certification. So the impact should be limited.
[1]
https://lore.kernel.org/all/69d22b31-57d1-4b01-bfde-0c6a1df1e...@gmail.com/#r
[2]
https://lore.kernel.org/all/405734c5-0ed4-40e4-9ac9-91084b953...@gmail.com/#r
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-oem-6.11/+bug/2098171/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
