From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Felix Fietkau <nbd@nbd.name>,
Lorenzo Bianconi <lorenzo@kernel.org>,
Ryder Lee <ryder.lee@mediatek.com>,
Shayne Chen <shayne.chen@mediatek.com>,
Sean Wang <sean.wang@mediatek.com>
Cc: "open list:MEDIATEK MT76 WIRELESS LAN DRIVER"
<linux-wireless@vger.kernel.org>,
"moderated list:ARM/Mediatek SoC support"
<linux-mediatek@lists.infradead.org>,
regressions@lists.linux.dev
Subject: strnlen buffer overflow in mt76_connac2_load_patch - 6.19-rc2
Date: Sat, 27 Dec 2025 21:31:15 +0100 [thread overview]
Message-ID: <aVBCFKub6vCFsFVB@mail-itl> (raw)
Hi,
After updating to 6.19-rc2 I'm hitting the following panic on boot. It
worked in 6.18.2. It is a Xen HVM domU with a PCI device attached, this
one specifically:
02:00.0 Network controller [0280]: MEDIATEK Corp. MT7921K (RZ608) Wi-Fi 6E 80MHz [14c3:0608]
And the crash is:
------------[ cut here ]------------
strnlen: detected buffer overflow: 17 byte read of buffer size 16
WARNING: lib/string_helpers.c:1035 at __fortify_report+0x4f/0x90, CPU#1: kworker/1:1/51
Modules linked in: mt7921e mt7921_common mt792x_lib mt76_connac_lib mt76 intel_rapl_msr intel_rapl_common mac80211 ghash_clmulni_intel cfg80211 rfkill ehci_pci libarc4 pcspkr ehci_hcd igc ata_generic i2c_piix4 pata_acpi i2c_smbus serio_raw xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn i2c_dev fuse loop nfnetlink overlay xen_blkfront
CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Not tainted 6.19.0-0.rc2.1.qubes.1001.fc41.x86_64 #1 PREEMPT(full)
Hardware name: Xen HVM domU, BIOS 4.19.4 12/21/2025
Workqueue: events mt7921_init_work [mt7921_common]
RIP: 0010:__fortify_report+0x4f/0x90
Code: 48 83 fb 11 73 34 40 84 ed 48 c7 c0 02 62 d4 86 48 c7 c1 0c 62 d4 86 48 8b 34 dd 40 3d 54 86 48 0f 44 c8 48 8d 3d e1 af a5 01 <67> 48 0f b9 3a 48 83 c4 10 5b 5d e9 1c fb 4d ff 48 89 34 24 48 c7
RSP: 0018:ffffd1b3801bbd38 EFLAGS: 00010246
RAX: ffffffff86d46202 RBX: 0000000000000001 RCX: ffffffff86d46202
RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
RBP: 0000000000000000 R08: 0000000000000010 R09: ffffd1b380389000
R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000076de8e89f001 CR3: 000000000f4bb000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? request_firmware+0x3e/0x50
__fortify_panic+0xd/0xf
mt76_connac2_load_patch.cold+0x2b/0xe4 [mt76_connac_lib]
mt792x_load_firmware+0x36/0x150 [mt792x_lib]
mt7921_run_firmware+0x23/0xd0 [mt7921_common]
mt7921e_mcu_init+0x4c/0x7a [mt7921e]
mt7921_init_work+0x51/0x190 [mt7921_common]
process_one_work+0x18d/0x340
worker_thread+0x256/0x3a0
? __pfx_worker_thread+0x10/0x10
kthread+0xfc/0x240
? __pfx_kthread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x126/0x190
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kernel BUG at lib/string_helpers.c:1043!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Tainted: G W 6.19.0-0.rc2.1.qubes.1001.fc41.x86_64 #1 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Xen HVM domU, BIOS 4.19.4 12/21/2025
Workqueue: events mt7921_init_work [mt7921_common]
RIP: 0010:__fortify_panic+0xd/0xf
Code: 44 8b 14 24 e9 12 dc 9c 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 40 0f b6 ff e8 e3 f3 9c 00 <0f> 0b 48 8b 54 24 10 48 8b 74 24 08 4c 89 e9 48 c7 c7 16 5d d1 86
RSP: 0018:ffffd1b3801bbd60 EFLAGS: 00010286
RAX: ffffffff86d46202 RBX: 0000000000000000 RCX: ffffffff86d46202
RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
RBP: ffff8d0a4b752060 R08: 0000000000000010 R09: ffffd1b380389000
R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000076de8e89f001 CR3: 000000000f4bb000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
mt76_connac2_load_patch.cold+0x2b/0xe4 [mt76_connac_lib]
mt792x_load_firmware+0x36/0x150 [mt792x_lib]
mt7921_run_firmware+0x23/0xd0 [mt7921_common]
mt7921e_mcu_init+0x4c/0x7a [mt7921e]
mt7921_init_work+0x51/0x190 [mt7921_common]
process_one_work+0x18d/0x340
worker_thread+0x256/0x3a0
? __pfx_worker_thread+0x10/0x10
kthread+0xfc/0x240
? __pfx_kthread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x126/0x190
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in: mt7921e mt7921_common mt792x_lib mt76_connac_lib mt76 intel_rapl_msr intel_rapl_common mac80211 ghash_clmulni_intel cfg80211 rfkill ehci_pci libarc4 pcspkr ehci_hcd igc ata_generic i2c_piix4 pata_acpi i2c_smbus serio_raw xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn i2c_dev fuse loop nfnetlink overlay xen_blkfront
---[ end trace 0000000000000000 ]---
RIP: 0010:__fortify_panic+0xd/0xf
Code: 44 8b 14 24 e9 12 dc 9c 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 40 0f b6 ff e8 e3 f3 9c 00 <0f> 0b 48 8b 54 24 10 48 8b 74 24 08 4c 89 e9 48 c7 c7 16 5d d1 86
RSP: 0018:ffffd1b3801bbd60 EFLAGS: 00010286
RAX: ffffffff86d46202 RBX: 0000000000000000 RCX: ffffffff86d46202
RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
RBP: ffff8d0a4b752060 R08: 0000000000000010 R09: ffffd1b380389000
R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00006225eb492548 CR3: 000000000e1b3000 CR4: 0000000000750ef0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x4c00000 from 0xffffffff80200000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
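The first line of the trace is the kernel's FORTIFY_SOURCE strnlen() wrapper firing: the bound passed to strnlen() was larger than the 16-byte object it was pointed at, and no NUL was found inside that object. The following is an added user-space model of that check (it is neither the reporter's code nor the mt76 driver; the 16-byte unterminated field is constructed for illustration), showing why a bound of sizeof(field) + 1 produces "17 byte read of buffer size 16" while a bound of sizeof(field) does not:

```c
/* Added example (not the mt76 driver's code): user-space model of the kernel
 * FORTIFY_SOURCE strnlen() check behind "17 byte read of buffer size 16". */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

struct fortify_result {
	size_t len;       /* what strnlen returns */
	size_t read_size; /* bytes an unfortified strnlen would have touched */
	int overflow;     /* 1 if read_size exceeds the object size */
};

/* Mirrors include/linux/fortify-string.h: scan at most p_size bytes; if no
 * NUL lies within the object and the caller's maxlen is larger, report it. */
static struct fortify_result
fortified_strnlen(const char *p, size_t p_size, size_t maxlen)
{
	struct fortify_result r;
	r.len = strnlen(p, maxlen < p_size ? maxlen : p_size);
	r.read_size = r.len + 1;
	r.overflow = (p_size <= r.len && maxlen != r.len);
	return r;
}

/* Constructed stand-in for a fixed-width header field with no terminator. */
static const char sample_field[16] = {
	'2','0','2','5','1','2','2','7','1','2','3','4','5','6','7','8'
};

/* Bound larger than the field (sizeof + 1): the check trips. */
struct fortify_result check_oversized_bound(void)
{
	return fortified_strnlen(sample_field, sizeof(sample_field),
				 sizeof(sample_field) + 1);
}

/* Bound equal to the field size: an unterminated field just yields 16. */
struct fortify_result check_sized_bound(void)
{
	return fortified_strnlen(sample_field, sizeof(sample_field),
				 sizeof(sample_field));
}

int main(void)
{
	struct fortify_result bad = check_oversized_bound();
	printf("%zu byte read of buffer size %zu (overflow=%d); sized bound len=%zu\n",
	       bad.read_size, sizeof(sample_field), bad.overflow, check_sized_bound().len);
	return 0;
}
```

In the kernel the fortified wrapper never actually reads past the object (it clamps the scan to p_size); the report describes the read the unfortified call would have made, which is why the fix for such a warning is to bound the call by the field size or print the field with a width-limited %.16s-style format.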