linux-wireless.vger.kernel.org archive mirror
* [REGRESSION] mt76: fortify panic on mt7921e during firmware load (bisected)
@ 2025-12-05 11:06 Mikhail Gavrilov
  2025-12-05 15:45 ` [PATCH] [PATCH] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch Mikhail Gavrilov
  2025-12-05 16:12 ` [PATCH v2] " Mikhail Gavrilov
  0 siblings, 2 replies; 9+ messages in thread
From: Mikhail Gavrilov @ 2025-12-05 11:06 UTC (permalink / raw)
  To: superm1, Felix Fietkau, Linux List Kernel Mailing,
	Linux List Kernel Mailing, Linux regressions mailing list

[-- Attachment #1: Type: text/plain, Size: 2971 bytes --]

Hi,

After updating to a kernel containing commit

    f804a5895eba ("wifi: mt76: Strip whitespace from build date")

the MediaTek MT7921e (PCIe) Wi-Fi card triggers a fortify buffer-overrun
warning followed by a kernel BUG/panic very early during boot while the
driver is loading firmware:

[   22.955210] strnlen: detected buffer overflow: 17 byte read of buffer size 16
[   22.955519] kernel BUG at lib/string_helpers.c:1043!
[   22.955523] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
...
[   22.955544]  mt76_connac2_load_patch.cold+0x180/0x1ea [mt76_connac_lib]
[   22.955560]  mt792x_load_firmware+0x85/0x420 [mt792x_lib]
[   22.955563]  mt7921_run_firmware+0x67/0x180 [mt7921_common]
[   22.955567]  mt7921e_mcu_init+0xba/0x18d [mt7921e]
...

Full dmesg and .config are attached (dmesg-6.18.0-559e608c4655.txt,
.config). The system is an ASUS ROG STRIX B650E-I GAMING WIFI with a Ryzen 9
7950 (non-X3D); the Wi-Fi card is the onboard MediaTek MT7921e. Full probe:
https://linux-hardware.org/?probe=e7346d94e1

Bisection cleanly points to the offending commit:
Author: Mario Limonciello (AMD) <superm1@kernel.org>
Date:   Thu Nov 20 09:58:27 2025 -0600

    wifi: mt76: Strip whitespace from build ddate

    On systems I have with mt7925 cards I've been noticing a blank line in my
    kernel logs, i.e.:
    ```
    [   17.294105] mt7925e 0000:c3:00.0: HW/SW Version: 0x8a108a10, Build Time: 20250721232852a

    [   17.314233] r8169 0000:c4:00.0 enp196s0f0: Link is Down
    ```

    This is because the build_date from the header has a newline character
    as does the dev_info() print.  As the firmware isn't guaranteed to always
    have a newline but the print is, copy the firmware build date to a
    temporary variable and strip any whitespace from it before showing it in
    the logs.

    Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
    Link: https://patch.msgid.link/20251120155829.3494747-1-superm1@kernel.org
    Signed-off-by: Felix Fietkau <nbd@nbd.name>

 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Reverting f804a5895eba on top of 559e608c4655 makes the panic disappear
completely and the Wi-Fi card works normally again.

The problem is caused by the new code in mt76_connac_mcu.c that copies
the firmware build-date string into a stack buffer of size 16 and then
calls str_replace(build_date, " ", "") (and later dev_info() with the
modified buffer). The firmware on the MT7921e card apparently contains
a build-date string that is exactly 16 bytes long plus the trailing NUL,
so after the first space is replaced with a NUL the following strim()
(or any other string function) still walks past the end of the 16-byte
buffer when it looks for more whitespace, triggering the fortify check.

I do not have a proposed fix yet, but reverting the commit is a reliable
workaround for now.

#regzbot introduced: f804a5895eba

-- 
Best Regards,
Mike Gavrilov.

[-- Attachment #2: dmesg-6.18.0-559e608c4655.zip --]
[-- Type: application/zip, Size: 49239 bytes --]

[-- Attachment #3: .config.zip --]
[-- Type: application/zip, Size: 70746 bytes --]
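As an added illustration of the over-read described in the report above (this is example code written for this page, not code from the thread, from the posted patch or from the mt76 driver), the userspace C program below models the check that FORTIFY_SOURCE applies to strnlen() and contrasts the strscpy() pattern that tripped it with the memcpy() plus explicit NUL terminator pattern. struct patch_hdr_example, the three sample headers and every helper name are assumptions made for the example; the real struct mt76_connac2_patch_hdr has more members and a different layout, and the only thing carried over from the report is that build_date is a 16-byte field the firmware need not NUL-terminate.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the firmware patch header (assumption for this
 * example, not the driver's real struct). build_date is fixed width and the
 * firmware is not required to NUL-terminate it. */
struct patch_hdr_example {
	uint32_t hw_sw_ver;
	char build_date[16];
	uint8_t trailing[8];	/* whatever follows the field in the image */
};

/* Model of FORTIFY's strnlen() check: scan at most min(count, object size)
 * bytes; if the scan exhausts the object without a NUL while the caller
 * asked for more, the kernel reports "<count> byte read of buffer size
 * <size>" and panics. Here that case returns -1 instead. */
static int fortified_strnlen(const char *src, size_t src_size, size_t count)
{
	size_t limit = count < src_size ? count : src_size;
	size_t n = 0;

	while (n < limit && src[n] != '\0')
		n++;
	if (n >= src_size && n != count)
		return -1;
	return (int)n;
}

/* The regressed pattern: strscpy(dst, hdr->build_date, 17). The fortified
 * strscpy() measures its source with strnlen(src, dst_size), so a 17-byte
 * destination asks for 17 bytes of a 16-byte field. Returns false when the
 * check would have fired instead of copying. */
static bool copy_build_date_strscpy_style(char *dst, size_t dst_size,
					  const struct patch_hdr_example *hdr)
{
	int len = fortified_strnlen(hdr->build_date, sizeof(hdr->build_date),
				    dst_size);
	size_t n;

	if (len < 0)
		return false;
	n = (size_t)len < dst_size ? (size_t)len : dst_size - 1;
	memcpy(dst, hdr->build_date, n);
	dst[n] = '\0';
	return true;
}

/* Same contract as the kernel's strim(): overwrite trailing whitespace with
 * NULs in place, return a pointer past any leading whitespace. The buffer
 * itself keeps its leading whitespace; only the return value skips it. */
static char *strim_like(char *s)
{
	size_t len = strlen(s);

	while (len && isspace((unsigned char)s[len - 1]))
		s[--len] = '\0';
	while (*s && isspace((unsigned char)*s))
		s++;
	return s;
}

/* The fixed pattern: copy exactly the field width, terminate in a buffer one
 * byte larger, then trim. No string function ever touches the source field,
 * so a missing NUL in the firmware cannot cause an over-read.
 * buf must hold at least sizeof(hdr->build_date) + 1 bytes. */
static const char *format_build_date(char *buf,
				     const struct patch_hdr_example *hdr)
{
	memcpy(buf, hdr->build_date, sizeof(hdr->build_date));
	buf[sizeof(hdr->build_date)] = '\0';
	return strim_like(buf);
}

/* Constructed sample headers, not bytes from any real firmware image. */
static const struct patch_hdr_example hdr_newline = {
	.hw_sw_ver = 0x8a108a10,
	.build_date = "20250721232852a\n",	/* 16 bytes, newline, no NUL */
};
static const struct patch_hdr_example hdr_full = {
	.hw_sw_ver = 0x8a108a10,
	.build_date = "2025072123285212",	/* 16 bytes, no NUL at all */
};
static const struct patch_hdr_example hdr_short = {
	.hw_sw_ver = 0x8a108a10,
	.build_date = "20250721 ",		/* NUL-terminated inside the field */
};

/* Destination sized like the buffer in the posted fix: field width + 1. */
static char scratch[sizeof(hdr_newline.build_date) + 1];

int main(void)
{
	const struct patch_hdr_example *hdrs[] = { &hdr_newline, &hdr_full, &hdr_short };
	size_t i;

	for (i = 0; i < sizeof(hdrs) / sizeof(hdrs[0]); i++) {
		if (copy_build_date_strscpy_style(scratch, sizeof(scratch), hdrs[i]))
			printf("strscpy-style: ok \"%s\"\n", scratch);
		else
			printf("strscpy-style: FORTIFY would panic (%zu byte read of %zu byte field)\n",
			       sizeof(scratch), sizeof(hdrs[i]->build_date));
		printf("memcpy+NUL:    \"%s\"\n", format_build_date(scratch, hdrs[i]));
	}
	return 0;
}
```

The two headers without a terminating NUL are exactly the shape of firmware that the 17-byte strscpy() cannot handle: the fortified strnlen() reaches the end of the 16-byte field without finding a NUL, and because the caller asked for one byte more than the field holds, the check fires before any copy happens. The memcpy() version never asks a string function to inspect the source, so all three inputs print cleanly.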

* Re: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
@ 2025-12-22 10:48 Filippo Rossoni
  0 siblings, 0 replies; 9+ messages in thread
From: Filippo Rossoni @ 2025-12-22 10:48 UTC (permalink / raw)
  To: matthew.schwartz
  Cc: linux-kernel, linux-mediatek, linux-wireless, lorenzo,
	mikhail.v.gavrilov, nbd, superm1

[-- Attachment #1: Type: text/plain, Size: 299 bytes --]

Hello,
What is the status of this patch?
I'm compiling the latest kernel with this patch to have Wi-Fi working.
The current status is not working; if there are problems with this patch,
I propose to revert the commit
[f804a5895ebad2b2d4fb8a3688d2115926e993d5] wifi: mt76: Strip
whitespace from build ddate

[-- Attachment #2: wifi.patch --]
[-- Type: text/x-patch, Size: 1383 bytes --]

diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index ea99167765b0..0fbfa449d6fe 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -3101,7 +3101,7 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
 	int i, ret, sem, max_len = mt76_is_sdio(dev) ? 2048 : 4096;
 	const struct mt76_connac2_patch_hdr *hdr;
 	const struct firmware *fw = NULL;
-	char build_date[17];
+
 
 	sem = mt76_connac_mcu_patch_sem_ctrl(dev, true);
 	switch (sem) {
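Review bot: the `+` line that replaces `char build_date[17];` is an empty line, so the declaration block now ends in two blank lines (this one plus the existing blank context line) and checkpatch will flag the whitespace-only addition. Either delete the declaration outright, or better, keep it here with the right size, `char build_date[sizeof(hdr->build_date) + 1];`, since `hdr` is already in this function's declaration list and kernel style keeps locals at the top of the function rather than in a nested block.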
@@ -3125,12 +3125,14 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
 	}
 
 	hdr = (const void *)fw->data;
-	strscpy(build_date, hdr->build_date, sizeof(build_date));
-	build_date[16] = '\0';
-	strim(build_date);
-	dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
-		 be32_to_cpu(hdr->hw_sw_ver), build_date);
-
+	{
+		char build_date[sizeof(hdr->build_date)+1];
+		memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
+		build_date[sizeof(hdr->build_date)] = '\0';
+		strim(build_date);
+		dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
+			be32_to_cpu(hdr->hw_sw_ver), build_date);
+	}
 	for (i = 0; i < be32_to_cpu(hdr->desc.n_region); i++) {
 		struct mt76_connac2_patch_sec *sec;
 		u32 len, addr, mode;
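Review bot: the bare `{ ... }` block wrapped around the build_date handling is not kernel style; move `char build_date[sizeof(hdr->build_date) + 1];` to the function's declaration list and drop the braces, which also restores the blank line between the dev_info() and the `for` loop that this hunk removes, and put spaces around the operator in `sizeof(hdr->build_date)+1`. The memcpy() plus explicit NUL terminator is the right replacement for the strscpy(): it reads exactly the 16-byte field and never asks strnlen() to look at a 17th byte, which is what FORTIFY reported. One further point: strim() only NUL-terminates after the last non-space byte in place and returns a pointer past any leading whitespace, so with the return value discarded, leading whitespace from the firmware string would still be printed; if that matters, pass `strim(build_date)` to dev_info() instead.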



Thread overview: 9+ messages
2025-12-05 11:06 [REGRESSION] mt76: fortify panic on mt7921e during firmware load (bisected) Mikhail Gavrilov
2025-12-05 15:45 ` [PATCH] [PATCH] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch Mikhail Gavrilov
2025-12-05 16:12 ` [PATCH v2] " Mikhail Gavrilov
2025-12-05 18:14   ` Mario Limonciello
2025-12-13  2:35   ` Eric Biggers
2025-12-13  2:50     ` Mario Limonciello (AMD) (kernel.org)
2025-12-19 20:49   ` Matthew Schwartz
2025-12-23 21:54   ` Nathan Chancellor
  -- strict thread matches above, loose matches on Subject: below --
2025-12-22 10:48 Filippo Rossoni
