linux-wireless.vger.kernel.org archive mirror
From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Felix Fietkau <nbd@nbd.name>,
	Lorenzo Bianconi <lorenzo@kernel.org>,
	Ryder Lee <ryder.lee@mediatek.com>,
	Shayne Chen <shayne.chen@mediatek.com>,
	Sean Wang <sean.wang@mediatek.com>
Cc: "open list:MEDIATEK MT76 WIRELESS LAN DRIVER"
	<linux-wireless@vger.kernel.org>,
	"moderated list:ARM/Mediatek SoC support"
	<linux-mediatek@lists.infradead.org>,
	regressions@lists.linux.dev
Subject: strnlen buffer overflow in mt76_connac2_load_patch - 6.19-rc2
Date: Sat, 27 Dec 2025 21:31:15 +0100
Message-ID: <aVBCFKub6vCFsFVB@mail-itl>

Hi,

After updating to 6.19-rc2 I'm hitting the following panic on boot. It
worked in 6.18.2. It is a Xen HVM domU with a PCI device attached, this
one specifically:

02:00.0 Network controller [0280]: MEDIATEK Corp. MT7921K (RZ608) Wi-Fi 6E 80MHz [14c3:0608]

And the crash is:

    ------------[ cut here ]------------
    strnlen: detected buffer overflow: 17 byte read of buffer size 16
    WARNING: lib/string_helpers.c:1035 at __fortify_report+0x4f/0x90, CPU#1: kworker/1:1/51
    Modules linked in: mt7921e mt7921_common mt792x_lib mt76_connac_lib mt76 intel_rapl_msr intel_rapl_common mac80211 ghash_clmulni_intel cfg80211 rfkill ehci_pci libarc4 pcspkr ehci_hcd igc ata_generic i2c_piix4 pata_acpi i2c_smbus serio_raw xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn i2c_dev fuse loop nfnetlink overlay xen_blkfront
    CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Not tainted 6.19.0-0.rc2.1.qubes.1001.fc41.x86_64 #1 PREEMPT(full) 
    Hardware name: Xen HVM domU, BIOS 4.19.4 12/21/2025
    Workqueue: events mt7921_init_work [mt7921_common]
    RIP: 0010:__fortify_report+0x4f/0x90
    Code: 48 83 fb 11 73 34 40 84 ed 48 c7 c0 02 62 d4 86 48 c7 c1 0c 62 d4 86 48 8b 34 dd 40 3d 54 86 48 0f 44 c8 48 8d 3d e1 af a5 01 <67> 48 0f b9 3a 48 83 c4 10 5b 5d e9 1c fb 4d ff 48 89 34 24 48 c7
    RSP: 0018:ffffd1b3801bbd38 EFLAGS: 00010246
    RAX: ffffffff86d46202 RBX: 0000000000000001 RCX: ffffffff86d46202
    RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
    RBP: 0000000000000000 R08: 0000000000000010 R09: ffffd1b380389000
    R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
    R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000076de8e89f001 CR3: 000000000f4bb000 CR4: 0000000000750ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? request_firmware+0x3e/0x50
     __fortify_panic+0xd/0xf
     mt76_connac2_load_patch.cold+0x2b/0xe4 [mt76_connac_lib]
     mt792x_load_firmware+0x36/0x150 [mt792x_lib]
     mt7921_run_firmware+0x23/0xd0 [mt7921_common]
     mt7921e_mcu_init+0x4c/0x7a [mt7921e]
     mt7921_init_work+0x51/0x190 [mt7921_common]
     process_one_work+0x18d/0x340
     worker_thread+0x256/0x3a0
     ? __pfx_worker_thread+0x10/0x10
     kthread+0xfc/0x240
     ? __pfx_kthread+0x10/0x10
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x126/0x190
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1a/0x30
     </TASK>
    ---[ end trace 0000000000000000 ]---
    ------------[ cut here ]------------
    kernel BUG at lib/string_helpers.c:1043!
    Oops: invalid opcode: 0000 [#1] SMP NOPTI
    CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Tainted: G        W           6.19.0-0.rc2.1.qubes.1001.fc41.x86_64 #1 PREEMPT(full) 
    Tainted: [W]=WARN
    Hardware name: Xen HVM domU, BIOS 4.19.4 12/21/2025
    Workqueue: events mt7921_init_work [mt7921_common]
    RIP: 0010:__fortify_panic+0xd/0xf
    Code: 44 8b 14 24 e9 12 dc 9c 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 40 0f b6 ff e8 e3 f3 9c 00 <0f> 0b 48 8b 54 24 10 48 8b 74 24 08 4c 89 e9 48 c7 c7 16 5d d1 86
    RSP: 0018:ffffd1b3801bbd60 EFLAGS: 00010286
    RAX: ffffffff86d46202 RBX: 0000000000000000 RCX: ffffffff86d46202
    RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
    RBP: ffff8d0a4b752060 R08: 0000000000000010 R09: ffffd1b380389000
    R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
    R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000076de8e89f001 CR3: 000000000f4bb000 CR4: 0000000000750ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     mt76_connac2_load_patch.cold+0x2b/0xe4 [mt76_connac_lib]
     mt792x_load_firmware+0x36/0x150 [mt792x_lib]
     mt7921_run_firmware+0x23/0xd0 [mt7921_common]
     mt7921e_mcu_init+0x4c/0x7a [mt7921e]
     mt7921_init_work+0x51/0x190 [mt7921_common]
     process_one_work+0x18d/0x340
     worker_thread+0x256/0x3a0
     ? __pfx_worker_thread+0x10/0x10
     kthread+0xfc/0x240
     ? __pfx_kthread+0x10/0x10
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x126/0x190
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1a/0x30
     </TASK>
    Modules linked in: mt7921e mt7921_common mt792x_lib mt76_connac_lib mt76 intel_rapl_msr intel_rapl_common mac80211 ghash_clmulni_intel cfg80211 rfkill ehci_pci libarc4 pcspkr ehci_hcd igc ata_generic i2c_piix4 pata_acpi i2c_smbus serio_raw xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn i2c_dev fuse loop nfnetlink overlay xen_blkfront
    ---[ end trace 0000000000000000 ]---
    RIP: 0010:__fortify_panic+0xd/0xf
    Code: 44 8b 14 24 e9 12 dc 9c 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 40 0f b6 ff e8 e3 f3 9c 00 <0f> 0b 48 8b 54 24 10 48 8b 74 24 08 4c 89 e9 48 c7 c7 16 5d d1 86
    RSP: 0018:ffffd1b3801bbd60 EFLAGS: 00010286
    RAX: ffffffff86d46202 RBX: 0000000000000000 RCX: ffffffff86d46202
    RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
    RBP: ffff8d0a4b752060 R08: 0000000000000010 R09: ffffd1b380389000
    R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
    R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00006225eb492548 CR3: 000000000e1b3000 CR4: 0000000000750ef0
    PKRU: 55555554
    Kernel panic - not syncing: Fatal exception
    Kernel Offset: 0x4c00000 from 0xffffffff80200000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

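The warning text in the trace above comes from the kernel's FORTIFY_SOURCE wrapper around strnlen() (include/linux/fortify-string.h): it runs the real strnlen(), and if the scan covered the whole object the compiler knows the size of (ret >= object size) without being stopped by maxlen (maxlen != ret), it reports "ret + 1 byte read of buffer size N". "17 byte read of buffer size 16" therefore means strnlen() was called on a 16-byte object with a larger maxlen, found no NUL inside it, and hit a zero byte exactly one past its end. The classic source of that is a fixed-width, unterminated text field in a firmware header. The following is an added illustration of that pattern, not the mt76 driver's code and not the kernel's own wrapper: the header layout, field names, sample bytes and the 32-byte bound in the buggy caller are all constructed here. The model reports 25 of 16 rather than 17 of 16 because in the constructed image the first zero byte after the field is eight bytes further on; the count depends only on where that byte lies.

```c
/* Added illustration, not the mt76 driver or the kernel's own code: a model of
 * the FORTIFY_SOURCE strnlen() check and the caller pattern that trips it.
 * The header layout and the sample bytes below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed firmware header: the image fills these text fields to their
 * full width and does not guarantee a NUL terminator. */
struct patch_hdr {
	char build_date[16];
	char platform[4];
	uint32_t hw_sw_ver;
	uint32_t patch_ver;
};

struct fortify_result {
	bool overflow;       /* the kernel wrapper would call fortify_panic() */
	size_t buffer_size;  /* object size known for p ("buffer size N") */
	size_t bytes_read;   /* ret + 1, the "N byte read" in the warning */
	size_t len;          /* what the unfortified strnlen() returned */
};

/* Model of the kernel's fortified strnlen(): run the real strnlen(), then
 * flag an overflow if the scan covered the whole object (ret >= p_size) and
 * was not stopped by maxlen (maxlen != ret). In that case the byte that
 * ended the scan, NUL or not, sat outside the object. noinline keeps the
 * compiler from reasoning about the object behind p. */
__attribute__((noinline))
static struct fortify_result fortified_strnlen(const char *p, size_t p_size, size_t maxlen)
{
	struct fortify_result r = { .buffer_size = p_size };

	r.len = strnlen(p, maxlen);
	r.bytes_read = r.len + 1;
	r.overflow = (p_size <= r.len && maxlen != r.len);
	return r;
}

/* Buggy caller: the bound is some unrelated limit (32 here), so on a
 * full-width field the scan walks on into platform and the version words. */
static struct fortify_result naive_build_date_len(const struct patch_hdr *hdr)
{
	return fortified_strnlen(hdr->build_date, sizeof(hdr->build_date), 32);
}

/* Fixed caller: the bound is the field's own size, so a full-width field
 * yields 16 and the maxlen == ret exemption in the wrapper applies. */
static struct fortify_result safe_build_date_len(const struct patch_hdr *hdr)
{
	return fortified_strnlen(hdr->build_date, sizeof(hdr->build_date),
				 sizeof(hdr->build_date));
}

/* Copy the field out with an explicit precision: the result is terminated
 * and no byte outside the field is ever examined. */
static bool build_date_matches(const struct patch_hdr *hdr, const char *expected)
{
	char out[sizeof(hdr->build_date) + 1];

	snprintf(out, sizeof(out), "%.*s", (int)sizeof(hdr->build_date), hdr->build_date);
	return strcmp(out, expected) == 0;
}

/* Constructed images. In full_width every byte of build_date is used and the
 * first zero byte after the field is the first byte of patch_ver (offset 24);
 * hw_sw_ver is chosen so that it has no zero byte in either endianness. */
static struct patch_hdr full_width = {
	.build_date = "20251201120000AB",  /* exactly 16 chars: C drops the NUL */
	.platform   = "ALPS",              /* exactly 4 chars, same */
	.hw_sw_ver  = 0x01010101,
	.patch_ver  = 0,
};
static struct patch_hdr short_date = {
	.build_date = "20251201",          /* remaining bytes zero-filled */
	.platform   = "ALPS",
	.hw_sw_ver  = 0x01010101,
	.patch_ver  = 0,
};

int main(void)
{
	struct fortify_result r = naive_build_date_len(&full_width);

	printf("naive: overflow=%d: %zu byte read of buffer size %zu\n",
	       r.overflow, r.bytes_read, r.buffer_size);
	r = safe_build_date_len(&full_width);
	printf("safe:  overflow=%d, len=%zu\n", r.overflow, r.len);
	printf("copied build_date matches: %d\n",
	       build_date_matches(&full_width, "20251201120000AB"));
	return 0;
}
```

The point for anyone bisecting this: the fortify check does not fire on the string's content, it fires on the bound. Any caller that passes a maxlen larger than the object it is scanning is one unterminated firmware image away from this panic, so the bound has to be sizeof the field (or the field has to be copied out with a precision or memcpy before being treated as a C string).
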
Thread overview: 3+ messages
2025-12-27 20:31 Marek Marczykowski-Górecki [this message]
2026-01-05 13:44 ` strnlen buffer overflow in mt76_connac2_load_patch - 6.19-rc2 Thorsten Leemhuis
2026-01-07  2:57   ` Marek Marczykowski-Górecki