* strnlen buffer overflow in mt76_connac2_load_patch - 6.19-rc2
@ 2025-12-27 20:31 Marek Marczykowski-Górecki
From: Marek Marczykowski-Górecki @ 2025-12-27 20:31 UTC
  To: Felix Fietkau, Lorenzo Bianconi, Ryder Lee, Shayne Chen,
	Sean Wang
  Cc: open list:MEDIATEK MT76 WIRELESS LAN DRIVER,
	moderated list:ARM/Mediatek SoC support, regressions


Hi,

After updating to 6.19-rc2 I'm hitting the following panic on boot. It
worked in 6.18.2. It is a Xen HVM domU with a PCI device attached, this
one specifically:

02:00.0 Network controller [0280]: MEDIATEK Corp. MT7921K (RZ608) Wi-Fi 6E 80MHz [14c3:0608]

And the crash is:

    ------------[ cut here ]------------
    strnlen: detected buffer overflow: 17 byte read of buffer size 16
    WARNING: lib/string_helpers.c:1035 at __fortify_report+0x4f/0x90, CPU#1: kworker/1:1/51
    Modules linked in: mt7921e mt7921_common mt792x_lib mt76_connac_lib mt76 intel_rapl_msr intel_rapl_common mac80211 ghash_clmulni_intel cfg80211 rfkill ehci_pci libarc4 pcspkr ehci_hcd igc ata_generic i2c_piix4 pata_acpi i2c_smbus serio_raw xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn i2c_dev fuse loop nfnetlink overlay xen_blkfront
    CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Not tainted 6.19.0-0.rc2.1.qubes.1001.fc41.x86_64 #1 PREEMPT(full) 
    Hardware name: Xen HVM domU, BIOS 4.19.4 12/21/2025
    Workqueue: events mt7921_init_work [mt7921_common]
    RIP: 0010:__fortify_report+0x4f/0x90
    Code: 48 83 fb 11 73 34 40 84 ed 48 c7 c0 02 62 d4 86 48 c7 c1 0c 62 d4 86 48 8b 34 dd 40 3d 54 86 48 0f 44 c8 48 8d 3d e1 af a5 01 <67> 48 0f b9 3a 48 83 c4 10 5b 5d e9 1c fb 4d ff 48 89 34 24 48 c7
    RSP: 0018:ffffd1b3801bbd38 EFLAGS: 00010246
    RAX: ffffffff86d46202 RBX: 0000000000000001 RCX: ffffffff86d46202
    RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
    RBP: 0000000000000000 R08: 0000000000000010 R09: ffffd1b380389000
    R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
    R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000076de8e89f001 CR3: 000000000f4bb000 CR4: 0000000000750ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? request_firmware+0x3e/0x50
     __fortify_panic+0xd/0xf
     mt76_connac2_load_patch.cold+0x2b/0xe4 [mt76_connac_lib]
     mt792x_load_firmware+0x36/0x150 [mt792x_lib]
     mt7921_run_firmware+0x23/0xd0 [mt7921_common]
     mt7921e_mcu_init+0x4c/0x7a [mt7921e]
     mt7921_init_work+0x51/0x190 [mt7921_common]
     process_one_work+0x18d/0x340
     worker_thread+0x256/0x3a0
     ? __pfx_worker_thread+0x10/0x10
     kthread+0xfc/0x240
     ? __pfx_kthread+0x10/0x10
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x126/0x190
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1a/0x30
     </TASK>
    ---[ end trace 0000000000000000 ]---
    ------------[ cut here ]------------
    kernel BUG at lib/string_helpers.c:1043!
    Oops: invalid opcode: 0000 [#1] SMP NOPTI
    CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Tainted: G        W           6.19.0-0.rc2.1.qubes.1001.fc41.x86_64 #1 PREEMPT(full) 
    Tainted: [W]=WARN
    Hardware name: Xen HVM domU, BIOS 4.19.4 12/21/2025
    Workqueue: events mt7921_init_work [mt7921_common]
    RIP: 0010:__fortify_panic+0xd/0xf
    Code: 44 8b 14 24 e9 12 dc 9c 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 40 0f b6 ff e8 e3 f3 9c 00 <0f> 0b 48 8b 54 24 10 48 8b 74 24 08 4c 89 e9 48 c7 c7 16 5d d1 86
    RSP: 0018:ffffd1b3801bbd60 EFLAGS: 00010286
    RAX: ffffffff86d46202 RBX: 0000000000000000 RCX: ffffffff86d46202
    RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
    RBP: ffff8d0a4b752060 R08: 0000000000000010 R09: ffffd1b380389000
    R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
    R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000076de8e89f001 CR3: 000000000f4bb000 CR4: 0000000000750ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     mt76_connac2_load_patch.cold+0x2b/0xe4 [mt76_connac_lib]
     mt792x_load_firmware+0x36/0x150 [mt792x_lib]
     mt7921_run_firmware+0x23/0xd0 [mt7921_common]
     mt7921e_mcu_init+0x4c/0x7a [mt7921e]
     mt7921_init_work+0x51/0x190 [mt7921_common]
     process_one_work+0x18d/0x340
     worker_thread+0x256/0x3a0
     ? __pfx_worker_thread+0x10/0x10
     kthread+0xfc/0x240
     ? __pfx_kthread+0x10/0x10
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x126/0x190
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1a/0x30
     </TASK>
    Modules linked in: mt7921e mt7921_common mt792x_lib mt76_connac_lib mt76 intel_rapl_msr intel_rapl_common mac80211 ghash_clmulni_intel cfg80211 rfkill ehci_pci libarc4 pcspkr ehci_hcd igc ata_generic i2c_piix4 pata_acpi i2c_smbus serio_raw xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn i2c_dev fuse loop nfnetlink overlay xen_blkfront
    ---[ end trace 0000000000000000 ]---
    RIP: 0010:__fortify_panic+0xd/0xf
    Code: 44 8b 14 24 e9 12 dc 9c 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 40 0f b6 ff e8 e3 f3 9c 00 <0f> 0b 48 8b 54 24 10 48 8b 74 24 08 4c 89 e9 48 c7 c7 16 5d d1 86
    RSP: 0018:ffffd1b3801bbd60 EFLAGS: 00010286
    RAX: ffffffff86d46202 RBX: 0000000000000000 RCX: ffffffff86d46202
    RDX: 0000000000000011 RSI: ffffffff86d15c86 RDI: ffffffff8747f5c0
    RBP: ffff8d0a4b752060 R08: 0000000000000010 R09: ffffd1b380389000
    R10: ffffd1b3801bbc40 R11: 00000000ffffffff R12: 0000000000000000
    R13: ffffd1b380389000 R14: 0000000000001000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8d0ac8c52000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00006225eb492548 CR3: 000000000e1b3000 CR4: 0000000000750ef0
    PKRU: 55555554
    Kernel panic - not syncing: Fatal exception
    Kernel Offset: 0x4c00000 from 0xffffffff80200000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

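The "17 byte read of buffer size 16" line in the trace is what the kernel's FORTIFY_SOURCE strnlen emits when its bounded scan reaches the end of a buffer without finding a NUL and the caller's limit is larger than the buffer. The C program below is an added example, not the mt76 driver's code: `struct patch_hdr` is a constructed stand-in for a firmware header with a fixed-width text field (not the real mt76 layout), `fortify_strnlen_overflows` models the kernel's check in userspace, and `build_date_str` shows the bounded accessor that cannot trigger it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical patch header (constructed for this example). Only the shape
 * matters: a fixed-width text field that the firmware may fill completely,
 * leaving no room for a NUL terminator. Not the mt76 driver's real layout. */
struct patch_hdr {
	unsigned int hw_sw_ver;
	char build_date[16];
};

/* Userspace model of the kernel's fortified strnlen: scan at most
 * min(maxlen, bufsize) bytes. If the scan reaches the end of the buffer
 * without a terminator and maxlen is larger than the buffer, the real
 * strnlen would have read one byte past the end; the kernel reports that
 * as "<bufsize+1> byte read of buffer size <bufsize>" and panics. */
static bool fortify_strnlen_overflows(const char *p, size_t bufsize, size_t maxlen)
{
	size_t ret = strnlen(p, maxlen < bufsize ? maxlen : bufsize);
	return bufsize <= ret && maxlen != ret;
}

/* Unsafe pattern: a limit larger than the field (sizeof + 1, as a generic
 * "string" helper might pass) turns a fully populated field into an
 * out-of-bounds read. Returns true when the fortify check would fire. */
static bool build_date_read_overflows(const struct patch_hdr *hdr)
{
	return fortify_strnlen_overflows(hdr->build_date, sizeof(hdr->build_date),
					 sizeof(hdr->build_date) + 1);
}

/* Safe pattern: never treat the fixed-width field as a C string. Copy at
 * most sizeof(field) bytes into a caller-supplied buffer and terminate it. */
static const char *build_date_str(const struct patch_hdr *hdr, char *out, size_t outsz)
{
	size_t n = strnlen(hdr->build_date, sizeof(hdr->build_date));
	if (n >= outsz)
		n = outsz - 1;
	memcpy(out, hdr->build_date, n);
	out[n] = '\0';
	return out;
}

int main(void)
{
	/* Constructed header with all 16 bytes of build_date used (no NUL). */
	struct patch_hdr hdr = { .hw_sw_ver = 0x8a10, .build_date = "20251227_123456a" };
	char buf[sizeof(hdr.build_date) + 1];

	printf("fortify strnlen would fire: %d\n", build_date_read_overflows(&hdr));
	printf("HW/SW Version: 0x%x, Build Time: %s\n", hdr.hw_sw_ver,
	       build_date_str(&hdr, buf, sizeof(buf)));
	return 0;
}
```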
