array index out of bounds in brcmfmac driver

Bug #2037059 reported by Dave Jones
Affects: linux-raspi (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned

Bug Description

Activating wifi on the current Mantic Beta images, on a Raspberry Pi 4B with 4GB or 8GB of RAM (the only two I've tested thus far) causes the following to show up in dmesg:

[ 10.384021] ================================================================================
[ 10.393418] UBSAN: array-index-out-of-bounds in /build/linux-raspi-dZDMS4/linux-raspi-6.5.0/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1126:27
[ 10.408653] index 1 is out of range for type '__le16 [1]'
[ 10.414856] CPU: 2 PID: 581 Comm: wpa_supplicant Tainted: G C E 6.5.0-1002-raspi #2-Ubuntu
[ 10.414876] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
[ 10.414881] Call trace:
[ 10.414884] dump_backtrace+0x9c/0x128
[ 10.414897] show_stack+0x20/0x38
[ 10.414903] dump_stack_lvl+0xbc/0x120
[ 10.414911] dump_stack+0x18/0x28
[ 10.414916] __ubsan_handle_out_of_bounds+0xac/0xe8
[ 10.414922] brcmf_escan_prep+0x31c/0x338 [brcmfmac]
[ 10.415003] brcmf_run_escan+0xac/0x1c8 [brcmfmac]
[ 10.415050] brcmf_do_escan+0x90/0x100 [brcmfmac]
[ 10.415096] brcmf_cfg80211_scan+0x108/0x2b0 [brcmfmac]
[ 10.415142] rdev_scan+0x38/0x158 [cfg80211]
[ 10.415348] cfg80211_scan+0x134/0x178 [cfg80211]
[ 10.415453] nl80211_trigger_scan+0x438/0x9d8 [cfg80211]
[ 10.415557] genl_family_rcv_msg_doit.isra.0+0xc0/0x130
[ 10.415568] genl_family_rcv_msg+0x1c8/0x240
[ 10.415574] genl_rcv_msg+0x64/0xe8
[ 10.415580] netlink_rcv_skb+0x64/0x138
[ 10.415586] genl_rcv+0x40/0x60
[ 10.415592] netlink_unicast+0x2f0/0x350
[ 10.415598] netlink_sendmsg+0x26c/0x490
[ 10.415603] sock_sendmsg+0x64/0xc0
[ 10.415610] ____sys_sendmsg+0x260/0x318
[ 10.415615] ___sys_sendmsg+0x88/0xf0
[ 10.415621] __sys_sendmsg+0x70/0xd8
[ 10.415626] __arm64_sys_sendmsg+0x2c/0x40
[ 10.415632] invoke_syscall+0x50/0x120
[ 10.415638] el0_svc_common.constprop.0+0x6c/0x140
[ 10.415642] do_el0_svc+0x34/0x50
[ 10.415646] el0_svc+0x30/0xc8
[ 10.415654] el0t_64_sync_handler+0x120/0x130
[ 10.415659] el0t_64_sync+0x1a8/0x1b0
[ 10.415668] ================================================================================

However, the wifi still works afterward, so it's not entirely fatal!
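
As an added illustration that is not code from this page, from the brcmfmac driver, or from the fix Juerg refers to: a simplified userspace model of why a UBSAN report of the shape "index 1 is out of range for type '__le16 [1]'" fires, and what removes this class of report in general (a trailing one-element array replaced by a C99 flexible array member, with the allocation sized the way the kernel's struct_size() does it). The struct and function names, the __le16 stand-in typedef and the channel values are assumptions for the example, not the driver's own definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
typedef uint16_t __le16; /* host-endian stand-in for the kernel type (assumption) */

/* Simplified, assumed form of the layout the report points at: a trailing
 * one-element array used as an open-ended list. UBSAN takes the declared
 * length literally, so writing channel_list[1] is "out of range for '__le16 [1]'". */
struct scan_params_old {
    __le16 channel_num;
    __le16 channel_list[1];
};

/* The general remedy for this class of report: a C99 flexible array member,
 * whose length is not part of the type, so the same fill loop is not flagged. */
struct scan_params_new {
    __le16 channel_num;
    __le16 channel_list[];
};

/* What the sanitizer checks on the old layout: is index n-1 inside the
 * declared one-element array? True only for n <= 1. */
int old_layout_fits(size_t n)
{
    return n <= sizeof(((struct scan_params_old *)0)->channel_list) / sizeof(__le16);
}

/* Like the kernel's struct_size(): header plus n elements; 0 if it would wrap. */
size_t scan_params_size(size_t n)
{
    size_t hdr = offsetof(struct scan_params_new, channel_list);
    return n > (SIZE_MAX - hdr) / sizeof(__le16) ? 0 : hdr + n * sizeof(__le16);
}

/* Build a request for n channels with the fixed layout; NULL if n does not
 * fit channel_num, the size would wrap, or the allocation fails. */
struct scan_params_new *build_scan(const __le16 *chans, size_t n)
{
    size_t sz = scan_params_size(n);
    if (n > UINT16_MAX || sz == 0)
        return NULL;
    struct scan_params_new *p = calloc(1, sz);
    if (!p)
        return NULL;
    p->channel_num = (__le16)n;
    for (size_t i = 0; i < n; i++)
        p->channel_list[i] = chans[i]; /* in bounds for a flexible array */
    return p;
}
```

Running the same fill loop over scan_params_old with two or more channels under -fsanitize=bounds reproduces the userspace twin of the dmesg report above; with the flexible array member the loop is silent.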

Tags: iso-testing
Dave Jones (waveform) wrote :

Also occurs on the 3B+ (which isn't terribly surprising given it shares the same wifi chipset as the 4B).

Dave Jones (waveform) wrote :

Something very similar on the Pi 2 Zero W as well, which is interesting as it has a different wifi chipset to the 3B+ and the 4B:

[ 18.959819] ================================================================================
[ 18.968950] UBSAN: array-index-out-of-bounds in /build/linux-raspi-dZDMS4/linux-raspi-6.5.0/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1126:27
[ 18.983850] index 1 is out of range for type '__le16 [1]'
[ 18.989615] CPU: 1 PID: 519 Comm: wpa_supplicant Tainted: G C E 6.5.0-1002-raspi #2-Ubuntu
[ 18.989647] Hardware name: Raspberry Pi Zero 2 W Rev 1.0 (DT)
[ 18.989655] Call trace:
[ 18.989661] dump_backtrace+0x9c/0x128
[ 18.989686] show_stack+0x20/0x38
[ 18.989698] dump_stack_lvl+0xbc/0x120
[ 18.989715] dump_stack+0x18/0x28
[ 18.989727] __ubsan_handle_out_of_bounds+0xac/0xe8
[ 18.989743] brcmf_escan_prep+0x31c/0x338 [brcmfmac]
[ 18.989923] brcmf_run_escan+0xac/0x1c8 [brcmfmac]
[ 18.990052] brcmf_do_escan+0x90/0x100 [brcmfmac]
[ 18.990176] brcmf_cfg80211_scan+0x108/0x2b0 [brcmfmac]
[ 18.990299] rdev_scan+0x38/0x158 [cfg80211]
[ 18.990922] cfg80211_scan+0x134/0x178 [cfg80211]
[ 18.991412] nl80211_trigger_scan+0x438/0x9d8 [cfg80211]
[ 18.991839] genl_family_rcv_msg_doit.isra.0+0xc0/0x130
[ 18.991867] genl_family_rcv_msg+0x1c8/0x240
[ 18.991884] genl_rcv_msg+0x64/0xe8
[ 18.991898] netlink_rcv_skb+0x64/0x138
[ 18.991913] genl_rcv+0x40/0x60
[ 18.991928] netlink_unicast+0x2f0/0x350
[ 18.991942] netlink_sendmsg+0x26c/0x490
[ 18.991957] sock_sendmsg+0x64/0xc0
[ 18.991971] ____sys_sendmsg+0x260/0x318
[ 18.991981] ___sys_sendmsg+0x88/0xf0
[ 18.991994] __sys_sendmsg+0x70/0xd8
[ 18.992007] __arm64_sys_sendmsg+0x2c/0x40
[ 18.992020] invoke_syscall+0x50/0x120
[ 18.992034] el0_svc_common.constprop.0+0x6c/0x140
[ 18.992044] do_el0_svc+0x34/0x50
[ 18.992054] el0_svc+0x30/0xc8
[ 18.992068] el0t_64_sync_handler+0x120/0x130
[ 18.992081] el0t_64_sync+0x1a8/0x1b0
[ 18.992590] ================================================================================

Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
https://iso.qa.ubuntu.com/qatracker/reports/bugs/2037059

tags: added: iso-testing
Juerg Haefliger (juergh) wrote :

Yes, a known issue. It is fixed and will show up in the next kernel.

Dave Jones (waveform) wrote :

Excellent! Thanks :)

Dave Jones (waveform)
Changed in linux-raspi (Ubuntu):
status: New → Fix Released