[SRU] UBSAN warnings in bnx2x kernel driver

Bug #2074215 reported by Ghadi Rahme
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Status tracked in Oracular
Focal
Fix Released
High
Ghadi Rahme
Jammy
Fix Released
High
Ghadi Rahme
Noble
Fix Committed
High
Ghadi Rahme
Oracular
Fix Released
High
Ghadi Rahme

Bug Description

[impact]

Currently in the bnx2x kernel driver there are reads/writes that occur out of bounds that have the possibility to cause kernel crashes. No meaningful impact has been observed yet other than UBSAN stack traces.
I have posted a patch upstream to resolve this issue (134061163ee5 bnx2x: Fix multiple UBSAN array-index-out-of-bounds) and it has been accepted and merged. Although these traces appear only on linux version 6.5 and up, this bug also affects kernels 6.x and 5.x as well but no UBSAN warnings will be printed on these kernels since they were not enforced in these kernels.

[Test Plan]

There are multiple ways to reproduce the issue. But the most hands free way to reproduce it would be to utilize a Qlogic NIC that makes use of the E2 controller on a system with more than 32 cores. Below are both ways this can be reproduced. Please note that both will require a NIC that makes use of the bnx2x driver.

* Normal Reproduction:

1. start a machine running kernel 6.5 or higher with a a number of cores above 32. Please note that these need to be physical cores not threads. The machine also needs to be using a NIC that utilizes an E2 controller.
2. In dmesg the following UBSAN warnings can be seen:

UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
index 20 is out of range for type 'stats_query_entry [19]'
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
      #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
        BIOS P89 10/21/2019
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xa0
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xcb/0x110
 bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x]
 bnx2x_stats_init+0x156/0x320 [bnx2x]
 bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
 bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
 bnx2x_open+0x16b/0x290 [bnx2x]
 __dev_open+0x10e/0x1d0
RIP: 0033:0x736223927a0a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
      64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00
      f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
</TASK>
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
index 28 is out of range for type 'stats_query_entry [19]'
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
      #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
        BIOS P89 10/21/2019
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xcb/0x110
bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]
bnx2x_stats_init+0x156/0x320 [bnx2x]
bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
bnx2x_open+0x16b/0x290 [bnx2x]
__dev_open+0x10e/0x1d0
RIP: 0033:0x736223927a0a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
      64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00
      f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
 </TASK>
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in
       drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
index 29 is out of range for type 'stats_query_entry [19]'
CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic
      #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
        BIOS P89 10/21/2019
Workqueue: bnx2x bnx2x_sp_task [bnx2x]
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xa0
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xcb/0x110
 bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x]
 bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x]
 ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x]
 bnx2x_stats_start+0x44/0x70 [bnx2x]
 bnx2x_stats_handle+0x149/0x350 [bnx2x]
 bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x]
 bnx2x_sp_task+0x491/0x5c0 [bnx2x]
 process_one_work+0x18d/0x3f0
 </TASK>
---[ end trace ]---

* Forced reproducer:

1. Make sure you have a machine running kernel 6.5 and higher with any NIC that makes use of the bnx2x driver (No need for a NIC that utilizes the E2 controller). Also the number of cores the machine has is not important.

2. once the machine is booted unload the bnx2x module from the kernel:
$ sudo modprobe -r bnx2x

3. then load back the driver but while specifying the number of ethernet queues to a value above 16:
$ sudo modprobe bnx2x num_queues=20

4. The same stack traces shown above will show up in dmesg.

[Fix]

The fix already upstream and provided by:

* 134061163ee5 bnx2x: Fix multiple UBSAN array-index-out-of-bounds

[where problems could occur]

* Since the patch increases the firmware stats array size, the driver will utilize slightly more memory, however this is still an insignificant amount.

* Since no logic change has been done to the driver the regression risk is minimal

[workaround]

As stated earlier I have already written a patch to solve the issue, but in the meantime one way to avoid this problem would be to unload the driver and then load it back with a value for num_queues below 16:
$ sudo modprobe bnx2x num_queues=15

Changed in linux (Ubuntu):
importance: Undecided → High
assignee: nobody → Ghadi Rahme (ghadi-rahme)
description: updated
description: updated
AaronMa (mapengyu)
summary: - UBSAN warnings in bnx2x kernel driver
+ [SRU] UBSAN warnings in bnx2x kernel driver
Stefan Bader (smb)
Changed in linux (Ubuntu Oracular):
status: New → Triaged
Changed in linux (Ubuntu Noble):
status: New → Triaged
Changed in linux (Ubuntu Jammy):
status: New → Triaged
Changed in linux (Ubuntu Focal):
status: New → Triaged
Changed in linux (Ubuntu Noble):
importance: Undecided → High
Changed in linux (Ubuntu Jammy):
importance: Undecided → High
Changed in linux (Ubuntu Focal):
importance: Undecided → High
Stefan Bader (smb)
Changed in linux (Ubuntu Focal):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Jammy):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Oracular):
status: Triaged → Fix Released
Changed in linux (Ubuntu Noble):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Focal):
assignee: nobody → Ghadi Rahme (ghadi-rahme)
Changed in linux (Ubuntu Jammy):
assignee: nobody → Ghadi Rahme (ghadi-rahme)
Changed in linux (Ubuntu Noble):
assignee: nobody → Ghadi Rahme (ghadi-rahme)
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-120.130 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-195.215 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux' to 'verification-done-focal-linux'. If the problem still exists, change the tag 'verification-needed-focal-linux' to 'verification-failed-focal-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-v2 verification-needed-focal-linux
Revision history for this message
Ghadi Rahme (ghadi-rahme) wrote :
Download full text (5.7 KiB)

verification for focal:
$ nproc: 24

Current machine settings before using -proposed:

1. $uname -r: 5.4.0-192-generic

2. sudo dmesg | grep bnx2x :

[ 5.636662] bnx2x: QLogic 5771x/578xx 10/20-Gigabit Ethernet Driver bnx2x 1.713.36-0 (2014/02/10)
[ 5.735751] bnx2x 0000:04:00.0: msix capability found
[ 5.750740] bnx2x 0000:04:00.0: part number 0-0-0-0
[ 6.135089] bnx2x 0000:04:00.0: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 6.160661] bnx2x 0000:04:00.1: msix capability found
[ 6.199296] bnx2x 0000:04:00.1: part number 0-0-0-0
[ 6.872498] bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 7.002297] bnx2x 0000:04:00.1 eno50: renamed from eth0
[ 7.045651] bnx2x 0000:04:00.0 eno49: renamed from eth3

3. We can see that there are two interfaces on this machine utilizing the bnx2x driver. As noted in the description increasing the num_queue variable value will not result in any UBSAN warnings since 5.4 has them disabled:
$ sudo modprobe -r bnx2x # remove the driver
$ sudo modprobe bnx2x num_queues=20 # reload the driver while exceeding the 15 queue size limit
$ sudo dmesg | grep bnx2x
...<cut output>...
[ 1916.385403] bnx2x: QLogic 5771x/578xx 10/20-Gigabit Ethernet Driver bnx2x 1.713.36-0 (2014/02/10)
[ 1916.385657] bnx2x 0000:04:00.0: msix capability found
[ 1916.405826] bnx2x 0000:04:00.0: part number 0-0-0-0
[ 1916.571785] bnx2x 0000:04:00.0: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 1916.571889] bnx2x 0000:04:00.1: msix capability found
[ 1916.576504] bnx2x 0000:04:00.0 eno49: renamed from eth0
[ 1916.589777] bnx2x 0000:04:00.1: part number 0-0-0-0
[ 1917.291516] bnx2x 0000:04:00.0 eno49: using MSI-X IRQs: sp 67 fp[0] 69 ... fp[19] 118
[ 1918.062391] bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 1918.064708] bnx2x 0000:04:00.1 eno50: renamed from eth0
[ 1918.711960] bnx2x 0000:04:00.1 eno50: using MSI-X IRQs: sp 119 fp[0] 121 ... fp[19] 140
[ 1925.737490] bnx2x 0000:04:00.0 eno49: NIC Link is Up, 10000 Mbps full duplex, Flow control: none
[ 1926.017458] bnx2x 0000:04:00.1 eno50: NIC Link is Up, 10000 Mbps full duplex, Flow control: none

$ sudo dmesg | grep UBSAN
<no result>
4. We know that the machine is accessing data out of bounds but the kernel is not reporting it. Let's upgrade to -proposed and see if the machine remains stable.

After upgrading to -proposed:

1. $uname -r: 5.4.0-195-generic

2. sudo dmesg | grep bnx2x :

[ 5.506585] bnx2x: QLogic 5771x/578xx 10/20-Gigabit Ethernet Driver bnx2x 1.713.36-0 (2014/02/10)
[ 5.558991] bnx2x 0000:04:00.0: msix capability found
[ 5.574191] bnx2x 0000:04:00.0: part number 0-0-0-0
[ 5.987916] bnx2x 0000:04:00.0: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 6.009746] bnx2x 0000:04:00.1: msix capability found
[ 6.056350] bnx2x 0000:04:00.1: part number 0-0-0-0
[ 6.751651] bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 6.885873] bnx2x 0000:04:00.0 eno49: renamed from eth2
[ 6.929575] bnx2x 0000:04:00.1 eno50: renamed from eth0
[ 19.510740] bnx2x 0000:04:00.1 eno50: using MSI-X ...

Read more...

tags: added: verification-done-focal-linux
removed: verification-needed-focal-linux
Revision history for this message
Ghadi Rahme (ghadi-rahme) wrote :
Download full text (5.2 KiB)

verification Jammy:
nproc: 24

Before using -proposed:
1. $ uname -r: 5.15.0-118-generic
2. $ sudo dmesg | grep bnx2x:

[ 2.656536] bnx2x 0000:04:00.0: msix capability found
[ 2.669166] bnx2x 0000:04:00.0: part number 0-0-0-0
[ 3.133782] bnx2x 0000:04:00.0: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 3.201230] bnx2x 0000:04:00.1: msix capability found
[ 3.201815] bnx2x 0000:04:00.1: part number 0-0-0-0
[ 3.402127] bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 3.407664] bnx2x 0000:04:00.0 eno49: renamed from eth0
[ 3.492325] bnx2x 0000:04:00.1 eno50: renamed from eth1
[ 56.145698] bnx2x 0000:04:00.1 eno50: using MSI-X IRQs: sp 78 fp[0] 80 ... fp[7] 87
[ 57.381769] bnx2x 0000:04:00.0 eno49: using MSI-X IRQs: sp 68 fp[0] 70 ... fp[7] 77
[ 64.772106] bnx2x 0000:04:00.0 eno49: NIC Link is Up, 10000 Mbps full duplex, Flow control: none
[ 65.732116] bnx2x 0000:04:00.1 eno50: NIC Link is Up, 10000 Mbps full duplex, Flow control: none

3. We can see that there are two interfaces on this machine utilizing the bnx2x driver. As noted in the description increasing the num_queue variable value will not result in any UBSAN warnings since 5.15 has them disabled:

$ sudo modprobe -r bnx2x
$ sudo modprobe bnx2x num_queues=20
$ sduo dmesg | grep bnx2x
...<cut output>...
[ 621.562054] bnx2x 0000:04:00.0: msix capability found
[ 621.581949] bnx2x 0000:04:00.0: part number 0-0-0-0
[ 621.754136] bnx2x 0000:04:00.0: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 621.754254] bnx2x 0000:04:00.1: msix capability found
[ 621.758926] bnx2x 0000:04:00.0 eno49: renamed from eth0
[ 621.773993] bnx2x 0000:04:00.1: part number 0-0-0-0
[ 622.513115] bnx2x 0000:04:00.0 eno49: using MSI-X IRQs: sp 68 fp[0] 70 ... fp[19] 119
[ 623.282738] bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 623.284540] bnx2x 0000:04:00.1 eno50: renamed from eth0

$ sudo dmesg | grep UBSAN
<no result>

4. We know that the machine is accessing data out of bounds but the kernel is not reporting it. Let's upgrade to -proposed and see if the machine remains stable.

After upgrading to -proposed:

1. $ uname -r: 5.15.0-120-generic

2. sudo dmesg | grep bnx2x

[ 4.303867] bnx2x 0000:04:00.0: msix capability found
[ 4.317050] bnx2x 0000:04:00.0: part number 0-0-0-0
[ 4.883254] bnx2x 0000:04:00.0: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 4.951123] bnx2x 0000:04:00.1: msix capability found
[ 4.951779] bnx2x 0000:04:00.1: part number 0-0-0-0
[ 5.200782] bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
[ 5.206714] bnx2x 0000:04:00.0 eno49: renamed from eth0
[ 5.293926] bnx2x 0000:04:00.1 eno50: renamed from eth1
[ 19.194753] bnx2x 0000:04:00.1 eno50: using MSI-X IRQs: sp 78 fp[0] 80 ... fp[7] 87
[ 20.430462] bnx2x 0000:04:00.0 eno49: using MSI-X IRQs: sp 68 fp[0] 70 ... fp[7] 77
[ 27.457468] bnx2x 0000:04:00.1 eno50: NIC Link is Up, 10000 Mbps full duplex, Flow control: none
[ 27.637478] bnx2x 0000:04:00.0 eno49: NIC Link is Up, 10000 Mbps full duplex, Flow control: none
...

Read more...

tags: added: verification-done-jammy-linux
removed: verification-needed-jammy-linux
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra/5.15.0-1028.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-done-jammy-linux-nvidia-tegra'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra' to 'verification-failed-jammy-linux-nvidia-tegra'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra-v2 verification-needed-jammy-linux-nvidia-tegra
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra-igx/5.15.0-1016.16 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-done-jammy-linux-nvidia-tegra-igx'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-tegra-igx' to 'verification-failed-jammy-linux-nvidia-tegra-igx'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra-igx-v2 verification-needed-jammy-linux-nvidia-tegra-igx
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-6.8/6.8.0-44.44~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-hwe-6.8' to 'verification-done-jammy-linux-hwe-6.8'. If the problem still exists, change the tag 'verification-needed-jammy-linux-hwe-6.8' to 'verification-failed-jammy-linux-hwe-6.8'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-hwe-6.8-v2 verification-needed-jammy-linux-hwe-6.8
Revision history for this message
Ghadi Rahme (ghadi-rahme) wrote (last edit ):

After internal discussions it was decided to set the status of jammy-HWE to verification done due to the inability to access the hardware

tags: added: verification-done-jammy-linux-hwe-6.8
removed: verification-needed-jammy-linux-hwe-6.8
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (17.6 KiB)

This bug was fixed in the package linux - 5.4.0-195.215

---------------
linux (5.4.0-195.215) focal; urgency=medium

  * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)

  * Focal update: v5.4.280 upstream stable release (LP: #2075175)
    - Compiler Attributes: Add __uninitialized macro
    - drm/lima: fix shared irq handling on driver remove
    - media: dvb: as102-fe: Fix as10x_register_addr packing
    - media: dvb-usb: dib0700_devices: Add missing release_firmware()
    - IB/core: Implement a limit on UMAD receive List
    - scsi: qedf: Make qedf_execute_tmf() non-preemptible
    - drm/amdgpu: Initialize timestamp for some legacy SOCs
    - drm/amd/display: Skip finding free audio for unknown engine_id
    - media: dw2102: Don't translate i2c read into write
    - sctp: prefer struct_size over open coded arithmetic
    - firmware: dmi: Stop decoding on broken entry
    - Input: ff-core - prefer struct_size over open coded arithmetic
    - net: dsa: mv88e6xxx: Correct check for empty list
    - media: dvb-frontends: tda18271c2dd: Remove casting during div
    - media: s2255: Use refcount_t instead of atomic_t for num_channels
    - media: dvb-frontends: tda10048: Fix integer overflow
    - i2c: i801: Annotate apanel_addr as __ro_after_init
    - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n
    - orangefs: fix out-of-bounds fsid access
    - powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
    - jffs2: Fix potential illegal address access in jffs2_free_inode
    - s390/pkey: Wipe sensitive data on failure
    - tcp: tcp_mark_head_lost is only valid for sack-tcp
    - tcp: add ece_ack flag to reno sack functions
    - net: tcp better handling of reordering then loss cases
    - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
    - tcp_metrics: validate source addr length
    - wifi: wilc1000: fix ies_len type in connect path
    - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
    - selftests: fix OOM in msg_zerocopy selftest
    - selftests: make order checking verbose in msg_zerocopy selftest
    - inet_diag: Initialize pad field in struct inet_diag_req_v2
    - nilfs2: fix inode number range checks
    - nilfs2: add missing check for inode numbers on directory entries
    - mm: optimize the redundant loop of mm_update_owner_next()
    - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct
    - fsnotify: Do not generate events for O_PATH file descriptors
    - Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),
      again"
    - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes
    - drm/amdgpu/atomfirmware: silence UBSAN warning
    - media: dw2102: fix a potential buffer overflow
    - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
    - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897
    - nvme-multipath: find NUMA path only for online numa-node
    - nilfs2: fix incorrect inode allocation from reserved inodes
    - filelock: fix potential use-after-free in posix_lock_inode
    - fs/dcache: Re-use value stored to dentry->d_f...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-raspi/5.4.0-1116.128 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-raspi' to 'verification-done-focal-linux-raspi'. If the problem still exists, change the tag 'verification-needed-focal-linux-raspi' to 'verification-failed-focal-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-raspi-v2 verification-needed-focal-linux-raspi
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-xilinx-zynqmp/5.4.0-1051.55 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-xilinx-zynqmp' to 'verification-done-focal-linux-xilinx-zynqmp'. If the problem still exists, change the tag 'verification-needed-focal-linux-xilinx-zynqmp' to 'verification-failed-focal-linux-xilinx-zynqmp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-xilinx-zynqmp-v2 verification-needed-focal-linux-xilinx-zynqmp
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-5.4/5.4.0-195.215~18.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic-linux-hwe-5.4' to 'verification-done-bionic-linux-hwe-5.4'. If the problem still exists, change the tag 'verification-needed-bionic-linux-hwe-5.4' to 'verification-failed-bionic-linux-hwe-5.4'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-bionic-linux-hwe-5.4-v2 verification-needed-bionic-linux-hwe-5.4
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (55.9 KiB)

This bug was fixed in the package linux - 5.15.0-121.131

---------------
linux (5.15.0-121.131) jammy; urgency=medium

  * jammy/linux: 5.15.0-121.131 -proposed tracker (LP: #2076347)

  * jammy:linux bpf selftest do not build (LP: #2076334)
    - SAUCE: Revert "bpf: Allow reads from uninit stack"

linux (5.15.0-120.130) jammy; urgency=medium

  * jammy/linux: 5.15.0-120.130 -proposed tracker (LP: #2075903)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/2024.08.05)

  * Jammy update: v5.15.163 upstream stable release (LP: #2075170)
    - Compiler Attributes: Add __uninitialized macro
    - locking/mutex: Introduce devm_mutex_init()
    - drm/lima: fix shared irq handling on driver remove
    - media: dvb: as102-fe: Fix as10x_register_addr packing
    - media: dvb-usb: dib0700_devices: Add missing release_firmware()
    - IB/core: Implement a limit on UMAD receive List
    - scsi: qedf: Make qedf_execute_tmf() non-preemptible
    - crypto: aead,cipher - zeroize key buffer after use
    - drm/amdgpu: Initialize timestamp for some legacy SOCs
    - drm/amd/display: Check index msg_id before read or write
    - drm/amd/display: Check pipe offset before setting vblank
    - drm/amd/display: Skip finding free audio for unknown engine_id
    - media: dw2102: Don't translate i2c read into write
    - sctp: prefer struct_size over open coded arithmetic
    - firmware: dmi: Stop decoding on broken entry
    - Input: ff-core - prefer struct_size over open coded arithmetic
    - wifi: mt76: replace skb_put with skb_put_zero
    - net: dsa: mv88e6xxx: Correct check for empty list
    - media: dvb-frontends: tda18271c2dd: Remove casting during div
    - media: s2255: Use refcount_t instead of atomic_t for num_channels
    - media: dvb-frontends: tda10048: Fix integer overflow
    - i2c: i801: Annotate apanel_addr as __ro_after_init
    - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n
    - orangefs: fix out-of-bounds fsid access
    - kunit: Fix timeout message
    - powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
    - igc: fix a log entry using uninitialized netdev
    - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD
    - jffs2: Fix potential illegal address access in jffs2_free_inode
    - s390/pkey: Wipe sensitive data on failure
    - tools/power turbostat: Remember global max_die_id
    - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
    - tcp_metrics: validate source addr length
    - KVM: s390: fix LPSWEY handling
    - e1000e: Fix S0ix residency on corporate systems
    - net: allow skb_datagram_iter to be called from any context
    - wifi: wilc1000: fix ies_len type in connect path
    - riscv: kexec: Avoid deadlock in kexec crash path
    - netfilter: nf_tables: unconditionally flush pending work before notifier
    - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
    - selftests: fix OOM in msg_zerocopy selftest
    - selftests: make order checking verbose in msg_zerocopy selftest
    - inet_diag: Initialize pad field in struct inet_diag_req_v2
    - gpiolib: of: factor...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.