Bug #1958770 “Aquantia GbE LAN driver causes UBSAN error during ...” : Bugs : linux package : Ubuntu

Revision history for this message

bsdz (blairuk) wrote on 2022-01-23:

#1

AlsaInfo.txt Edit (68.0 KiB, text/plain; charset="utf-8")
AudioDevicesInUse.txt Edit (308 bytes, text/plain; charset="utf-8")
CRDA.txt Edit (2.9 KiB, text/plain; charset="utf-8")
CurrentDmesg.txt Edit (128.8 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (2.8 KiB, text/plain; charset="utf-8")
IwConfig.txt Edit (719 bytes, text/plain; charset="utf-8")
Lspci.txt Edit (41.2 KiB, text/plain; charset="utf-8")
Lspci-vt.txt Edit (6.1 KiB, text/plain; charset="utf-8")
Lsusb.txt Edit (1.2 KiB, text/plain; charset="utf-8")
Lsusb-t.txt Edit (1.4 KiB, text/plain; charset="utf-8")
Lsusb-v.txt Edit (39.8 KiB, text/plain; charset="utf-8")
PaInfo.txt Edit (117.7 KiB, text/plain; charset="utf-8")
ProcCpuinfo.txt Edit (33.4 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.4 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (137 bytes, text/plain; charset="utf-8")
ProcInterrupts.txt Edit (37.3 KiB, text/plain; charset="utf-8")
ProcModules.txt Edit (9.3 KiB, text/plain; charset="utf-8")
PulseList.txt Edit (26.7 KiB, text/plain; charset="utf-8")
RfKill.txt Edit (112 bytes, text/plain; charset="utf-8")
UdevDb.txt Edit (409.2 KiB, text/plain; charset="utf-8")
WifiSyslog.txt Edit (170.7 KiB, text/plain; charset="utf-8")
acpidump.txt Edit (660.1 KiB, text/plain; charset="utf-8")

Revision history for this message

Sigmund Ørjavik (lurulf) wrote on 2022-01-27:

#2

Same in my system:
[ 294.432996] UBSAN: array-index-out-of-bounds in /build/linux-Qow4fL/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:484:48
[ 294.433695] index 8 is out of range for type 'aq_vec_s *[8]'
[ 294.434372] CPU: 5 PID: 1341 Comm: systemd-network Tainted: P O 5.15.0-17-generic #17-Ubuntu
[ 294.434374] Hardware name: System manufacturer System Product Name/Z170-PRO, BIOS 3801 03/14/2018
[ 294.434374] Call Trace:
[ 294.434376] <TASK>
[ 294.434377] show_stack+0x52/0x58
[ 294.434380] dump_stack_lvl+0x4a/0x5f
[ 294.434383] dump_stack+0x10/0x12
[ 294.434384] ubsan_epilogue+0x9/0x45
[ 294.434385] __ubsan_handle_out_of_bounds.cold+0x44/0x49
[ 294.434386] ? aq_nic_get_link_ksettings+0x58/0x380 [atlantic]
[ 294.434393] ? aq_vec_start+0x94/0xb0 [atlantic]
[ 294.434398] aq_nic_start+0x3af/0x3d0 [atlantic]
[ 294.434402] aq_ndev_open+0x49/0x70 [atlantic]
[ 294.434405] __dev_open+0xf3/0x1c0
[ 294.434408] __dev_change_flags+0x1a3/0x220
[ 294.434410] dev_change_flags+0x26/0x60
[ 294.434411] do_setlink+0x28a/0xc50
[ 294.434414] ? __nla_validate_parse+0x4c/0x1a0
[ 294.434416] rtnl_setlink+0xf6/0x170
[ 294.434419] rtnetlink_rcv_msg+0x15d/0x400
[ 294.434421] ? rtnl_calcit.isra.0+0x130/0x130
[ 294.434422] netlink_rcv_skb+0x55/0x100
[ 294.434424] rtnetlink_rcv+0x15/0x20
[ 294.434426] netlink_unicast+0x21d/0x330
[ 294.434427] netlink_sendmsg+0x24c/0x4c0
[ 294.434428] sock_sendmsg+0x65/0x70
[ 294.434430] __sys_sendto+0x113/0x190
[ 294.434433] __x64_sys_sendto+0x24/0x30
[ 294.434435] do_syscall_64+0x5c/0xc0
[ 294.434437] ? syscall_exit_to_user_mode+0x27/0x50
[ 294.434439] ? do_syscall_64+0x69/0xc0
[ 294.434440] ? __secure_computing+0x42/0xe0
[ 294.434442] ? syscall_trace_enter.constprop.0+0xa3/0x1c0
[ 294.434444] ? exit_to_user_mode_prepare+0x37/0xb0
[ 294.434446] ? syscall_exit_to_user_mode+0x27/0x50
[ 294.434447] ? __do_sys_gettid+0x1b/0x20
[ 294.434449] ? do_syscall_64+0x69/0xc0
[ 294.434450] ? do_syscall_64+0x69/0xc0
[ 294.434451] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 294.434453] RIP: 0033:0x7feeaf99146a
[ 294.434455] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[ 294.434456] RSP: 002b:00007ffc9cf72cf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 294.434458] RAX: ffffffffffffffda RBX: 000055afe2a315e8 RCX: 00007feeaf99146a
[ 294.434458] RDX: 0000000000000020 RSI: 000055afe2a30290 RDI: 0000000000000003
[ 294.434459] RBP: 000055afe2a11900 R08: 00007ffc9cf72d00 R09: 0000000000000080
[ 294.434460] R10: 0000000000000000 R11: 0000000000000246 R12: 000055afe2a32bf0
[ 294.434461] R13: 000000000000053d R14: 000055afe2a315a0 R15: 000055afe13b0e40
[ 294.434462] </TASK>

Same in my system:
[  294.432996] UBSAN: array-index-out-of-bounds in /build/linux-Qow4fL/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:484:48
[  294.433695] index 8 is out of range for type 'aq_vec_s *[8]'
[  294.434372] CPU: 5 PID: 1341 Comm: systemd-network Tainted: P           O      5.15.0-17-generic #17-Ubuntu
[  294.434374] Hardware name: System manufacturer System Product Name/Z170-PRO, BIOS 3801 03/14/2018
[  294.434374] Call Trace:
[  294.434376]  <TASK>
[  294.434377]  show_stack+0x52/0x58
[  294.434380]  dump_stack_lvl+0x4a/0x5f
[  294.434383]  dump_stack+0x10/0x12
[  294.434384]  ubsan_epilogue+0x9/0x45
[  294.434385]  __ubsan_handle_out_of_bounds.cold+0x44/0x49
[  294.434386]  ? aq_nic_get_link_ksettings+0x58/0x380 [atlantic]
[  294.434393]  ? aq_vec_start+0x94/0xb0 [atlantic]
[  294.434398]  aq_nic_start+0x3af/0x3d0 [atlantic]
[  294.434402]  aq_ndev_open+0x49/0x70 [atlantic]
[  294.434405]  __dev_open+0xf3/0x1c0
[  294.434408]  __dev_change_flags+0x1a3/0x220
[  294.434410]  dev_change_flags+0x26/0x60
[  294.434411]  do_setlink+0x28a/0xc50
[  294.434414]  ? __nla_validate_parse+0x4c/0x1a0
[  294.434416]  rtnl_setlink+0xf6/0x170
[  294.434419]  rtnetlink_rcv_msg+0x15d/0x400
[  294.434421]  ? rtnl_calcit.isra.0+0x130/0x130
[  294.434422]  netlink_rcv_skb+0x55/0x100
[  294.434424]  rtnetlink_rcv+0x15/0x20
[  294.434426]  netlink_unicast+0x21d/0x330
[  294.434427]  netlink_sendmsg+0x24c/0x4c0
[  294.434428]  sock_sendmsg+0x65/0x70
[  294.434430]  __sys_sendto+0x113/0x190
[  294.434433]  __x64_sys_sendto+0x24/0x30
[  294.434435]  do_syscall_64+0x5c/0xc0
[  294.434437]  ? syscall_exit_to_user_mode+0x27/0x50
[  294.434439]  ? do_syscall_64+0x69/0xc0
[  294.434440]  ? __secure_computing+0x42/0xe0
[  294.434442]  ? syscall_trace_enter.constprop.0+0xa3/0x1c0
[  294.434444]  ? exit_to_user_mode_prepare+0x37/0xb0
[  294.434446]  ? syscall_exit_to_user_mode+0x27/0x50
[  294.434447]  ? __do_sys_gettid+0x1b/0x20
[  294.434449]  ? do_syscall_64+0x69/0xc0
[  294.434450]  ? do_syscall_64+0x69/0xc0
[  294.434451]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  294.434453] RIP: 0033:0x7feeaf99146a
[  294.434455] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[  294.434456] RSP: 002b:00007ffc9cf72cf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[  294.434458] RAX: ffffffffffffffda RBX: 000055afe2a315e8 RCX: 00007feeaf99146a
[  294.434458] RDX: 0000000000000020 RSI: 000055afe2a30290 RDI: 0000000000000003
[  294.434459] RBP: 000055afe2a11900 R08: 00007ffc9cf72d00 R09: 0000000000000080
[  294.434460] R10: 0000000000000000 R11: 0000000000000246 R12: 000055afe2a32bf0
[  294.434461] R13: 000000000000053d R14: 000055afe2a315a0 R15: 000055afe13b0e40
[  294.434462]  </TASK>

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-01-27:

#3

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status:	New → Confirmed

Revision history for this message

Sigmund Ørjavik (lurulf) wrote on 2022-01-27:

#4

dmesg.log Edit (121.9 KiB, text/html)

dmesg logfile

Revision history for this message

Sigmund Ørjavik (lurulf) wrote on 2022-01-27:

#5

lspci logfile Edit (101.2 KiB, text/plain)

lspci logfile

Revision history for this message

Sigmund Ørjavik (lurulf) wrote on 2022-01-27:

#6

uname logfile Edit (108 bytes, text/plain)

uname logfile

Revision history for this message

Sigmund Ørjavik (lurulf) wrote on 2022-01-28:

#7

Updated to 5.15.0-18-generic and now the network adapter doesn't work at all.

Revision history for this message

Sigmund Ørjavik (lurulf) wrote on 2022-01-29:

#8

reverted to 5.13.0-28-generic from impish and aqc107 is still broken. is this caused by some updated firmware blob in jammy?

Revision history for this message

bsdz (blairuk) wrote on 2022-01-29:

#9

My system seems to be working now. My dmesg shows the driver as loading:

[ 1.439880] atlantic 0000:07:00.0 enp7s0: renamed from eth0

I had some problems with my distribution upgrade and had to re-run it, ie "apt dist-upgrade" along with other commands.

Revision history for this message

Mario Limonciello (superm1) wrote on 2022-01-31:

#10

Out of bounds still happens to me in 5.15.0-18.18.

Revision history for this message

bsdz (blairuk) wrote on 2022-02-24:

#11

This bug returned on my machine. Not sure why it disappeared & reappeared. Also now on 5.15.0-18-generic.

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-03-02:

#12

Does latest mainline kernel have this issue?

Revision history for this message

Mario Limonciello (superm1) wrote on 2022-03-02:

#13

I checked on 5.17-rc3 most recently and reproduced it. AFAICT this code hasn't changed since 5.16-rc4.

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-03-03:

#14

0001-net-atlantic-Fix-LP-1958770.patch Edit (1.3 KiB, text/plain)

Please give this patch a try, thanks!

Ubuntu Foundations Team Bug Bot (crichton) on 2022-03-03

tags:

added: patch

Revision history for this message

Mario Limonciello (superm1) wrote on 2022-03-03:

#15

@KH:
Yeah that fixes it for me. I applied on top of a 5.15 kernel and would have seen UBSAN error at bootup.

Feel free to added a "Tested-by: Mario Limonciello <email address hidden>" tag for it when you submit up if you don't change it.

Revision history for this message

bsdz (blairuk) wrote on 2022-03-04:

#16

Download full text (5.5 KiB)

This doesn't seem to resolve it for me. It's been a long time since I recompiled kernel modules, these are the steps I took:

# module compile instructions from https://wiki.ubuntu.com/Kernel/SourceCode

$ uname -r
5.15.0-18-generic
$ git clone git://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy linux-jammy
$ cd linux-jammy
$ git checkout Ubuntu-5.15.0-18.18
$ cd drivers/net/ethernet/aquantia/atlantic
# edit Makefile and add fq path to Include:
# ccflags-y += -I$(srctree)/$(src) -I/blahblah/linux-jammy/drivers/net/ethernet/aquantia/atlantic
$ make -C /lib/modules/`uname -r`/build M=$PWD
...
$ sudo modprobe -v -r atlantic
rmmod atlantic
rmmod macsec
$ sudo cp atlantic.ko /lib/modules/5.15.0-18-generic/kernel/drivers/net/ethernet/aquantia/atlantic/
$ sudo modprobe -v atlantic
insmod /lib/modules/5.15.0-18-generic/kernel/drivers/net/macsec.ko
insmod /lib/modules/5.15.0-18-generic/kernel/drivers/net/ethernet/aquantia/atlantic/atlantic.ko
$ sudo dmesg
14218.647296] ================================================================================
[14218.647297] UBSAN: array-index-out-of-bounds in /blahblah/linux-jammy/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:515:49
[14218.647299] index 8 is out of range for type 'aq_vec_s *[8]'
[14218.647300] CPU: 4 PID: 2680 Comm: NetworkManager Tainted: P OE 5.15.0-18-generic #18-Ubuntu
[14218.647301] Hardware name: Gigabyte Technology Co., Ltd. X399 AORUS XTREME/X399 AORUS XTREME-CF, BIOS F5 12/11/2019
[14218.647302] Call Trace:
[14218.647302] <TASK>
[14218.647303] show_stack+0x52/0x58
[14218.647304] dump_stack_lvl+0x4a/0x5f
[14218.647306] dump_stack+0x10/0x12
[14218.647307] ubsan_epilogue+0x9/0x45
[14218.647308] __ubsan_handle_out_of_bounds.cold+0x44/0x49
[14218.647309] ? aq_vec_ring_free+0x80/0x80 [atlantic]
[14218.647316] aq_nic_start+0x3c3/0x3d0 [atlantic]
[14218.647322] aq_ndev_open+0x49/0x70 [atlantic]
[14218.647329] __dev_open+0xf3/0x1c0
[14218.647331] __dev_change_flags+0x1a3/0x220
[14218.647332] ? __nla_validate_parse+0x14b/0x1a0
[14218.647334] dev_change_flags+0x26/0x60
[14218.647335] do_setlink+0x28a/0xc50
[14218.647337] ? inet6_set_link_af+0x4e/0xb0
[14218.647338] ? cpumask_next+0x23/0x30
[14218.647340] ? __nla_validate_parse+0x4c/0x1a0
[14218.647341] ? __snmp6_fill_stats64.constprop.0+0x121/0x150
[14218.647342] __rtnl_newlink+0x608/0xa10
[14218.647344] ? __nla_reserve+0x41/0x50
[14218.647345] ? skb_free_head+0x68/0x80
[14218.647347] ? cpumask_next_and+0x24/0x30
[14218.647348] ? update_sg_lb_stats+0x7c/0x4f0
[14218.647349] ? cpufreq_driver_resolve_freq+0x10/0x20
[14218.647351] ? get_next_freq+0x65/0x90
[14218.647352] ? sugov_get_util+0x77/0xa0
[14218.647353] ? sugov_update_single_freq+0xf1/0x220
[14218.647354] ? sugov_exit+0xb0/0xb0
[14218.647357] ? kmem_cache_alloc_trace+0x19e/0x2e0
[14218.647359] rtnl_newlink+0x49/0x70
[14218.647360] rtnetlink_rcv_msg+0x15d/0x400
[14218.647362] ? rtnl_calcit.isra.0+0x130/0x130
[14218.647363] netlink_rcv_skb+0x55/0x100
[14218.647365] rtnetlink_rcv+0x15/0x20
[14218.647366] netlink_unicast+0x21d/0x330
[14218.647367] netlink_sendmsg+0x24c/0x4c0
[14218.647369] sock_sendmsg+0x65/0x70
[14218.64...

This doesn't seem to resolve it for me. It's been a long time since I recompiled kernel modules, these are the steps I took:

# module compile instructions from https://wiki.ubuntu.com/Kernel/SourceCode

$ uname -r
5.15.0-18-generic
$ git clone git://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy linux-jammy
$ cd linux-jammy
$ git checkout Ubuntu-5.15.0-18.18
$ cd drivers/net/ethernet/aquantia/atlantic
# edit Makefile and add fq path to Include:
# ccflags-y += -I$(srctree)/$(src) -I/blahblah/linux-jammy/drivers/net/ethernet/aquantia/atlantic
$ make -C /lib/modules/`uname -r`/build M=$PWD
...
$ sudo modprobe -v -r atlantic
rmmod atlantic
rmmod macsec
$ sudo cp atlantic.ko /lib/modules/5.15.0-18-generic/kernel/drivers/net/ethernet/aquantia/atlantic/
$ sudo modprobe -v  atlantic
insmod /lib/modules/5.15.0-18-generic/kernel/drivers/net/macsec.ko 
insmod /lib/modules/5.15.0-18-generic/kernel/drivers/net/ethernet/aquantia/atlantic/atlantic.ko 
$ sudo dmesg
14218.647296] ================================================================================
[14218.647297] UBSAN: array-index-out-of-bounds in /blahblah/linux-jammy/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:515:49
[14218.647299] index 8 is out of range for type 'aq_vec_s *[8]'
[14218.647300] CPU: 4 PID: 2680 Comm: NetworkManager Tainted: P           OE     5.15.0-18-generic #18-Ubuntu
[14218.647301] Hardware name: Gigabyte Technology Co., Ltd. X399 AORUS XTREME/X399 AORUS XTREME-CF, BIOS F5 12/11/2019
[14218.647302] Call Trace:
[14218.647302]  <TASK>
[14218.647303]  show_stack+0x52/0x58
[14218.647304]  dump_stack_lvl+0x4a/0x5f
[14218.647306]  dump_stack+0x10/0x12
[14218.647307]  ubsan_epilogue+0x9/0x45
[14218.647308]  __ubsan_handle_out_of_bounds.cold+0x44/0x49
[14218.647309]  ? aq_vec_ring_free+0x80/0x80 [atlantic]
[14218.647316]  aq_nic_start+0x3c3/0x3d0 [atlantic]
[14218.647322]  aq_ndev_open+0x49/0x70 [atlantic]
[14218.647329]  __dev_open+0xf3/0x1c0
[14218.647331]  __dev_change_flags+0x1a3/0x220
[14218.647332]  ? __nla_validate_parse+0x14b/0x1a0
[14218.647334]  dev_change_flags+0x26/0x60
[14218.647335]  do_setlink+0x28a/0xc50
[14218.647337]  ? inet6_set_link_af+0x4e/0xb0
[14218.647338]  ? cpumask_next+0x23/0x30
[14218.647340]  ? __nla_validate_parse+0x4c/0x1a0
[14218.647341]  ? __snmp6_fill_stats64.constprop.0+0x121/0x150
[14218.647342]  __rtnl_newlink+0x608/0xa10
[14218.647344]  ? __nla_reserve+0x41/0x50
[14218.647345]  ? skb_free_head+0x68/0x80
[14218.647347]  ? cpumask_next_and+0x24/0x30
[14218.647348]  ? update_sg_lb_stats+0x7c/0x4f0
[14218.647349]  ? cpufreq_driver_resolve_freq+0x10/0x20
[14218.647351]  ? get_next_freq+0x65/0x90
[14218.647352]  ? sugov_get_util+0x77/0xa0
[14218.647353]  ? sugov_update_single_freq+0xf1/0x220
[14218.647354]  ? sugov_exit+0xb0/0xb0
[14218.647357]  ? kmem_cache_alloc_trace+0x19e/0x2e0
[14218.647359]  rtnl_newlink+0x49/0x70
[14218.647360]  rtnetlink_rcv_msg+0x15d/0x400
[14218.647362]  ? rtnl_calcit.isra.0+0x130/0x130
[14218.647363]  netlink_rcv_skb+0x55/0x100
[14218.647365]  rtnetlink_rcv+0x15/0x20
[14218.647366]  netlink_unicast+0x21d/0x330
[14218.647367]  netlink_sendmsg+0x24c/0x4c0
[14218.647369]  sock_sendmsg+0x65/0x70
[14218.647370]  ____sys_sendmsg+0x24e/0x290
[14218.647372]  ? import_iovec+0x31/0x40
[14218.647374]  ? sendmsg_copy_msghdr+0x7b/0xa0
[14218.647375]  ? rtnl_unlock+0xe/0x10
[14218.647376]  ___sys_sendmsg+0x81/0xc0
[14218.647378]  ? kvfree+0x2a/0x30
[14218.647380]  ? proc_sys_call_handler+0x1c9/0x290
[14218.647381]  ? __fget_files+0xa3/0xd0
[14218.647383]  ? __fget_light+0x32/0x80
[14218.647384]  __sys_sendmsg+0x62/0xb0
[14218.647386]  __x64_sys_sendmsg+0x1d/0x20
[14218.647388]  do_syscall_64+0x5c/0xc0
[14218.647389]  ? exit_to_user_mode_prepare+0x37/0xb0
[14218.647391]  ? syscall_exit_to_user_mode+0x27/0x50
[14218.647392]  ? __do_sys_gettid+0x1b/0x20
[14218.647394]  ? do_syscall_64+0x69/0xc0
[14218.647395]  ? exit_to_user_mode_loop+0x10d/0x160
[14218.647396]  ? exit_to_user_mode_prepare+0x37/0xb0
[14218.647398]  ? syscall_exit_to_user_mode+0x27/0x50
[14218.647399]  ? __do_sys_gettid+0x1b/0x20
[14218.647400]  ? do_syscall_64+0x69/0xc0
[14218.647401]  ? exit_to_user_mode_prepare+0x37/0xb0
[14218.647403]  ? syscall_exit_to_user_mode+0x27/0x50
[14218.647404]  ? __x64_sys_close+0x11/0x40
[14218.647406]  ? do_syscall_64+0x69/0xc0
[14218.647407]  ? __do_sys_gettid+0x1b/0x20
[14218.647408]  ? do_syscall_64+0x69/0xc0
[14218.647409]  ? sysvec_apic_timer_interrupt+0x4e/0x90
[14218.647410]  ? asm_sysvec_apic_timer_interrupt+0xa/0x20
[14218.647412]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[14218.647413] RIP: 0033:0x7efccf117ccd
[14218.647414] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ba 8d f6 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 fe 8d f6 ff 48
[14218.647415] RSP: 002b:00007ffe6ee42d70 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
[14218.647417] RAX: ffffffffffffffda RBX: 00000000000000f5 RCX: 00007efccf117ccd
[14218.647418] RDX: 0000000000000000 RSI: 00007ffe6ee42db0 RDI: 000000000000000c
[14218.647419] RBP: 000055d5609c6040 R08: 0000000000000000 R09: 0000000000000000
[14218.647419] R10: 0000000000000000 R11: 0000000000000293 R12: 00007efcb4005500
[14218.647420] R13: 00007ffe6ee42f00 R14: 0000000000000000 R15: 0000000000000000
[14218.647422]  </TASK>
[14218.647422] ================================================================================

(some steps might be missed, eg I had to play around with module signing too as well as run depmod shell script).

Admittedly, I could be missing something.

Revision history for this message

bsdz (blairuk) wrote on 2022-03-04:

#17

Oh I forgot to add that i also applied the patch before compiling.

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-03-04:

#18

Please try this one:
https://<email address hidden>/

which converts all the usage pattern to a safer form.

Revision history for this message

bsdz (blairuk) wrote on 2022-03-04 (last edit on 2022-03-04):

#19

This new patch doesn't appear to resolve issue either. However, I did get it to work if I extended your technique to aq_nic.c. See following comment with patch.

Then I see the following in my dmesg:

[ 2991.604548] atlantic 0000:07:00.0 enp7s0: renamed from eth0

Revision history for this message

bsdz (blairuk) wrote on 2022-03-04:

#20

aq_nic.patch Edit (1.0 KiB, text/plain)

Patch as file.

Mario Limonciello (superm1) on 2022-04-08

Changed in linux-oem-5.17 (Ubuntu):
status:	New → Confirmed

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-04-25:

#21

dmesg.log Edit (4.7 KiB, text/html)

I'm gonna chime in too. I have applied both patches from #18 and #20 and recompiled the module, however I still get the UBSAN: array-index-out-of-bounds messsage. NIC seems to work though. I am not a programmer, so unfortunately I can't come up with a solution, but I am willing to test.

Kernel: 5.15.0-25-generic
MB: ASRock Fatal1ty X399 Professional Gaming
NIC: Aquantia AQC107

Revision history for this message

bsdz (blairuk) wrote on 2022-04-25:

#22

This might be fixed in a future kernel release. I see the above patches in github (18 days old).

https://github.com/torvalds/linux/commit/8d3a6c37d50d5a0504c126c932cc749e6dd9c78f

I can see aq_vec_stop in your stack trace and I can see the above patch addresses that frame.

That said, are you sure you've successfully loaded the module after patching and compiling? (like in my comment #16 but also including step to patch the files). One thing I did was add a printf statement as well as patch code to be sure (you might need to include stdio.h).

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-04-26:

#23

I'm not 100% sure if I loaded the new module correctly, but I believe that I did. Here are the steps I took to compile the module and load it, which resulted in the output of #21:

git clone git://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy linux-jammy
cd linux-jammy/
uname -r
git checkout Ubuntu-5.15.0-25.25
cd drivers/net/ethernet/aquantia/atlantic
nano Makefile # added PWD to ccflags line
nano aq_vec.c.patch
nano aq_nic.c.patch
patch < aq_vec.c.patch
patch < aq_nic.c.patch
nano aq_vec.c
make -C /lib/modules/`uname -r`/build M=$PWD
sudo modprobe -v -r atlantic
sudo rmmod atlantic
sudo rmmod macsec
sudo cp atlantic.ko /lib/modules/5.15.0-25-generic/kernel/drivers/net/ethernet/aquantia/atlantic/
sudo modprobe -v atlantic
sudo dmesg

I have tried including stdio.h and adding a printf to verify the new module was indeed loaded, but that kept failing with "no such file" errors when trying to compile, even though I have build-essentials installed.

I have tried compiling the module with the files from https://github.com/torvalds/linux/tree/master/drivers/net/ethernet/aquantia/atlantic, however that errors out with "implicit declaration of function ‘platform_get_ethdev_address’ [-Werror=implicit-function-declaration]". A quick google search revealed that this is supposedly a 'new' function which isn't present in 5.15.0 yet, though I might be wrong.

Revision history for this message

bsdz (blairuk) wrote on 2022-04-26:

#24

Just a couple of other suggestions.

You can generate a patch file from the upstream kernel repo. eg

cd linux-jammy
curl https://github.com/torvalds/linux/commit/8d3a6c37d50d5a0504c126c932cc749e6dd9c78f.patch -o ./atlantic.patch
git diff
git apply ./atlantic.patch
git diff

I was wrong about printf. You need to use printk

printk(KERN_INFO "HERE!\n");

I expect printk just will work although you might need to "#include <linux/kernel.h>"

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-10:

#25

Sorry for the delay, life happened...

After mucking about with this for the past few days and not being able to get the module to compile on 5.15 for the life of me (always same error "implicit declaration of function ‘platform_get_ethdev_address’ [-Werror=implicit-function-declaration]"), I have decided to just build 5.18-rc6 out of desperation. I figured the changes should be included by now, though I'm not sure and don't know how to check...

This is what I did:

sudo apt install alien autoconf bison build-essential ccache fakeroot flex gawk git libattr1-dev libblkid-dev libdevmapper-dev libelf-dev libncurses5-dev libselinux-dev libssl-dev libtool libudev-dev linux-headers-$(uname -r) uuid-dev zlib1g-dev
mkdir build
cd build
git clone git://git.launchpad.net/~ubuntu-kernel-test/ubuntu/+source/linux/+git/mainline-crack ubuntu_kernel
cd ubuntu_kernel
git checkout tags/v5.18-rc6
cp /boot/config-"$(uname -r)" .config
yes '' | make oldconfig
make prepare scripts
cd ..
git clone https://github.com/zfsonlinux/zfs.git
cd zfs
git checkout zfs-2.1.5-staging
sh autogen.sh
./configure --prefix=/ --libdir=/lib --includedir=/usr/include --datarootdir=/usr/share --enable-linux-builtin=yes --with-linux=$HOME/build/ubuntu_kernel --with-linux-obj=$HOME/build/ubuntu_kernel
./copy-builtin $HOME/build/ubuntu_kernel
cd ../ubuntu_kernel
make menuconfig # include zfs
scripts/config --set-str SYSTEM_TRUSTED_KEYS ""
scripts/config --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""
make clean
make -j 16 bindeb-pkg LOCALVERSION=-aq107-test
cd ..
sudo apt install ./linux-headers-5.18.0-rc6-aq107-test_5.18.0-rc6-aq107-test-1_amd64.deb ./linux-image-5.18.0-rc6-aq107-test_5.18.0-rc6-aq107-test-1_amd64.deb

After a reboot I seem to get exactly the same error, stack trace is near the bottom of the log.
What should I do now?

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-10:

#26

dmesg.log Edit (138.6 KiB, text/html)

Revision history for this message

bsdz (blairuk) wrote on 2022-05-10:

#27

Actually I took a look at the aq_nic.c and it looks like there are still places in the code that need patching to avoid UB. For example, from your dmesg I see it pointing to this section of code (https://github.com/torvalds/linux/blob/8d3a6c37d50d5a0504c126c932cc749e6dd9c78f/drivers/net/ethernet/aquantia/atlantic/aq_nic.c#L1267-L1269).

Which looks like this:

for (i = 0U, aq_vec = self->aq_vec[0];
self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
aq_vec_stop(aq_vec);

And, to avoid UBSAN, should be rewritten as:

for (i = 0U; self->aq_vecs > i; ++i) {
  aq_vec = self->aq_vec[i];
  aq_vec_stop(aq_vec);
        }

And, in fact, looks like there are another two places in that file that require the same treatment.

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-05-10:

#28

Nice catch, mind to send a patch to fix it?

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-11 (last edit on 2022-05-11):

#29

I tried changing the function, now the module doesn't compile.

EDIT: Sorry, forgot to close the curly bracket...

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-11:

#30

I have successfully modified two of the mentioned three functions and tested the module, so far UBSAN does not complain anymore :)

Unfdortunately I can't rewrite the third function, since it does not match the pattern (and I have no idea what I'm doing)

for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) {
    for (i = 0U, aq_vec = self->aq_vec[0];
        aq_vec && self->aq_vecs > i;
        ++i, aq_vec = self->aq_vec[i]) {
            data += count;
            count = aq_vec_get_sw_stats(aq_vec, tc, data);
    }
}

I have included a diff for the other two functions.

Revision history for this message

bsdz (blairuk) wrote on 2022-05-11:

#31

I think the last/3rd one might be rewritten like:

for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) {
  for (i = 0U; self->aq_vecs > i; ++i) {
   aq_vec = self->aq_vec[i];
   if (aq_vec) {
    data += count;
    count = aq_vec_get_sw_stats(aq_vec, tc, data);
   }
  }
}

Have tested whether it compiles sorry.

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-12:

#32

aq_nic.c.patch Edit (1.2 KiB, text/plain)

Thank you @bsdz, compiles and works flawlessly since yesterday. UBSAN is happy, performance is as expected.

@kaihengfeng, is this patch suitable for inclusion upstream?

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-05-13:

#33

I think that's a bit different to the original version, which breaks out the loop as soon as "aq_vec" evaluates to false.

So, instead of

if (aq_vec) {
...
}

Should be

if (!aq_vec)
break;

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-13:

#34

aq_nic.c.patch Edit (1.4 KiB, text/plain)

I have implemented your suggestion, so far no issues. I'm going to kick off my backup now and do some more testing later.

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-05-13:

#35

The following two lines shouldn't be omitted:
data += count;
count = aq_vec_get_sw_stats(aq_vec, tc, data);

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-13:

#36

Sorry. Like this?

for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) {
  for (i = 0U; self->aq_vecs > i; ++i) {
   aq_vec = self->aq_vec[i];
   if (!aq_vec)
    break;
    data += count;
    count = aq_vec_get_sw_stats(aq_vec, tc, data);
  }
}

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-05-13:

#37

Yes, that one looks correct.

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-13:

#38

aq_nic.c.patch Edit (1.4 KiB, text/plain)

OK, so far everything seems to be working great. Performance is good, no UBSAN messages, no other abnormalities. I think we are good now.

Revision history for this message

Kai-Heng Feng (kaihengfeng) wrote on 2022-05-16:

#39

Great! Please consider to send it to upstream mailing list.

Revision history for this message

Nikolaus Vladutescu-Zopp (populationless) wrote on 2022-05-18:

#40

How would I go about doing so, while giving credit to bsdz and you?

Revision history for this message

Mario Limonciello (superm1) wrote on 2022-05-18:

#41

https://www.kernel.org/doc/html/latest/process/submitting-patches.html
You can use tags like "Suggested-by:" for the email of KH and bsdz.

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-05-20:

#42

This bug is awaiting verification that the linux-oem-5.17/5.17.0-1006.6 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-jammy

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-05-27:

#43

This bug is awaiting verification that the linux-oem-5.14/5.14.0-1040.44 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Revision history for this message

bsdz (blairuk) wrote on 2022-05-29:

#44

I followed instructions under the wiki (https://wiki.ubuntu.com/Testing/EnableProposed) using the "Developer Options" to enable pre-released updates (jammy-proposed); I then also followed section "Selective upgrading from -proposed" to set a pin-priority of 400. I then installed proposed kernel as follows:

sudo apt-get install linux-generic/jammy-proposed linux-headers-generic/jammy-proposed

However, inspection of dmesg shows the proposed/installed kernel is 5.15.0-35-generic (not the version from the above Ubuntu kernel bot, i.e. linux-oem-5.17/5.17.0-1006.6 or linux-oem-5.14/5.14.0-1040.44).

Also, the UBSAN issue still persists.

Do I need to do something else?

Revision history for this message

Kay-Michael Voit (kmvoit) wrote on 2022-05-31:

#45

I experience this with Ubuntu kernel 5.15.0-33, but not with 5.15.0-25.
I installed the system with the latter, and then updated to the former, with which it stopped working. Selecting 5.15.0-25 in grub still works.

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2022-06-01:

#46

the fix for oem-5.14 comes via stable updates

Changed in linux (Ubuntu Focal):
status:	New → Invalid
Changed in linux-oem-5.14 (Ubuntu Jammy):
status:	New → Invalid
Changed in linux-oem-5.17 (Ubuntu Focal):
status:	New → Invalid
Changed in linux-oem-5.14 (Ubuntu):
status:	New → Invalid
tags:	added: verification-done-focal removed: verification-needed-focal

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2022-06-03:

#47

oem-5.17 verification missing

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2022-06-06:

#48

oh well, the fix came via stable backports, so marking verified

Changed in linux-oem-5.17 (Ubuntu):
status:	Confirmed → Invalid
tags:	added: verification-done-jammy removed: verification-needed-jammy

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-06-07:

#49

This bug was fixed in the package linux-oem-5.17 - 5.17.0-1011.12

---------------
linux-oem-5.17 (5.17.0-1011.12) jammy; urgency=medium

* CVE-2022-1972
- netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

* CVE-2022-1966
- netfilter: nf_tables: disallow non-stateful expression in sets earlier

-- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 03 Jun 2022 14:17:23 -0300

Changed in linux-oem-5.17 (Ubuntu Jammy):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-06-07:

#50

This bug was fixed in the package linux-oem-5.14 - 5.14.0-1042.47

---------------
linux-oem-5.14 (5.14.0-1042.47) focal; urgency=medium

* CVE-2022-1972
- netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

* CVE-2022-1966
- netfilter: nf_tables: disallow non-stateful expression in sets earlier

-- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 03 Jun 2022 15:00:01 -0300

Changed in linux-oem-5.14 (Ubuntu Focal):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-06-18:

#51

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu Jammy):
status:	New → Confirmed

Stefan Bader (smb) on 2022-06-22

Changed in linux (Ubuntu Jammy):
importance:	Undecided → Medium
status:	Confirmed → Fix Committed

Revision history for this message

Bruce Campbell (yakman2020) wrote on 2022-06-29:

#52

What package/version is this release in? I tried (among others) linux-oem-22.04 from the proposed ppa with no luck. I still see this issue. When I looked at the source, it appeared the problem cod (++i, aq_vec = self->aq_vec[i]) is still present in the aq_nic.c file in three places, including line 1268. I get an UBSAN error on boot for aq_nic.c:1268

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-07-11:

#53

Download full text (31.7 KiB)

This bug was fixed in the package linux - 5.15.0-41.44

---------------
linux (5.15.0-41.44) jammy; urgency=medium

* jammy/linux: 5.15.0-41.44 -proposed tracker (LP: #1979448)

  * Fix can't boot up after change to vmd (LP: #1976587)
    - PCI: vmd: Assign VMD IRQ domain before enumeration
    - PCI: vmd: Revert 2565e5b69c44 ("PCI: vmd: Do not disable MSI-X remapping if
      interrupt remapping is enabled by IOMMU.")

* [SRU][Jammy/OEM-5.17][PATCH 0/1] Fix calltrace in mac80211 (LP: #1978297)
- mac80211: fix struct ieee80211_tx_info size

  * [SRU][Jammy][PATCH 0/1] Fix amd display corruption on s2idle resume
    (LP: #1978244)
    - drm/amd/display: Don't reinitialize DMCUB on s0ix resume

* pl2303 serial adapter not recognized (LP: #1967493)
- USB: serial: pl2303: fix type detection for odd device

  * Remove SAUCE patches from test_vxlan_under_vrf.sh in net of
    ubuntu_kernel_selftests (LP: #1975691)
    - Revert "UBUNTU: SAUCE: selftests: net: Don't fail test_vxlan_under_vrf on
      xfail"
    - Revert "UBUNTU: SAUCE: selftests: net: Make test for VXLAN underlay in non-
      default VRF an expected failure"

* Fix hp_wmi_read_int() reporting error (0x05) (LP: #1979051)
- platform/x86: hp-wmi: Fix hp_wmi_read_int() reporting error (0x05)

  * Request to back port vmci patches to Ubuntu kernel (LP: #1978145)
    - VMCI: dma dg: whitespace formatting change for vmci register defines
    - VMCI: dma dg: add MMIO access to registers
    - VMCI: dma dg: detect DMA datagram capability
    - VMCI: dma dg: set OS page size
    - VMCI: dma dg: register dummy IRQ handlers for DMA datagrams
    - VMCI: dma dg: allocate send and receive buffers for DMA datagrams
    - VMCI: dma dg: add support for DMA datagrams sends
    - VMCI: dma dg: add support for DMA datagrams receive
    - VMCI: Fix some error handling paths in vmci_guest_probe_device()
    - VMCI: Release notification_bitmap in error path
    - VMCI: Check exclusive_vectors when freeing interrupt 1
    - VMCI: Add support for ARM64
    - [Config] Update policies for VMWARE_VMCI and VMWARE_VMCI_VSOCKETS

  * [UBUNTU 20.04] rcu stalls with many storage key guests (LP: #1975582)
    - s390/gmap: voluntarily schedule during key setting
    - s390/mm: use non-quiescing sske for KVM switch to keyed guest

  * [SRU][OEM-5.14/OEM-5.17/Jammy][PATCH 0/1] Fix i915 calltrace on new ADL BIOS
    (LP: #1976214)
    - drm/i915: update new TMDS clock setting defined by VBT

* Revert PPC get_user workaround (LP: #1976248)
- powerpc: Export mmu_feature_keys[] as non-GPL

  * Jammy update: v5.15.39 upstream stable release (LP: #1978240)
    - MIPS: Fix CP0 counter erratum detection for R4k CPUs
    - parisc: Merge model and model name into one line in /proc/cpuinfo
    - ALSA: hda/realtek: Add quirk for Yoga Duet 7 13ITL6 speakers
    - ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes
    - mmc: sdhci-msm: Reset GCC_SDCC_BCR register for SDHC
    - mmc: sunxi-mmc: Fix DMA descriptors allocated above 32 bits
    - mmc: core: Set HS clock speed before sending HS CMD13
    - gpiolib: of: fix bounds check for 'gpio-reserved-ranges'
    - x86/fpu: Prevent FPU s...

This bug was fixed in the package linux - 5.15.0-41.44

---------------
linux (5.15.0-41.44) jammy; urgency=medium

* jammy/linux: 5.15.0-41.44 -proposed tracker (LP: #1979448)

* Fix can't boot up after change to vmd  (LP: #1976587)
    - PCI: vmd: Assign VMD IRQ domain before enumeration
    - PCI: vmd: Revert 2565e5b69c44 ("PCI: vmd: Do not disable MSI-X remapping if
      interrupt remapping is enabled by IOMMU.")

* [SRU][Jammy/OEM-5.17][PATCH 0/1] Fix calltrace in mac80211 (LP: #1978297)
    - mac80211: fix struct ieee80211_tx_info size

* [SRU][Jammy][PATCH 0/1] Fix amd display corruption on s2idle resume
    (LP: #1978244)
    - drm/amd/display: Don't reinitialize DMCUB on s0ix resume

* pl2303 serial adapter not recognized (LP: #1967493)
    - USB: serial: pl2303: fix type detection for odd device

* Remove SAUCE patches from test_vxlan_under_vrf.sh in net of
    ubuntu_kernel_selftests (LP: #1975691)
    - Revert "UBUNTU: SAUCE: selftests: net: Don't fail test_vxlan_under_vrf on
      xfail"
    - Revert "UBUNTU: SAUCE: selftests: net: Make test for VXLAN underlay in non-
      default VRF an expected failure"

* Fix hp_wmi_read_int() reporting error (0x05) (LP: #1979051)
    - platform/x86: hp-wmi: Fix hp_wmi_read_int() reporting error (0x05)

* Request to back port vmci patches to Ubuntu kernel (LP: #1978145)
    - VMCI: dma dg: whitespace formatting change for vmci register defines
    - VMCI: dma dg: add MMIO access to registers
    - VMCI: dma dg: detect DMA datagram capability
    - VMCI: dma dg: set OS page size
    - VMCI: dma dg: register dummy IRQ handlers for DMA datagrams
    - VMCI: dma dg: allocate send and receive buffers for DMA datagrams
    - VMCI: dma dg: add support for DMA datagrams sends
    - VMCI: dma dg: add support for DMA datagrams receive
    - VMCI: Fix some error handling paths in vmci_guest_probe_device()
    - VMCI: Release notification_bitmap in error path
    - VMCI: Check exclusive_vectors when freeing interrupt 1
    - VMCI: Add support for ARM64
    - [Config] Update policies for VMWARE_VMCI and VMWARE_VMCI_VSOCKETS

* [UBUNTU 20.04] rcu stalls with many storage key guests (LP: #1975582)
    - s390/gmap: voluntarily schedule during key setting
    - s390/mm: use non-quiescing sske for KVM switch to keyed guest

* [SRU][OEM-5.14/OEM-5.17/Jammy][PATCH 0/1] Fix i915 calltrace on new ADL BIOS
    (LP: #1976214)
    - drm/i915: update new TMDS clock setting defined by VBT

* Revert PPC get_user workaround (LP: #1976248)
    - powerpc: Export mmu_feature_keys[] as non-GPL

* Jammy update: v5.15.39 upstream stable release (LP: #1978240)
    - MIPS: Fix CP0 counter erratum detection for R4k CPUs
    - parisc: Merge model and model name into one line in /proc/cpuinfo
    - ALSA: hda/realtek: Add quirk for Yoga Duet 7 13ITL6 speakers
    - ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes
    - mmc: sdhci-msm: Reset GCC_SDCC_BCR register for SDHC
    - mmc: sunxi-mmc: Fix DMA descriptors allocated above 32 bits
    - mmc: core: Set HS clock speed before sending HS CMD13
    - gpiolib: of: fix bounds check for 'gpio-reserved-ranges'
    - x86/fpu: Prevent FPU state corruption
    - KVM: x86/svm: Account for family 17h event renumberings in
      amd_pmc_perf_hw_id
    - iommu/vt-d: Calculate mask for non-aligned flushes
    - iommu/arm-smmu-v3: Fix size calculation in arm_smmu_mm_invalidate_range()
    - drm/amd/display: Avoid reading audio pattern past AUDIO_CHANNELS_COUNT
    - drm/amdgpu: do not use passthrough mode in Xen dom0
    - RISC-V: relocate DTB if it's outside memory region
    - Revert "SUNRPC: attempt AF_LOCAL connect on setup"
    - timekeeping: Mark NMI safe time accessors as notrace
    - firewire: fix potential uaf in outbound_phy_packet_callback()
    - firewire: remove check of list iterator against head past the loop body
    - firewire: core: extend card->lock in fw_core_handle_bus_reset
    - net: stmmac: disable Split Header (SPH) for Intel platforms
    - genirq: Synchronize interrupt thread startup
    - ASoC: da7219: Fix change notifications for tone generator frequency
    - ASoC: wm8958: Fix change notifications for DSP controls
    - ASoC: meson: Fix event generation for AUI ACODEC mux
    - ASoC: meson: Fix event generation for G12A tohdmi mux
    - ASoC: meson: Fix event generation for AUI CODEC mux
    - s390/dasd: fix data corruption for ESE devices
    - s390/dasd: prevent double format of tracks for ESE devices
    - s390/dasd: Fix read for ESE with blksize < 4k
    - s390/dasd: Fix read inconsistency for ESE DASD devices
    - can: grcan: grcan_close(): fix deadlock
    - can: isotp: remove re-binding of bound socket
    - can: grcan: use ofdev->dev when allocating DMA memory
    - can: grcan: grcan_probe(): fix broken system id check for errata workaround
      needs
    - can: grcan: only use the NAPI poll budget for RX
    - nfc: replace improper check device_is_registered() in netlink related
      functions
    - nfc: nfcmrvl: main: reorder destructive operations in
      nfcmrvl_nci_unregister_dev to avoid bugs
    - NFC: netlink: fix sleep in atomic bug when firmware download timeout
    - gpio: visconti: Fix fwnode of GPIO IRQ
    - gpio: pca953x: fix irq_stat not updated when irq is disabled (irq_mask not
      set)
    - hwmon: (adt7470) Fix warning on module removal
    - hwmon: (pmbus) disable PEC if not enabled
    - ASoC: dmaengine: Restore NULL prepare_slave_config() callback
    - ASoC: soc-ops: fix error handling
    - iommu/vt-d: Drop stop marker messages
    - iommu/dart: check return value after calling platform_get_resource()
    - net/mlx5e: Fix trust state reset in reload
    - net/mlx5e: Don't match double-vlan packets if cvlan is not set
    - net/mlx5e: CT: Fix queued up restore put() executing after relevant ft
      release
    - net/mlx5e: Fix the calling of update_buffer_lossy() API
    - net/mlx5: Avoid double clear or set of sync reset requested
    - net/mlx5: Fix deadlock in sync reset flow
    - selftests/seccomp: Don't call read() on TTY from background pgrp
    - SUNRPC release the transport of a relocated task with an assigned transport
    - RDMA/siw: Fix a condition race issue in MPA request processing
    - RDMA/irdma: Flush iWARP QP if modified to ERR from RTR state
    - RDMA/irdma: Reduce iWARP QP destroy time
    - RDMA/irdma: Fix possible crash due to NULL netdev in notifier
    - NFSv4: Don't invalidate inode attributes on delegation return
    - net: ethernet: mediatek: add missing of_node_put() in mtk_sgmii_init()
    - net: dsa: mt7530: add missing of_node_put() in mt7530_setup()
    - net: stmmac: dwmac-sun8i: add missing of_node_put() in
      sun8i_dwmac_register_mdio_mux()
    - net: mdio: Fix ENOMEM return value in BCM6368 mux bus controller
    - net: cpsw: add missing of_node_put() in cpsw_probe_dt()
    - net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
    - net: emaclite: Add error handling for of_address_to_resource()
    - selftests/net: so_txtime: fix parsing of start time stamp on 32 bit systems
    - selftests/net: so_txtime: usage(): fix documentation of default clock
    - drm/msm/dp: remove fail safe mode related code
    - btrfs: do not BUG_ON() on failure to update inode when setting xattr
    - hinic: fix bug of wq out of bound access
    - mld: respect RCU rules in ip6_mc_source() and ip6_mc_msfilter()
    - rxrpc: Enable IPv6 checksums on transport socket
    - selftests: mirror_gre_bridge_1q: Avoid changing PVID while interface is
      operational
    - bnxt_en: Fix possible bnxt_open() failure caused by wrong RFS flag
    - bnxt_en: Fix unnecessary dropping of RX packets
    - selftests: ocelot: tc_flower_chains: specify conform-exceed action for
      policer
    - smsc911x: allow using IRQ0
    - btrfs: force v2 space cache usage for subpage mount
    - btrfs: always log symlinks in full mode
    - gpio: mvebu: drop pwm base assignment
    - kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
    - net/mlx5: Fix slab-out-of-bounds while reading resource dump menu
    - net/mlx5e: Lag, Fix use-after-free in fib event handler
    - net/mlx5e: Lag, Fix fib_info pointer assignment
    - net/mlx5e: Lag, Don't skip fib events on current dst
    - iommu/dart: Add missing module owner to ops structure
    - kvm: selftests: do not use bitfields larger than 32-bits for PTEs
    - KVM: selftests: Silence compiler warning in the kvm_page_table_test
    - x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume
    - KVM: x86: Do not change ICR on write to APIC_SELF_IPI
    - KVM: x86/mmu: avoid NULL-pointer dereference on page freeing bugs
    - KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised
    - selftest/vm: verify mmap addr in mremap_test
    - selftest/vm: verify remap destination address in mremap_test
    - Revert "parisc: Mark sched_clock unstable only if clocks are not
      syncronized"
    - rcu: Fix callbacks processing time limit retaining cond_resched()
    - rcu: Apply callbacks processing time limit only on softirq
    - PCI: pci-bridge-emul: Add description for class_revision field
    - PCI: pci-bridge-emul: Add definitions for missing capabilities registers
    - PCI: aardvark: Add support for DEVCAP2, DEVCTL2, LNKCAP2 and LNKCTL2
      registers on emulated bridge
    - PCI: aardvark: Clear all MSIs at setup
    - PCI: aardvark: Comment actions in driver remove method
    - PCI: aardvark: Disable bus mastering when unbinding driver
    - PCI: aardvark: Mask all interrupts when unbinding driver
    - PCI: aardvark: Fix memory leak in driver unbind
    - PCI: aardvark: Assert PERST# when unbinding driver
    - PCI: aardvark: Disable link training when unbinding driver
    - PCI: aardvark: Disable common PHY when unbinding driver
    - PCI: aardvark: Replace custom PCIE_CORE_INT_* macros with PCI_INTERRUPT_*
    - PCI: aardvark: Check return value of generic_handle_domain_irq() when
      processing INTx IRQ
    - PCI: aardvark: Make MSI irq_chip structures static driver structures
    - PCI: aardvark: Make msi_domain_info structure a static driver structure
    - PCI: aardvark: Use dev_fwnode() instead of of_node_to_fwnode(dev->of_node)
    - PCI: aardvark: Refactor unmasking summary MSI interrupt
    - PCI: aardvark: Add support for masking MSI interrupts
    - PCI: aardvark: Fix setting MSI address
    - PCI: aardvark: Enable MSI-X support
    - PCI: aardvark: Add support for ERR interrupt on emulated bridge
    - PCI: aardvark: Optimize writing PCI_EXP_RTCTL_PMEIE and PCI_EXP_RTSTA_PME on
      emulated bridge
    - PCI: aardvark: Add support for PME interrupts
    - PCI: aardvark: Fix support for PME requester on emulated bridge
    - PCI: aardvark: Use separate INTA interrupt for emulated root bridge
    - PCI: aardvark: Remove irq_mask_ack() callback for INTx interrupts
    - PCI: aardvark: Don't mask irq when mapping
    - PCI: aardvark: Drop __maybe_unused from advk_pcie_disable_phy()
    - PCI: aardvark: Update comment about link going down after link-up
    - Linux 5.15.39

* Jammy update: v5.15.38 upstream stable release (LP: #1978234)
    - usb: mtu3: fix USB 3.0 dual-role-switch from device to host
    - USB: quirks: add a Realtek card reader
    - USB: quirks: add STRING quirk for VCOM device
    - USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
    - USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
    - USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
    - USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
    - usb: xhci: tegra:Fix PM usage reference leak of
      tegra_xusb_unpowergate_partitions
    - xhci: Enable runtime PM on second Alderlake controller
    - xhci: stop polling roothubs after shutdown
    - xhci: increase usb U3 -> U0 link resume timeout from 100ms to 500ms
    - iio: dac: ad5592r: Fix the missing return value.
    - iio: dac: ad5446: Fix read_raw not returning set value
    - iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
    - iio: imu: inv_icm42600: Fix I2C init possible nack
    - usb: misc: fix improper handling of refcount in uss720_probe()
    - usb: core: Don't hold the device lock while sleeping in do_proc_control()
    - usb: typec: ucsi: Fix reuse of completion structure
    - usb: typec: ucsi: Fix role swapping
    - usb: gadget: uvc: Fix crash when encoding data for usb request
    - usb: gadget: configfs: clear deactivation flag in
      configfs_composite_unbind()
    - usb: dwc3: Try usb-role-switch first in dwc3_drd_init
    - usb: dwc3: core: Fix tx/rx threshold settings
    - usb: dwc3: core: Only handle soft-reset in DCTL
    - usb: dwc3: gadget: Return proper request status
    - usb: dwc3: pci: add support for the Intel Meteor Lake-P
    - usb: cdns3: Fix issue for clear halt endpoint
    - usb: phy: generic: Get the vbus supply
    - serial: imx: fix overrun interrupts in DMA mode
    - serial: amba-pl011: do not time out prematurely when draining tx fifo
    - serial: 8250: Also set sticky MCR bits in console restoration
    - serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
    - arch_topology: Do not set llc_sibling if llc_id is invalid
    - ceph: fix possible NULL pointer dereference for req->r_session
    - bus: mhi: host: pci_generic: Add missing poweroff() PM callback
    - bus: mhi: host: pci_generic: Flush recovery worker during freeze
    - arm64: dts: imx8mm-venice: fix spi2 pin configuration
    - pinctrl: samsung: fix missing GPIOLIB on ARM64 Exynos config
    - hex2bin: make the function hex_to_bin constant-time
    - hex2bin: fix access beyond string end
    - riscv: patch_text: Fixup last cpu should be master
    - x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests
    - iocost: don't reset the inuse weight of under-weighted debtors
    - virtio_net: fix wrong buf address calculation when using xdp
    - cpufreq: qcom-hw: fix the race between LMH worker and cpuhp
    - cpufreq: qcom-cpufreq-hw: Fix throttle frequency value on EPSS platforms
    - video: fbdev: udlfb: properly check endpoint type
    - arm64: dts: meson: remove CPU opps below 1GHz for G12B boards
    - arm64: dts: meson: remove CPU opps below 1GHz for SM1 boards
    - iio:imu:bmi160: disable regulator in error path
    - mtd: rawnand: fix ecc parameters for mt7622
    - xsk: Fix l2fwd for copy mode + busy poll combo
    - arm64: dts: imx8qm: Correct SCU clock controller's compatible property
    - USB: Fix xhci event ring dequeue pointer ERDP update issue
    - ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
    - arm64: dts: imx8mn: Fix SAI nodes
    - arm64: dts: meson-sm1-bananapi-m5: fix wrong GPIO pin labeling for CON1
    - phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
    - phy: samsung: exynos5250-sata: fix missing device put in probe error paths
    - ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
    - bus: ti-sysc: Make omap3 gpt12 quirk handling SoC specific
    - ARM: dts: dra7: Fix suspend warning for vpe powerdomain
    - phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks
    - ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek
    - ARM: dts: at91: sama5d4_xplained: fix pinctrl phandle name
    - ARM: dts: at91: fix pinctrl phandles
    - phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe
    - phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe
    - interconnect: qcom: sdx55: Drop IP0 interconnects
    - ARM: dts: Fix mmc order for omap3-gta04
    - ARM: dts: am3517-evm: Fix misc pinmuxing
    - ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35
    - ipvs: correctly print the memory size of ip_vs_conn_tab
    - phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe()
    - pinctrl: mediatek: moore: Fix build error
    - mtd: rawnand: Fix return value check of wait_for_completion_timeout
    - mtd: fix 'part' field data corruption in mtd_info
    - pinctrl: stm32: Do not call stm32_gpio_get() for edge triggered IRQs in EOI
    - memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode
    - net: dsa: Add missing of_node_put() in dsa_port_link_register_of
    - netfilter: nft_set_rbtree: overlap detection with element re-addition after
      deletion
    - bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt
      hook
    - pinctrl: rockchip: fix RK3308 pinmux bits
    - tcp: md5: incorrect tcp_header_len for incoming connections
    - pinctrl: stm32: Keep pinctrl block clock enabled when LEVEL IRQ requested
    - tcp: ensure to use the most recently sent skb when filling the rate sample
    - wireguard: device: check for metadata_dst with skb_valid_dst()
    - sctp: check asoc strreset_chunk in sctp_generate_reconf_event
    - ARM: dts: imx6ull-colibri: fix vqmmc regulator
    - arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock
    - pinctrl: pistachio: fix use of irq_of_parse_and_map()
    - cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe
    - net: hns3: clear inited state and stop client after failed to register
      netdev
    - net: hns3: modify the return code of hclge_get_ring_chain_from_mbx
    - net: hns3: add validity check for message data length
    - net: hns3: add return value for mailbox handling in PF
    - net/smc: sync err code when tcp connection was refused
    - ip_gre: Make o_seqno start from 0 in native mode
    - ip6_gre: Make o_seqno start from 0 in native mode
    - ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
    - tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
    - tcp: make sure treq->af_specific is initialized
    - bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
    - clk: sunxi: sun9i-mmc: check return value after calling
      platform_get_resource()
    - cpufreq: qcom-cpufreq-hw: Clear dcvs interrupts
    - net: bcmgenet: hide status block before TX timestamping
    - net: phy: marvell10g: fix return value on error
    - net: dsa: mv88e6xxx: Fix port_hidden_wait to account for port_base_addr
    - drm/sun4i: Remove obsolete references to PHYS_OFFSET
    - net: dsa: lantiq_gswip: Don't set GSWIP_MII_CFG_RMII_CLK
    - io_uring: check reserved fields for send/sendmsg
    - io_uring: check reserved fields for recv/recvmsg
    - netfilter: conntrack: fix udp offload timeout sysctl
    - drm/amdkfd: Fix GWS queue count
    - drm/amd/display: Fix memory leak in dcn21_clock_source_create
    - tls: Skip tls_append_frag on zero copy size
    - bnx2x: fix napi API usage sequence
    - net: fec: add missing of_node_put() in fec_enet_init_stop_mode()
    - gfs2: Prevent endless loops in gfs2_file_buffered_write
    - gfs2: Minor retry logic cleanup
    - gfs2: Make sure not to return short direct writes
    - gfs2: No short reads or writes upon glock contention
    - perf arm-spe: Fix addresses of synthesized SPE events
    - ixgbe: ensure IPsec VF<->PF compatibility
    - Revert "ibmvnic: Add ethtool private flag for driver-defined queue limits"
    - tcp: fix F-RTO may not work correctly when receiving DSACK
    - ASoC: Intel: soc-acpi: correct device endpoints for max98373
    - ASoC: wm8731: Disable the regulator when probing fails
    - ext4: fix bug_on in start_this_handle during umount filesystem
    - arch: xtensa: platforms: Fix deadlock in rs_close()
    - ksmbd: increment reference count of parent fp
    - ksmbd: set fixed sector size to FS_SECTOR_SIZE_INFORMATION
    - bonding: do not discard lowest hash bit for non layer3+4 hashing
    - x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
    - cifs: destage any unwritten data to the server before calling
      copychunk_write
    - drivers: net: hippi: Fix deadlock in rr_close()
    - powerpc/perf: Fix 32bit compile
    - selftest/vm: verify mmap addr in mremap_test
    - selftest/vm: verify remap destination address in mremap_test
    - Revert "ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40"
    - zonefs: Fix management of open zones
    - zonefs: Clear inode information flags on inode creation
    - kasan: prevent cpu_quarantine corruption when CPU offline and cache shrink
      occur at same time
    - mtd: rawnand: qcom: fix memory corruption that causes panic
    - netfilter: Update ip6_route_me_harder to consider L3 domain
    - drm/i915: Check EDID for HDR static metadata when choosing blc
    - drm/i915: Fix SEL_FETCH_PLANE_*(PIPE_B+) register addresses
    - net: ethernet: stmmac: fix write to sgmii_adapter_base
    - ACPI: processor: idle: Avoid falling back to C3 type C-states
    - thermal: int340x: Fix attr.show callback prototype
    - btrfs: fix leaked plug after failure syncing log on zoned filesystems
    - ARM: dts: at91: sama7g5ek: enable pull-up on flexcom3 console lines
    - ARM: dts: imx8mm-venice-gw{71xx,72xx,73xx}: fix OTG controller OC mode
    - x86/cpu: Load microcode during restore_processor_state()
    - perf symbol: Pass is_kallsyms to symbols__fixup_end()
    - perf symbol: Update symbols__fixup_end()
    - tty: n_gsm: fix restart handling via CLD command
    - tty: n_gsm: fix decoupled mux resource
    - tty: n_gsm: fix mux cleanup after unregister tty device
    - tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
    - tty: n_gsm: fix malformed counter for out of frame data
    - netfilter: nft_socket: only do sk lookups when indev is available
    - tty: n_gsm: fix insufficient txframe size
    - tty: n_gsm: fix wrong DLCI release order
    - tty: n_gsm: fix missing explicit ldisc flush
    - tty: n_gsm: fix wrong command retry handling
    - tty: n_gsm: fix wrong command frame length field encoding
    - tty: n_gsm: fix wrong signal octets encoding in MSC
    - tty: n_gsm: fix missing tty wakeup in convergence layer type 2
    - tty: n_gsm: fix reset fifo race condition
    - tty: n_gsm: fix incorrect UA handling
    - tty: n_gsm: fix software flow control handling
    - perf symbol: Remove arch__symbols__fixup_end()
    - eeprom: at25: Use DMA safe buffers
    - objtool: Fix code relocs vs weak symbols
    - objtool: Fix type of reloc::addend
    - powerpc/64: Add UADDR64 relocation support
    - Linux 5.15.38

* Jammy update: v5.15.37 upstream stable release (LP: #1976135)
    - floppy: disable FDRAWCMD by default
    - [Config] updateconfigs for BLK_DEV_FD_RAWCMD
    - bpf: Introduce composable reg, ret and arg types.
    - bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL
    - bpf: Replace RET_XXX_OR_NULL with RET_XXX | PTR_MAYBE_NULL
    - bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL
    - bpf: Introduce MEM_RDONLY flag
    - bpf: Convert PTR_TO_MEM_OR_NULL to composable types.
    - bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.
    - bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem.
    - bpf/selftests: Test PTR_TO_RDONLY_MEM
    - bpf: Fix crash due to out of bounds access into reg2btf_ids.
    - spi: cadence-quadspi: fix write completion support
    - ARM: dts: socfpga: change qspi to "intel,socfpga-qspi"
    - mm: kfence: fix objcgs vector allocation
    - gup: Turn fault_in_pages_{readable,writeable} into
      fault_in_{readable,writeable}
    - iov_iter: Turn iov_iter_fault_in_readable into fault_in_iov_iter_readable
    - iov_iter: Introduce fault_in_iov_iter_writeable
    - gfs2: Add wrapper for iomap_file_buffered_write
    - gfs2: Clean up function may_grant
    - gfs2: Introduce flag for glock holder auto-demotion
    - gfs2: Move the inode glock locking to gfs2_file_buffered_write
    - gfs2: Eliminate ip->i_gh
    - gfs2: Fix mmap + page fault deadlocks for buffered I/O
    - iomap: Fix iomap_dio_rw return value for user copies
    - iomap: Support partial direct I/O on user copy failures
    - iomap: Add done_before argument to iomap_dio_rw
    - gup: Introduce FOLL_NOFAULT flag to disable page faults
    - iov_iter: Introduce nofault flag to disable page faults
    - gfs2: Fix mmap + page fault deadlocks for direct I/O
    - btrfs: fix deadlock due to page faults during direct IO reads and writes
    - btrfs: fallback to blocking mode when doing async dio over multiple extents
    - mm: gup: make fault_in_safe_writeable() use fixup_user_fault()
    - selftests/bpf: Add test for reg2btf_ids out of bounds access
    - Linux 5.15.37

* CVE-2022-1789
    - KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

* Jammy update: v5.15.36 upstream stable release (LP: #1972905)
    - block: simplify the block device syncing code
    - xfs: return errors in xfs_fs_sync_fs
    - dma-mapping: remove bogus test for pfn_valid from dma_map_resource
    - arm64/mm: drop HAVE_ARCH_PFN_VALID
    - etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead
    - mm: page_alloc: fix building error on -Werror=array-compare
    - perf tools: Fix segfault accessing sample_id xyarray
    - mm, kfence: support kmem_dump_obj() for KFENCE objects
    - gfs2: assign rgrp glock before compute_bitstructs
    - scsi: ufs: core: scsi_get_lba() error fix
    - ALSA: usb-audio: Clear MIDI port active flag after draining
    - ALSA: hda/realtek: Add quirk for Clevo NP70PNP
    - ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
    - ASoC: topology: Correct error handling in soc_tplg_dapm_widget_create()
    - ASoC: rk817: Use devm_clk_get() in rk817_platform_probe
    - ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component
    - ASoC: codecs: wcd934x: do not switch off SIDO Buck when codec is in use
    - dmaengine: idxd: fix device cleanup on disable
    - dmaengine: imx-sdma: Fix error checking in sdma_event_remap
    - dmaengine: mediatek:Fix PM usage reference leak of
      mtk_uart_apdma_alloc_chan_resources
    - dmaengine: dw-edma: Fix unaligned 64bit access
    - spi: spi-mtk-nor: initialize spi controller after resume
    - esp: limit skb_page_frag_refill use to a single page
    - spi: cadence-quadspi: fix incorrect supports_op() return value
    - igc: Fix infinite loop in release_swfw_sync
    - igc: Fix BUG: scheduling while atomic
    - igc: Fix suspending when PTM is active
    - ALSA: hda/hdmi: fix warning about PCM count when used with SOF
    - rxrpc: Restore removed timer deletion
    - net/smc: Fix sock leak when release after smc_shutdown()
    - net/packet: fix packet_sock xmit return value checking
    - ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit()
    - ip6_gre: Fix skb_under_panic in __gre6_xmit()
    - net: restore alpha order to Ethernet devices in config
    - net/sched: cls_u32: fix possible leak in u32_init_knode()
    - l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using
      netdev_master_upper_dev_get_rcu
    - ipv6: make ip6_rt_gc_expire an atomic_t
    - can: isotp: stop timeout monitoring when no first frame was sent
    - net: dsa: hellcreek: Calculate checksums in tagger
    - net: mscc: ocelot: fix broken IP multicast flooding
    - netlink: reset network and mac headers in netlink_dump()
    - drm/i915/display/psr: Unset enable_psr2_sel_fetch if other checks in
      intel_psr2_config_valid() fails
    - net: stmmac: Use readl_poll_timeout_atomic() in atomic state
    - dmaengine: idxd: add RO check for wq max_batch_size write
    - dmaengine: idxd: add RO check for wq max_transfer_size write
    - dmaengine: idxd: skip clearing device context when device is read-only
    - selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted packets
    - arm64: mm: fix p?d_leaf()
    - ARM: vexpress/spc: Avoid negative array index when !SMP
    - reset: renesas: Check return value of reset_control_deassert()
    - reset: tegra-bpmp: Restore Handle errors in BPMP response
    - platform/x86: samsung-laptop: Fix an unsigned comparison which can never be
      negative
    - ALSA: usb-audio: Fix undefined behavior due to shift overflowing the
      constant
    - drm/msm/disp: check the return value of kzalloc()
    - arm64: dts: imx: Fix imx8*-var-som touchscreen property sizes
    - vxlan: fix error return code in vxlan_fdb_append
    - cifs: Check the IOCB_DIRECT flag, not O_DIRECT
    - mt76: Fix undefined behavior due to shift overflowing the constant
    - brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant
    - dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info()
    - drm/msm/mdp5: check the return of kzalloc()
    - net: macb: Restart tx only if queue pointer is lagging
    - scsi: iscsi: Release endpoint ID when its freed
    - scsi: iscsi: Merge suspend fields
    - scsi: iscsi: Fix NOP handling during conn recovery
    - scsi: qedi: Fix failed disconnect handling
    - stat: fix inconsistency between struct stat and struct compat_stat
    - VFS: filename_create(): fix incorrect intent.
    - nvme: add a quirk to disable namespace identifiers
    - nvme-pci: disable namespace identifiers for the MAXIO MAP1002/1202
    - nvme-pci: disable namespace identifiers for Qemu controllers
    - EDAC/synopsys: Read the error count from the correct register
    - mm/memory-failure.c: skip huge_zero_page in memory_failure()
    - memcg: sync flush only if periodic flush is delayed
    - mm, hugetlb: allow for "high" userspace addresses
    - oom_kill.c: futex: delay the OOM reaper to allow time for proper futex
      cleanup
    - mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove()
    - ata: pata_marvell: Check the 'bmdma_addr' beforing reading
    - dma: at_xdmac: fix a missing check on list iterator
    - dmaengine: imx-sdma: fix init of uart scripts
    - net: atlantic: invert deep par in pm functions, preventing null derefs
    - Input: omap4-keypad - fix pm_runtime_get_sync() error checking
    - scsi: sr: Do not leak information in ioctl
    - sched/pelt: Fix attach_entity_load_avg() corner case
    - perf/core: Fix perf_mmap fail when CONFIG_PERF_USE_VMALLOC enabled
    - drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised
    - drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
    - KVM: PPC: Fix TCE handling for VFIO
    - drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage
    - powerpc/perf: Fix power9 event alternatives
    - powerpc/perf: Fix power10 event alternatives
    - perf script: Always allow field 'data_src' for auxtrace
    - perf report: Set PERF_SAMPLE_DATA_SRC bit for Arm SPE event
    - xtensa: patch_text: Fixup last cpu should be master
    - xtensa: fix a7 clobbering in coprocessor context load/store
    - openvswitch: fix OOB access in reserve_sfa_size()
    - ASoC: soc-dapm: fix two incorrect uses of list iterator
    - e1000e: Fix possible overflow in LTR decoding
    - ARC: entry: fix syscall_trace_exit argument
    - arm_pmu: Validate single/group leader events
    - KVM: x86/pmu: Update AMD PMC sample period to fix guest NMI-watchdog
    - KVM: x86: Pend KVM_REQ_APICV_UPDATE during vCPU creation to fix a race
    - KVM: nVMX: Defer APICv updates while L2 is active until L1 is active
    - KVM: SVM: Flush when freeing encrypted pages even on SME_COHERENT CPUs
    - netfilter: conntrack: convert to refcount_t api
    - netfilter: conntrack: avoid useless indirection during conntrack destruction
    - ext4: fix fallocate to use file_modified to update permissions consistently
    - ext4: fix symlink file size not match to file content
    - ext4: fix use-after-free in ext4_search_dir
    - ext4, doc: fix incorrect h_reserved size
    - ext4: fix overhead calculation to account for the reserved gdt blocks
    - ext4: force overhead calculation if the s_overhead_cluster makes no sense
    - netfilter: nft_ct: fix use after free when attaching zone template
    - jbd2: fix a potential race while discarding reserved buffers after an abort
    - spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and
      controller
    - block/compat_ioctl: fix range check in BLKGETSIZE
    - arm64: dts: qcom: add IPA qcom,qmp property
    - Linux 5.15.36

* Aquantia GbE LAN driver causes UBSAN error during kernel boot
    (LP: #1958770) // Jammy update: v5.15.36 upstream stable release
    (LP: #1972905)
    - net: atlantic: Avoid out-of-bounds indexing

-- Stefan Bader <stefan.bader@canonical.com>  Wed, 22 Jun 2022 14:42:28 +0200

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Revision history for this message

Kaz (ka4684346) wrote on 2022-07-13:

#54

I had updated to 5.15.0-41.44, but I still get the error.

syslog:
Jul 13 15:05:58 *** kernel: [ 0.000000] Linux version 5.15.0-41-generic (buildd@lcy02-amd64-065) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022 (Ubuntu 5.15.0-41.44-generic 5.15.39)
...
Jul 13 15:06:04 *** kernel: [ 13.227143] UBSAN: array-index-out-of-bounds in /build/linux-TxVM9Q/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
Jul 13 15:06:04 *** kernel: [ 13.228858] index 8 is out of range for type 'aq_vec_s *[8]'

uname -a:
Linux ***.***.*** 5.15.0-41-generic #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-08-02:

#55

I am still getting this on 5.15.0-43-lowlatency as well. Filed bug report that turned out to be a duplicate at Bug #1982878

7/26/22 7:33 AM kernel ================================================================================
7/26/22 7:33 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-gn5Bpn/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
7/26/22 7:33 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
7/26/22 7:33 AM kernel CPU: 2 PID: 2109 Comm: daemon-init Not tainted 5.15.0-43-lowlatency #46-Ubuntu
7/26/22 7:33 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
7/26/22 7:33 AM kernel Call Trace:
7/26/22 7:33 AM kernel <TASK>
7/26/22 7:33 AM kernel show_stack+0x52/0x58
7/26/22 7:33 AM kernel dump_stack_lvl+0x4a/0x5f
7/26/22 7:33 AM kernel dump_stack+0x10/0x12
7/26/22 7:33 AM kernel ubsan_epilogue+0x9/0x45
7/26/22 7:33 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
7/26/22 7:33 AM kernel ? netdev_set_tc_queue+0x78/0x90
7/26/22 7:33 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
7/26/22 7:33 AM kernel aq_nic_stop+0x1b2/0x1c0 [atlantic]
7/26/22 7:33 AM kernel aq_ndev_set_features+0x13f/0x1a0 [atlantic]
7/26/22 7:33 AM kernel __netdev_update_features+0x184/0x810
7/26/22 7:33 AM kernel dev_disable_lro+0x34/0x150
7/26/22 7:33 AM kernel devinet_sysctl_forward+0x1f7/0x230
7/26/22 7:33 AM kernel proc_sys_call_handler+0x161/0x2d0
7/26/22 7:33 AM kernel proc_sys_write+0x13/0x20
7/26/22 7:33 AM kernel new_sync_write+0x117/0x1a0
7/26/22 7:33 AM kernel vfs_write+0x1f3/0x290
7/26/22 7:33 AM kernel ksys_write+0x67/0xe0
7/26/22 7:33 AM kernel __x64_sys_write+0x19/0x20
7/26/22 7:33 AM kernel do_syscall_64+0x5c/0xc0
7/26/22 7:33 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
7/26/22 7:33 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
7/26/22 7:33 AM kernel ? do_syscall_64+0x69/0xc0
7/26/22 7:33 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
7/26/22 7:33 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
7/26/22 7:33 AM kernel ? do_syscall_64+0x69/0xc0
7/26/22 7:33 AM kernel ? asm_exc_page_fault+0x8/0x30
7/26/22 7:33 AM kernel entry_SYSCALL_64_after_hwframe+0x44/0xae
7/26/22 7:33 AM kernel RIP: 0033:0x7f4be0057a6f
7/26/22 7:33 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
7/26/22 7:33 AM kernel RSP: 002b:00007f4b9bffe810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
7/26/22 7:33 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f4be0057a6f
7/26/22 7:33 AM kernel RDX: 0000000000000002 RSI: 00007f4be09dd5e5 RDI: 0000000000000013
7/26/22 7:33 AM kernel RBP: 00007f4be09dd5e5 R08: 0000000000000000 R09: 0000000000000001
7/26/22 7:33 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
7/26/22 7:33 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007f4b90024b50
7/26/22 7:33 AM kernel </TASK>
7/26/22 7:33 AM kernel ================================================================================

I am still getting this on 5.15.0-43-lowlatency as well. Filed bug report that turned out to be a duplicate at Bug #1982878

7/26/22 7:33 AM kernel ================================================================================
7/26/22 7:33 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-gn5Bpn/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
7/26/22 7:33 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
7/26/22 7:33 AM kernel CPU: 2 PID: 2109 Comm: daemon-init Not tainted 5.15.0-43-lowlatency #46-Ubuntu
7/26/22 7:33 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
7/26/22 7:33 AM kernel Call Trace:
7/26/22 7:33 AM kernel <TASK>
7/26/22 7:33 AM kernel show_stack+0x52/0x58
7/26/22 7:33 AM kernel dump_stack_lvl+0x4a/0x5f
7/26/22 7:33 AM kernel dump_stack+0x10/0x12
7/26/22 7:33 AM kernel ubsan_epilogue+0x9/0x45
7/26/22 7:33 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
7/26/22 7:33 AM kernel ? netdev_set_tc_queue+0x78/0x90
7/26/22 7:33 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
7/26/22 7:33 AM kernel aq_nic_stop+0x1b2/0x1c0 [atlantic]
7/26/22 7:33 AM kernel aq_ndev_set_features+0x13f/0x1a0 [atlantic]
7/26/22 7:33 AM kernel __netdev_update_features+0x184/0x810
7/26/22 7:33 AM kernel dev_disable_lro+0x34/0x150
7/26/22 7:33 AM kernel devinet_sysctl_forward+0x1f7/0x230
7/26/22 7:33 AM kernel proc_sys_call_handler+0x161/0x2d0
7/26/22 7:33 AM kernel proc_sys_write+0x13/0x20
7/26/22 7:33 AM kernel new_sync_write+0x117/0x1a0
7/26/22 7:33 AM kernel vfs_write+0x1f3/0x290
7/26/22 7:33 AM kernel ksys_write+0x67/0xe0
7/26/22 7:33 AM kernel __x64_sys_write+0x19/0x20
7/26/22 7:33 AM kernel do_syscall_64+0x5c/0xc0
7/26/22 7:33 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
7/26/22 7:33 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
7/26/22 7:33 AM kernel ? do_syscall_64+0x69/0xc0
7/26/22 7:33 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
7/26/22 7:33 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
7/26/22 7:33 AM kernel ? do_syscall_64+0x69/0xc0
7/26/22 7:33 AM kernel ? asm_exc_page_fault+0x8/0x30
7/26/22 7:33 AM kernel entry_SYSCALL_64_after_hwframe+0x44/0xae
7/26/22 7:33 AM kernel RIP: 0033:0x7f4be0057a6f
7/26/22 7:33 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
7/26/22 7:33 AM kernel RSP: 002b:00007f4b9bffe810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
7/26/22 7:33 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f4be0057a6f
7/26/22 7:33 AM kernel RDX: 0000000000000002 RSI: 00007f4be09dd5e5 RDI: 0000000000000013
7/26/22 7:33 AM kernel RBP: 00007f4be09dd5e5 R08: 0000000000000000 R09: 0000000000000001
7/26/22 7:33 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
7/26/22 7:33 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007f4b90024b50
7/26/22 7:33 AM kernel </TASK>
7/26/22 7:33 AM kernel ================================================================================

Revision history for this message

bsdz (blairuk) wrote on 2022-08-02:

#56

I have the same problem. Curiously, the patch previously submitted should fix those code lines reported in the UBSAN report

https://launchpadlibrarian.net/601133815/aq_nic.c.patch

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-08-06:

#57

Still present on 5.15.0-45-lowlatency after update to it.

8/6/22 10:11 AM kernel ================================================================================
8/6/22 10:11 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-gNNzPd/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/6/22 10:11 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
8/6/22 10:11 AM kernel CPU: 2 PID: 2097 Comm: daemon-init Not tainted 5.15.0-45-lowlatency #48-Ubuntu
8/6/22 10:11 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/6/22 10:11 AM kernel Call Trace:
8/6/22 10:11 AM kernel <TASK>
8/6/22 10:11 AM kernel show_stack+0x52/0x5c
8/6/22 10:11 AM kernel dump_stack_lvl+0x4a/0x63
8/6/22 10:11 AM kernel dump_stack+0x10/0x16
8/6/22 10:11 AM kernel ubsan_epilogue+0x9/0x49
8/6/22 10:11 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/6/22 10:11 AM kernel ? qdisc_pkt_len_init+0x128/0x180
8/6/22 10:11 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
8/6/22 10:11 AM kernel aq_nic_stop+0x1b6/0x1c0 [atlantic]
8/6/22 10:11 AM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/6/22 10:11 AM kernel __netdev_update_features+0x184/0x820
8/6/22 10:11 AM kernel dev_disable_lro+0x34/0x150
8/6/22 10:11 AM kernel devinet_sysctl_forward+0x1fb/0x230
8/6/22 10:11 AM kernel proc_sys_call_handler+0x161/0x2d0
8/6/22 10:11 AM kernel proc_sys_write+0x13/0x20
8/6/22 10:11 AM kernel new_sync_write+0x117/0x1b0
8/6/22 10:11 AM kernel ? blk_tracer_print_header+0x10/0x30
8/6/22 10:11 AM kernel vfs_write+0x1fb/0x290
8/6/22 10:11 AM kernel ksys_write+0x67/0xf0
8/6/22 10:11 AM kernel __x64_sys_write+0x19/0x20
8/6/22 10:11 AM kernel do_syscall_64+0x5c/0xc0
8/6/22 10:11 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
8/6/22 10:11 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
8/6/22 10:11 AM kernel ? do_syscall_64+0x69/0xc0
8/6/22 10:11 AM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/6/22 10:11 AM kernel RIP: 0033:0x7ff6d640da6f
8/6/22 10:11 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/6/22 10:11 AM kernel RSP: 002b:00007ff6a27fb810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/6/22 10:11 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff6d640da6f
8/6/22 10:11 AM kernel RDX: 0000000000000002 RSI: 00007ff6d6d965e5 RDI: 0000000000000013
8/6/22 10:11 AM kernel RBP: 00007ff6d6d965e5 R08: 0000000000000000 R09: 0000000000000001
8/6/22 10:11 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/6/22 10:11 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007ff684024b10
8/6/22 10:11 AM kernel </TASK>

Still present on 5.15.0-45-lowlatency after update to it.

8/6/22 10:11 AM	kernel	================================================================================
8/6/22 10:11 AM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-gNNzPd/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/6/22 10:11 AM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
8/6/22 10:11 AM	kernel	CPU: 2 PID: 2097 Comm: daemon-init Not tainted 5.15.0-45-lowlatency #48-Ubuntu
8/6/22 10:11 AM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/6/22 10:11 AM	kernel	Call Trace:
8/6/22 10:11 AM	kernel	 <TASK>
8/6/22 10:11 AM	kernel	 show_stack+0x52/0x5c
8/6/22 10:11 AM	kernel	 dump_stack_lvl+0x4a/0x63
8/6/22 10:11 AM	kernel	 dump_stack+0x10/0x16
8/6/22 10:11 AM	kernel	 ubsan_epilogue+0x9/0x49
8/6/22 10:11 AM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/6/22 10:11 AM	kernel	 ? qdisc_pkt_len_init+0x128/0x180
8/6/22 10:11 AM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
8/6/22 10:11 AM	kernel	 aq_nic_stop+0x1b6/0x1c0 [atlantic]
8/6/22 10:11 AM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/6/22 10:11 AM	kernel	 __netdev_update_features+0x184/0x820
8/6/22 10:11 AM	kernel	 dev_disable_lro+0x34/0x150
8/6/22 10:11 AM	kernel	 devinet_sysctl_forward+0x1fb/0x230
8/6/22 10:11 AM	kernel	 proc_sys_call_handler+0x161/0x2d0
8/6/22 10:11 AM	kernel	 proc_sys_write+0x13/0x20
8/6/22 10:11 AM	kernel	 new_sync_write+0x117/0x1b0
8/6/22 10:11 AM	kernel	 ? blk_tracer_print_header+0x10/0x30
8/6/22 10:11 AM	kernel	 vfs_write+0x1fb/0x290
8/6/22 10:11 AM	kernel	 ksys_write+0x67/0xf0
8/6/22 10:11 AM	kernel	 __x64_sys_write+0x19/0x20
8/6/22 10:11 AM	kernel	 do_syscall_64+0x5c/0xc0
8/6/22 10:11 AM	kernel	 ? exit_to_user_mode_prepare+0x37/0xb0
8/6/22 10:11 AM	kernel	 ? syscall_exit_to_user_mode+0x27/0x50
8/6/22 10:11 AM	kernel	 ? do_syscall_64+0x69/0xc0
8/6/22 10:11 AM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/6/22 10:11 AM	kernel	RIP: 0033:0x7ff6d640da6f
8/6/22 10:11 AM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/6/22 10:11 AM	kernel	RSP: 002b:00007ff6a27fb810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/6/22 10:11 AM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff6d640da6f
8/6/22 10:11 AM	kernel	RDX: 0000000000000002 RSI: 00007ff6d6d965e5 RDI: 0000000000000013
8/6/22 10:11 AM	kernel	RBP: 00007ff6d6d965e5 R08: 0000000000000000 R09: 0000000000000001
8/6/22 10:11 AM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/6/22 10:11 AM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007ff684024b10
8/6/22 10:11 AM	kernel	 </TASK>

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-08-10:

#58

Still present in 5.15.0-46.49-lowlatency

8/10/22 7:56 AM kernel ================================================================================
8/10/22 7:56 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-Q9YOeF/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/10/22 7:56 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
8/10/22 7:56 AM kernel CPU: 12 PID: 2172 Comm: daemon-init Not tainted 5.15.0-46-lowlatency #49-Ubuntu
8/10/22 7:56 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/10/22 7:56 AM kernel Call Trace:
8/10/22 7:56 AM kernel <TASK>
8/10/22 7:56 AM kernel show_stack+0x52/0x5c
8/10/22 7:56 AM kernel dump_stack_lvl+0x4a/0x63
8/10/22 7:56 AM kernel dump_stack+0x10/0x16
8/10/22 7:56 AM kernel ubsan_epilogue+0x9/0x49
8/10/22 7:56 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/10/22 7:56 AM kernel ? qdisc_pkt_len_init+0x108/0x180
8/10/22 7:56 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
8/10/22 7:56 AM kernel aq_nic_stop+0x1b6/0x1c0 [atlantic]
8/10/22 7:56 AM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/10/22 7:56 AM kernel __netdev_update_features+0x184/0x820
8/10/22 7:56 AM kernel dev_disable_lro+0x34/0x150
8/10/22 7:56 AM kernel devinet_sysctl_forward+0x1fb/0x230
8/10/22 7:56 AM kernel proc_sys_call_handler+0x161/0x2d0
8/10/22 7:56 AM kernel proc_sys_write+0x13/0x20
8/10/22 7:56 AM kernel new_sync_write+0x117/0x1b0
8/10/22 7:56 AM kernel ? intel_pmu_cpu_starting+0x280/0x3c0
8/10/22 7:56 AM kernel vfs_write+0x1fb/0x290
8/10/22 7:56 AM kernel ksys_write+0x67/0xf0
8/10/22 7:56 AM kernel __x64_sys_write+0x19/0x20
8/10/22 7:56 AM kernel do_syscall_64+0x5c/0xc0
8/10/22 7:56 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
8/10/22 7:56 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
8/10/22 7:56 AM kernel ? do_syscall_64+0x69/0xc0
8/10/22 7:56 AM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/10/22 7:56 AM kernel RIP: 0033:0x7f0adb562a6f
8/10/22 7:56 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/10/22 7:56 AM kernel RSP: 002b:00007f0a9b7fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/10/22 7:56 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f0adb562a6f
8/10/22 7:56 AM kernel RDX: 0000000000000002 RSI: 00007f0adbeeb5e5 RDI: 0000000000000013
8/10/22 7:56 AM kernel RBP: 00007f0adbeeb5e5 R08: 0000000000000000 R09: 0000000000000001
8/10/22 7:56 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/10/22 7:56 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007f0a90024b10
8/10/22 7:56 AM kernel </TASK>
8/10/22 7:56 AM kernel ================================================================================

Still present in 5.15.0-46.49-lowlatency

8/10/22 7:56 AM	kernel	================================================================================
8/10/22 7:56 AM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-Q9YOeF/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/10/22 7:56 AM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
8/10/22 7:56 AM	kernel	CPU: 12 PID: 2172 Comm: daemon-init Not tainted 5.15.0-46-lowlatency #49-Ubuntu
8/10/22 7:56 AM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/10/22 7:56 AM	kernel	Call Trace:
8/10/22 7:56 AM	kernel	 <TASK>
8/10/22 7:56 AM	kernel	 show_stack+0x52/0x5c
8/10/22 7:56 AM	kernel	 dump_stack_lvl+0x4a/0x63
8/10/22 7:56 AM	kernel	 dump_stack+0x10/0x16
8/10/22 7:56 AM	kernel	 ubsan_epilogue+0x9/0x49
8/10/22 7:56 AM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/10/22 7:56 AM	kernel	 ? qdisc_pkt_len_init+0x108/0x180
8/10/22 7:56 AM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
8/10/22 7:56 AM	kernel	 aq_nic_stop+0x1b6/0x1c0 [atlantic]
8/10/22 7:56 AM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/10/22 7:56 AM	kernel	 __netdev_update_features+0x184/0x820
8/10/22 7:56 AM	kernel	 dev_disable_lro+0x34/0x150
8/10/22 7:56 AM	kernel	 devinet_sysctl_forward+0x1fb/0x230
8/10/22 7:56 AM	kernel	 proc_sys_call_handler+0x161/0x2d0
8/10/22 7:56 AM	kernel	 proc_sys_write+0x13/0x20
8/10/22 7:56 AM	kernel	 new_sync_write+0x117/0x1b0
8/10/22 7:56 AM	kernel	 ? intel_pmu_cpu_starting+0x280/0x3c0
8/10/22 7:56 AM	kernel	 vfs_write+0x1fb/0x290
8/10/22 7:56 AM	kernel	 ksys_write+0x67/0xf0
8/10/22 7:56 AM	kernel	 __x64_sys_write+0x19/0x20
8/10/22 7:56 AM	kernel	 do_syscall_64+0x5c/0xc0
8/10/22 7:56 AM	kernel	 ? exit_to_user_mode_prepare+0x37/0xb0
8/10/22 7:56 AM	kernel	 ? syscall_exit_to_user_mode+0x27/0x50
8/10/22 7:56 AM	kernel	 ? do_syscall_64+0x69/0xc0
8/10/22 7:56 AM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/10/22 7:56 AM	kernel	RIP: 0033:0x7f0adb562a6f
8/10/22 7:56 AM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/10/22 7:56 AM	kernel	RSP: 002b:00007f0a9b7fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/10/22 7:56 AM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f0adb562a6f
8/10/22 7:56 AM	kernel	RDX: 0000000000000002 RSI: 00007f0adbeeb5e5 RDI: 0000000000000013
8/10/22 7:56 AM	kernel	RBP: 00007f0adbeeb5e5 R08: 0000000000000000 R09: 0000000000000001
8/10/22 7:56 AM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/10/22 7:56 AM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007f0a90024b10
8/10/22 7:56 AM	kernel	 </TASK>
8/10/22 7:56 AM	kernel	================================================================================

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-08-20:

#59

Still present in 5.15.0-47.53-lowlatency

8/20/22 7:42 AM kernel ================================================================================
8/20/22 7:42 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-uED6sK/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/20/22 7:42 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
8/20/22 7:42 AM kernel CPU: 12 PID: 2174 Comm: daemon-init Not tainted 5.15.0-47-lowlatency #53-Ubuntu
8/20/22 7:42 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/20/22 7:42 AM kernel Call Trace:
8/20/22 7:42 AM kernel <TASK>
8/20/22 7:42 AM kernel show_stack+0x52/0x5c
8/20/22 7:42 AM kernel dump_stack_lvl+0x4a/0x63
8/20/22 7:42 AM kernel dump_stack+0x10/0x16
8/20/22 7:42 AM kernel ubsan_epilogue+0x9/0x49
8/20/22 7:42 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/20/22 7:42 AM kernel ? is_skb_forwardable+0x48/0x50
8/20/22 7:42 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
8/20/22 7:42 AM kernel aq_nic_stop+0x1b6/0x1c0 [atlantic]
8/20/22 7:42 AM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/20/22 7:42 AM kernel __netdev_update_features+0x184/0x820
8/20/22 7:42 AM kernel dev_disable_lro+0x34/0x150
8/20/22 7:42 AM kernel devinet_sysctl_forward+0x1fb/0x230
8/20/22 7:42 AM kernel proc_sys_call_handler+0x161/0x2d0
8/20/22 7:42 AM kernel proc_sys_write+0x13/0x20
8/20/22 7:42 AM kernel new_sync_write+0x117/0x1b0
8/20/22 7:42 AM kernel ? intel_pmu_cpu_starting+0x240/0x3c0
8/20/22 7:42 AM kernel vfs_write+0x1fb/0x290
8/20/22 7:42 AM kernel ksys_write+0x67/0xf0
8/20/22 7:42 AM kernel __x64_sys_write+0x19/0x20
8/20/22 7:42 AM kernel do_syscall_64+0x5c/0xc0
8/20/22 7:42 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
8/20/22 7:42 AM kernel ? do_syscall_64+0x69/0xc0
8/20/22 7:42 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
8/20/22 7:42 AM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/20/22 7:42 AM kernel RIP: 0033:0x7f8073495a6f
8/20/22 7:42 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/20/22 7:42 AM kernel RSP: 002b:00007f803b7fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/20/22 7:42 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f8073495a6f
8/20/22 7:42 AM kernel RDX: 0000000000000002 RSI: 00007f8073e1e5e5 RDI: 0000000000000013
8/20/22 7:42 AM kernel RBP: 00007f8073e1e5e5 R08: 0000000000000000 R09: 0000000000000001
8/20/22 7:42 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/20/22 7:42 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007f8028024ab0
8/20/22 7:42 AM kernel </TASK>
8/20/22 7:42 AM kernel ================================================================================

Still present in 5.15.0-47.53-lowlatency

8/20/22 7:42 AM	kernel	================================================================================
8/20/22 7:42 AM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-uED6sK/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/20/22 7:42 AM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
8/20/22 7:42 AM	kernel	CPU: 12 PID: 2174 Comm: daemon-init Not tainted 5.15.0-47-lowlatency #53-Ubuntu
8/20/22 7:42 AM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/20/22 7:42 AM	kernel	Call Trace:
8/20/22 7:42 AM	kernel	 <TASK>
8/20/22 7:42 AM	kernel	 show_stack+0x52/0x5c
8/20/22 7:42 AM	kernel	 dump_stack_lvl+0x4a/0x63
8/20/22 7:42 AM	kernel	 dump_stack+0x10/0x16
8/20/22 7:42 AM	kernel	 ubsan_epilogue+0x9/0x49
8/20/22 7:42 AM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/20/22 7:42 AM	kernel	 ? is_skb_forwardable+0x48/0x50
8/20/22 7:42 AM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
8/20/22 7:42 AM	kernel	 aq_nic_stop+0x1b6/0x1c0 [atlantic]
8/20/22 7:42 AM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/20/22 7:42 AM	kernel	 __netdev_update_features+0x184/0x820
8/20/22 7:42 AM	kernel	 dev_disable_lro+0x34/0x150
8/20/22 7:42 AM	kernel	 devinet_sysctl_forward+0x1fb/0x230
8/20/22 7:42 AM	kernel	 proc_sys_call_handler+0x161/0x2d0
8/20/22 7:42 AM	kernel	 proc_sys_write+0x13/0x20
8/20/22 7:42 AM	kernel	 new_sync_write+0x117/0x1b0
8/20/22 7:42 AM	kernel	 ? intel_pmu_cpu_starting+0x240/0x3c0
8/20/22 7:42 AM	kernel	 vfs_write+0x1fb/0x290
8/20/22 7:42 AM	kernel	 ksys_write+0x67/0xf0
8/20/22 7:42 AM	kernel	 __x64_sys_write+0x19/0x20
8/20/22 7:42 AM	kernel	 do_syscall_64+0x5c/0xc0
8/20/22 7:42 AM	kernel	 ? syscall_exit_to_user_mode+0x27/0x50
8/20/22 7:42 AM	kernel	 ? do_syscall_64+0x69/0xc0
8/20/22 7:42 AM	kernel	 ? exit_to_user_mode_prepare+0x37/0xb0
8/20/22 7:42 AM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/20/22 7:42 AM	kernel	RIP: 0033:0x7f8073495a6f
8/20/22 7:42 AM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/20/22 7:42 AM	kernel	RSP: 002b:00007f803b7fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/20/22 7:42 AM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f8073495a6f
8/20/22 7:42 AM	kernel	RDX: 0000000000000002 RSI: 00007f8073e1e5e5 RDI: 0000000000000013
8/20/22 7:42 AM	kernel	RBP: 00007f8073e1e5e5 R08: 0000000000000000 R09: 0000000000000001
8/20/22 7:42 AM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/20/22 7:42 AM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007f8028024ab0
8/20/22 7:42 AM	kernel	 </TASK>
8/20/22 7:42 AM	kernel	================================================================================

Revision history for this message

Henrique Bucher (vitorian) wrote on 2022-08-24:

#60

Still present on 5.15.0-46-generic (Ubuntu 20.04.3)

[ 30.346347] UBSAN: array-index-out-of-bounds in /build/linux-hwe-5.15-69LdM0/linux-hwe-5.15-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
[ 30.346349] index 8 is out of range for type 'aq_vec_s *[8]'

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-08-31:

#61

Still present in 5.15.0-48-generic

8/31/22 8:01 AM kernel ================================================================================
8/31/22 8:01 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-kQ6jNR/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/31/22 8:01 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
8/31/22 8:01 AM kernel CPU: 22 PID: 1987 Comm: daemon-init Tainted: G O 5.15.0-48-generic #54-Ubuntu
8/31/22 8:01 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/31/22 8:01 AM kernel Call Trace:
8/31/22 8:01 AM kernel <TASK>
8/31/22 8:01 AM kernel show_stack+0x52/0x5c
8/31/22 8:01 AM kernel dump_stack_lvl+0x4a/0x63
8/31/22 8:01 AM kernel dump_stack+0x10/0x16
8/31/22 8:01 AM kernel ubsan_epilogue+0x9/0x49
8/31/22 8:01 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/31/22 8:01 AM kernel ? netdev_has_any_upper_dev+0x48/0x70
8/31/22 8:01 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
8/31/22 8:01 AM kernel aq_nic_stop+0x10a/0x110 [atlantic]
8/31/22 8:01 AM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/31/22 8:01 AM kernel __netdev_update_features+0x184/0x820
8/31/22 8:01 AM kernel dev_disable_lro+0x34/0x150
8/31/22 8:01 AM kernel devinet_sysctl_forward+0x1fb/0x230
8/31/22 8:01 AM kernel proc_sys_call_handler+0x16a/0x2f0
8/31/22 8:01 AM kernel proc_sys_write+0x13/0x20
8/31/22 8:01 AM kernel new_sync_write+0x117/0x1b0
8/31/22 8:01 AM kernel vfs_write+0x1d5/0x270
8/31/22 8:01 AM kernel ksys_write+0x67/0xf0
8/31/22 8:01 AM kernel __x64_sys_write+0x19/0x20
8/31/22 8:01 AM kernel do_syscall_64+0x5c/0xc0
8/31/22 8:01 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
8/31/22 8:01 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
8/31/22 8:01 AM kernel ? do_syscall_64+0x69/0xc0
8/31/22 8:01 AM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/31/22 8:01 AM kernel RIP: 0033:0x7fdfff746a6f
8/31/22 8:01 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/31/22 8:01 AM kernel RSP: 002b:00007fdfc37fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/31/22 8:01 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fdfff746a6f
8/31/22 8:01 AM kernel RDX: 0000000000000002 RSI: 00007fe0000cf5e5 RDI: 0000000000000013
8/31/22 8:01 AM kernel RBP: 00007fe0000cf5e5 R08: 0000000000000000 R09: 0000000000000001
8/31/22 8:01 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/31/22 8:01 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007fdfb4024b50
8/31/22 8:01 AM kernel </TASK>

Still present in 5.15.0-48-generic

8/31/22 8:01 AM	kernel	================================================================================
8/31/22 8:01 AM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-kQ6jNR/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
8/31/22 8:01 AM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
8/31/22 8:01 AM	kernel	CPU: 22 PID: 1987 Comm: daemon-init Tainted: G           O      5.15.0-48-generic #54-Ubuntu
8/31/22 8:01 AM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
8/31/22 8:01 AM	kernel	Call Trace:
8/31/22 8:01 AM	kernel	 <TASK>
8/31/22 8:01 AM	kernel	 show_stack+0x52/0x5c
8/31/22 8:01 AM	kernel	 dump_stack_lvl+0x4a/0x63
8/31/22 8:01 AM	kernel	 dump_stack+0x10/0x16
8/31/22 8:01 AM	kernel	 ubsan_epilogue+0x9/0x49
8/31/22 8:01 AM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
8/31/22 8:01 AM	kernel	 ? netdev_has_any_upper_dev+0x48/0x70
8/31/22 8:01 AM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
8/31/22 8:01 AM	kernel	 aq_nic_stop+0x10a/0x110 [atlantic]
8/31/22 8:01 AM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
8/31/22 8:01 AM	kernel	 __netdev_update_features+0x184/0x820
8/31/22 8:01 AM	kernel	 dev_disable_lro+0x34/0x150
8/31/22 8:01 AM	kernel	 devinet_sysctl_forward+0x1fb/0x230
8/31/22 8:01 AM	kernel	 proc_sys_call_handler+0x16a/0x2f0
8/31/22 8:01 AM	kernel	 proc_sys_write+0x13/0x20
8/31/22 8:01 AM	kernel	 new_sync_write+0x117/0x1b0
8/31/22 8:01 AM	kernel	 vfs_write+0x1d5/0x270
8/31/22 8:01 AM	kernel	 ksys_write+0x67/0xf0
8/31/22 8:01 AM	kernel	 __x64_sys_write+0x19/0x20
8/31/22 8:01 AM	kernel	 do_syscall_64+0x5c/0xc0
8/31/22 8:01 AM	kernel	 ? exit_to_user_mode_prepare+0x37/0xb0
8/31/22 8:01 AM	kernel	 ? syscall_exit_to_user_mode+0x27/0x50
8/31/22 8:01 AM	kernel	 ? do_syscall_64+0x69/0xc0
8/31/22 8:01 AM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
8/31/22 8:01 AM	kernel	RIP: 0033:0x7fdfff746a6f
8/31/22 8:01 AM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
8/31/22 8:01 AM	kernel	RSP: 002b:00007fdfc37fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
8/31/22 8:01 AM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fdfff746a6f
8/31/22 8:01 AM	kernel	RDX: 0000000000000002 RSI: 00007fe0000cf5e5 RDI: 0000000000000013
8/31/22 8:01 AM	kernel	RBP: 00007fe0000cf5e5 R08: 0000000000000000 R09: 0000000000000001
8/31/22 8:01 AM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
8/31/22 8:01 AM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007fdfb4024b50
8/31/22 8:01 AM	kernel	 </TASK>

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-09-01:

#62

Still present in 5.15.0-48-lowlatency as well. Interestingly, the logs say the kernel is tainted in generic, but not in lowlatency, despite no other configuration changes when this is handled.

9/1/22 8:01 AM kernel ================================================================================
9/1/22 8:01 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-FlX6Pk/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
9/1/22 8:01 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
9/1/22 8:01 AM kernel CPU: 0 PID: 2103 Comm: daemon-init Not tainted 5.15.0-48-lowlatency #54-Ubuntu
9/1/22 8:01 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
9/1/22 8:01 AM kernel Call Trace:
9/1/22 8:01 AM kernel <TASK>
9/1/22 8:01 AM kernel show_stack+0x52/0x5c
9/1/22 8:01 AM kernel dump_stack_lvl+0x4a/0x63
9/1/22 8:01 AM kernel dump_stack+0x10/0x16
9/1/22 8:01 AM kernel ubsan_epilogue+0x9/0x49
9/1/22 8:01 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
9/1/22 8:01 AM kernel ? call_netdevice_notifiers+0x38/0x50
9/1/22 8:01 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
9/1/22 8:01 AM kernel aq_nic_stop+0x1b6/0x1c0 [atlantic]
9/1/22 8:01 AM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
9/1/22 8:01 AM kernel __netdev_update_features+0x184/0x820
9/1/22 8:01 AM kernel dev_disable_lro+0x34/0x150
9/1/22 8:01 AM kernel devinet_sysctl_forward+0x1fb/0x230
9/1/22 8:01 AM kernel proc_sys_call_handler+0x161/0x2d0
9/1/22 8:01 AM kernel proc_sys_write+0x13/0x20
9/1/22 8:01 AM kernel new_sync_write+0x117/0x1b0
9/1/22 8:01 AM kernel ? io_req_prep_async+0x2a0/0x2a0
9/1/22 8:01 AM kernel vfs_write+0x1fb/0x290
9/1/22 8:01 AM kernel ksys_write+0x67/0xf0
9/1/22 8:01 AM kernel __x64_sys_write+0x19/0x20
9/1/22 8:01 AM kernel do_syscall_64+0x5c/0xc0
9/1/22 8:01 AM kernel ? do_syscall_64+0x69/0xc0
9/1/22 8:01 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
9/1/22 8:01 AM kernel ? irqentry_exit+0x3b/0x50
9/1/22 8:01 AM kernel ? exc_page_fault+0x89/0x190
9/1/22 8:01 AM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
9/1/22 8:01 AM kernel RIP: 0033:0x7f79df4f1a6f
9/1/22 8:01 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
9/1/22 8:01 AM kernel RSP: 002b:00007f799f7fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
9/1/22 8:01 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f79df4f1a6f
9/1/22 8:01 AM kernel RDX: 0000000000000002 RSI: 00007f79dfe7a5e5 RDI: 0000000000000013
9/1/22 8:01 AM kernel RBP: 00007f79dfe7a5e5 R08: 0000000000000000 R09: 0000000000000001
9/1/22 8:01 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
9/1/22 8:01 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007f7994024a70
9/1/22 8:01 AM kernel </TASK>
9/1/22 8:01 AM kernel ================================================================================

Still present in 5.15.0-48-lowlatency as well. Interestingly, the logs say the kernel is tainted in generic, but not in lowlatency, despite no other configuration changes when this is handled.

9/1/22 8:01 AM	kernel	================================================================================
9/1/22 8:01 AM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-FlX6Pk/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
9/1/22 8:01 AM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
9/1/22 8:01 AM	kernel	CPU: 0 PID: 2103 Comm: daemon-init Not tainted 5.15.0-48-lowlatency #54-Ubuntu
9/1/22 8:01 AM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
9/1/22 8:01 AM	kernel	Call Trace:
9/1/22 8:01 AM	kernel	 <TASK>
9/1/22 8:01 AM	kernel	 show_stack+0x52/0x5c
9/1/22 8:01 AM	kernel	 dump_stack_lvl+0x4a/0x63
9/1/22 8:01 AM	kernel	 dump_stack+0x10/0x16
9/1/22 8:01 AM	kernel	 ubsan_epilogue+0x9/0x49
9/1/22 8:01 AM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
9/1/22 8:01 AM	kernel	 ? call_netdevice_notifiers+0x38/0x50
9/1/22 8:01 AM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
9/1/22 8:01 AM	kernel	 aq_nic_stop+0x1b6/0x1c0 [atlantic]
9/1/22 8:01 AM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
9/1/22 8:01 AM	kernel	 __netdev_update_features+0x184/0x820
9/1/22 8:01 AM	kernel	 dev_disable_lro+0x34/0x150
9/1/22 8:01 AM	kernel	 devinet_sysctl_forward+0x1fb/0x230
9/1/22 8:01 AM	kernel	 proc_sys_call_handler+0x161/0x2d0
9/1/22 8:01 AM	kernel	 proc_sys_write+0x13/0x20
9/1/22 8:01 AM	kernel	 new_sync_write+0x117/0x1b0
9/1/22 8:01 AM	kernel	 ? io_req_prep_async+0x2a0/0x2a0
9/1/22 8:01 AM	kernel	 vfs_write+0x1fb/0x290
9/1/22 8:01 AM	kernel	 ksys_write+0x67/0xf0
9/1/22 8:01 AM	kernel	 __x64_sys_write+0x19/0x20
9/1/22 8:01 AM	kernel	 do_syscall_64+0x5c/0xc0
9/1/22 8:01 AM	kernel	 ? do_syscall_64+0x69/0xc0
9/1/22 8:01 AM	kernel	 ? syscall_exit_to_user_mode+0x27/0x50
9/1/22 8:01 AM	kernel	 ? irqentry_exit+0x3b/0x50
9/1/22 8:01 AM	kernel	 ? exc_page_fault+0x89/0x190
9/1/22 8:01 AM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
9/1/22 8:01 AM	kernel	RIP: 0033:0x7f79df4f1a6f
9/1/22 8:01 AM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
9/1/22 8:01 AM	kernel	RSP: 002b:00007f799f7fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
9/1/22 8:01 AM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f79df4f1a6f
9/1/22 8:01 AM	kernel	RDX: 0000000000000002 RSI: 00007f79dfe7a5e5 RDI: 0000000000000013
9/1/22 8:01 AM	kernel	RBP: 00007f79dfe7a5e5 R08: 0000000000000000 R09: 0000000000000001
9/1/22 8:01 AM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
9/1/22 8:01 AM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007f7994024a70
9/1/22 8:01 AM	kernel	 </TASK>
9/1/22 8:01 AM	kernel	================================================================================

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-09-22:

#63

Still present in 5.15.0-50-generic

9/21/22 7:54 AM kernel ================================================================================
9/21/22 7:54 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lU2d47/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
9/21/22 7:54 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
9/21/22 7:54 AM kernel CPU: 4 PID: 1930 Comm: daemon-init Tainted: G O 5.15.0-50-generic #56-Ubuntu
9/21/22 7:54 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
9/21/22 7:54 AM kernel Call Trace:
9/21/22 7:54 AM kernel <TASK>
9/21/22 7:54 AM kernel show_stack+0x52/0x5c
9/21/22 7:54 AM kernel dump_stack_lvl+0x4a/0x63
9/21/22 7:54 AM kernel dump_stack+0x10/0x16
9/21/22 7:54 AM kernel ubsan_epilogue+0x9/0x49
9/21/22 7:54 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
9/21/22 7:54 AM kernel ? dev_get_port_parent_id+0x18/0x160
9/21/22 7:54 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
9/21/22 7:54 AM kernel aq_nic_stop+0x10a/0x110 [atlantic]
9/21/22 7:54 AM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
9/21/22 7:54 AM kernel __netdev_update_features+0x184/0x820
9/21/22 7:54 AM kernel dev_disable_lro+0x34/0x150
9/21/22 7:54 AM kernel devinet_sysctl_forward+0x1fb/0x230
9/21/22 7:54 AM kernel proc_sys_call_handler+0x16a/0x2f0
9/21/22 7:54 AM kernel proc_sys_write+0x13/0x20
9/21/22 7:54 AM kernel new_sync_write+0x114/0x1a0
9/21/22 7:54 AM kernel vfs_write+0x1d5/0x270
9/21/22 7:54 AM kernel ksys_write+0x67/0xf0
9/21/22 7:54 AM kernel __x64_sys_write+0x19/0x20
9/21/22 7:54 AM kernel do_syscall_64+0x5c/0xc0
9/21/22 7:54 AM kernel ? exit_to_user_mode_prepare+0x37/0xb0
9/21/22 7:54 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
9/21/22 7:54 AM kernel ? do_syscall_64+0x69/0xc0
9/21/22 7:54 AM kernel ? exit_to_user_mode_loop+0x10d/0x160
9/21/22 7:54 AM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
9/21/22 7:54 AM kernel RIP: 0033:0x7fed8a694a6f
9/21/22 7:54 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
9/21/22 7:54 AM kernel RSP: 002b:00007fed4e7fb810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
9/21/22 7:54 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fed8a694a6f
9/21/22 7:54 AM kernel RDX: 0000000000000002 RSI: 00007fed8b01c5e5 RDI: 0000000000000013
9/21/22 7:54 AM kernel RBP: 00007fed8b01c5e5 R08: 0000000000000000 R09: 0000000000000001
9/21/22 7:54 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
9/21/22 7:54 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007fed38024ab0
9/21/22 7:54 AM kernel </TASK>
9/21/22 7:54 AM kernel ================================================================================

Still present in 5.15.0-50-generic

9/21/22 7:54 AM	kernel	================================================================================
9/21/22 7:54 AM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-lU2d47/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
9/21/22 7:54 AM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
9/21/22 7:54 AM	kernel	CPU: 4 PID: 1930 Comm: daemon-init Tainted: G           O      5.15.0-50-generic #56-Ubuntu
9/21/22 7:54 AM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
9/21/22 7:54 AM	kernel	Call Trace:
9/21/22 7:54 AM	kernel	 <TASK>
9/21/22 7:54 AM	kernel	 show_stack+0x52/0x5c
9/21/22 7:54 AM	kernel	 dump_stack_lvl+0x4a/0x63
9/21/22 7:54 AM	kernel	 dump_stack+0x10/0x16
9/21/22 7:54 AM	kernel	 ubsan_epilogue+0x9/0x49
9/21/22 7:54 AM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
9/21/22 7:54 AM	kernel	 ? dev_get_port_parent_id+0x18/0x160
9/21/22 7:54 AM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
9/21/22 7:54 AM	kernel	 aq_nic_stop+0x10a/0x110 [atlantic]
9/21/22 7:54 AM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
9/21/22 7:54 AM	kernel	 __netdev_update_features+0x184/0x820
9/21/22 7:54 AM	kernel	 dev_disable_lro+0x34/0x150
9/21/22 7:54 AM	kernel	 devinet_sysctl_forward+0x1fb/0x230
9/21/22 7:54 AM	kernel	 proc_sys_call_handler+0x16a/0x2f0
9/21/22 7:54 AM	kernel	 proc_sys_write+0x13/0x20
9/21/22 7:54 AM	kernel	 new_sync_write+0x114/0x1a0
9/21/22 7:54 AM	kernel	 vfs_write+0x1d5/0x270
9/21/22 7:54 AM	kernel	 ksys_write+0x67/0xf0
9/21/22 7:54 AM	kernel	 __x64_sys_write+0x19/0x20
9/21/22 7:54 AM	kernel	 do_syscall_64+0x5c/0xc0
9/21/22 7:54 AM	kernel	 ? exit_to_user_mode_prepare+0x37/0xb0
9/21/22 7:54 AM	kernel	 ? syscall_exit_to_user_mode+0x27/0x50
9/21/22 7:54 AM	kernel	 ? do_syscall_64+0x69/0xc0
9/21/22 7:54 AM	kernel	 ? exit_to_user_mode_loop+0x10d/0x160
9/21/22 7:54 AM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
9/21/22 7:54 AM	kernel	RIP: 0033:0x7fed8a694a6f
9/21/22 7:54 AM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
9/21/22 7:54 AM	kernel	RSP: 002b:00007fed4e7fb810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
9/21/22 7:54 AM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fed8a694a6f
9/21/22 7:54 AM	kernel	RDX: 0000000000000002 RSI: 00007fed8b01c5e5 RDI: 0000000000000013
9/21/22 7:54 AM	kernel	RBP: 00007fed8b01c5e5 R08: 0000000000000000 R09: 0000000000000001
9/21/22 7:54 AM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
9/21/22 7:54 AM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007fed38024ab0
9/21/22 7:54 AM	kernel	 </TASK>
9/21/22 7:54 AM	kernel	================================================================================

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-09-23:

#64

Present in 5.15.0-50-lowlatency . Continues the trend where tainted in the Generic version of the kernel, but not the lowlatency version.

9/22/22 1:41 PM kernel ================================================================================
9/22/22 1:41 PM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-jwscnu/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
9/22/22 1:41 PM kernel index 8 is out of range for type 'aq_vec_s *[8]'
9/22/22 1:41 PM kernel CPU: 22 PID: 2103 Comm: daemon-init Not tainted 5.15.0-50-lowlatency #56-Ubuntu
9/22/22 1:41 PM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
9/22/22 1:41 PM kernel Call Trace:
9/22/22 1:41 PM kernel <TASK>
9/22/22 1:41 PM kernel show_stack+0x52/0x5c
9/22/22 1:41 PM kernel dump_stack_lvl+0x4a/0x63
9/22/22 1:41 PM kernel dump_stack+0x10/0x16
9/22/22 1:41 PM kernel ubsan_epilogue+0x9/0x49
9/22/22 1:41 PM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
9/22/22 1:41 PM kernel ? dev_fetch_sw_netstats+0x48/0x90
9/22/22 1:41 PM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
9/22/22 1:41 PM kernel aq_nic_stop+0x1b6/0x1c0 [atlantic]
9/22/22 1:41 PM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
9/22/22 1:41 PM kernel __netdev_update_features+0x184/0x820
9/22/22 1:41 PM kernel dev_disable_lro+0x34/0x150
9/22/22 1:41 PM kernel devinet_sysctl_forward+0x1fb/0x230
9/22/22 1:41 PM kernel proc_sys_call_handler+0x161/0x2d0
9/22/22 1:41 PM kernel proc_sys_write+0x13/0x20
9/22/22 1:41 PM kernel new_sync_write+0x114/0x1a0
9/22/22 1:41 PM kernel vfs_write+0x1fb/0x290
9/22/22 1:41 PM kernel ksys_write+0x67/0xf0
9/22/22 1:41 PM kernel __x64_sys_write+0x19/0x20
9/22/22 1:41 PM kernel do_syscall_64+0x5c/0xc0
9/22/22 1:41 PM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
9/22/22 1:41 PM kernel RIP: 0033:0x7f492a2f6a6f
9/22/22 1:41 PM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
9/22/22 1:41 PM kernel RSP: 002b:00007f48fe7fb810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
9/22/22 1:41 PM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f492a2f6a6f
9/22/22 1:41 PM kernel RDX: 0000000000000002 RSI: 00007f492ac7e5e5 RDI: 0000000000000013
9/22/22 1:41 PM kernel RBP: 00007f492ac7e5e5 R08: 0000000000000000 R09: 0000000000000001
9/22/22 1:41 PM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
9/22/22 1:41 PM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007f48dc030970
9/22/22 1:41 PM kernel </TASK>
9/22/22 1:41 PM kernel ================================================================================

Present in 5.15.0-50-lowlatency . Continues the trend where tainted in the Generic version of the kernel, but not the lowlatency version.

9/22/22 1:41 PM	kernel	================================================================================
9/22/22 1:41 PM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-jwscnu/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
9/22/22 1:41 PM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
9/22/22 1:41 PM	kernel	CPU: 22 PID: 2103 Comm: daemon-init Not tainted 5.15.0-50-lowlatency #56-Ubuntu
9/22/22 1:41 PM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
9/22/22 1:41 PM	kernel	Call Trace:
9/22/22 1:41 PM	kernel	 <TASK>
9/22/22 1:41 PM	kernel	 show_stack+0x52/0x5c
9/22/22 1:41 PM	kernel	 dump_stack_lvl+0x4a/0x63
9/22/22 1:41 PM	kernel	 dump_stack+0x10/0x16
9/22/22 1:41 PM	kernel	 ubsan_epilogue+0x9/0x49
9/22/22 1:41 PM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
9/22/22 1:41 PM	kernel	 ? dev_fetch_sw_netstats+0x48/0x90
9/22/22 1:41 PM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
9/22/22 1:41 PM	kernel	 aq_nic_stop+0x1b6/0x1c0 [atlantic]
9/22/22 1:41 PM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
9/22/22 1:41 PM	kernel	 __netdev_update_features+0x184/0x820
9/22/22 1:41 PM	kernel	 dev_disable_lro+0x34/0x150
9/22/22 1:41 PM	kernel	 devinet_sysctl_forward+0x1fb/0x230
9/22/22 1:41 PM	kernel	 proc_sys_call_handler+0x161/0x2d0
9/22/22 1:41 PM	kernel	 proc_sys_write+0x13/0x20
9/22/22 1:41 PM	kernel	 new_sync_write+0x114/0x1a0
9/22/22 1:41 PM	kernel	 vfs_write+0x1fb/0x290
9/22/22 1:41 PM	kernel	 ksys_write+0x67/0xf0
9/22/22 1:41 PM	kernel	 __x64_sys_write+0x19/0x20
9/22/22 1:41 PM	kernel	 do_syscall_64+0x5c/0xc0
9/22/22 1:41 PM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
9/22/22 1:41 PM	kernel	RIP: 0033:0x7f492a2f6a6f
9/22/22 1:41 PM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
9/22/22 1:41 PM	kernel	RSP: 002b:00007f48fe7fb810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
9/22/22 1:41 PM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f492a2f6a6f
9/22/22 1:41 PM	kernel	RDX: 0000000000000002 RSI: 00007f492ac7e5e5 RDI: 0000000000000013
9/22/22 1:41 PM	kernel	RBP: 00007f492ac7e5e5 R08: 0000000000000000 R09: 0000000000000001
9/22/22 1:41 PM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
9/22/22 1:41 PM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007f48dc030970
9/22/22 1:41 PM	kernel	 </TASK>
9/22/22 1:41 PM	kernel	================================================================================

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-10-19:

#65

Still present in 5.15.0-52-lowlatency

10/19/22 7:59 AM kernel ================================================================================
10/19/22 7:59 AM kernel UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-rWNFY0/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
10/19/22 7:59 AM kernel index 8 is out of range for type 'aq_vec_s *[8]'
10/19/22 7:59 AM kernel CPU: 7 PID: 2084 Comm: daemon-init Not tainted 5.15.0-52-lowlatency #58-Ubuntu
10/19/22 7:59 AM kernel Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
10/19/22 7:59 AM kernel Call Trace:
10/19/22 7:59 AM kernel <TASK>
10/19/22 7:59 AM kernel show_stack+0x52/0x5c
10/19/22 7:59 AM kernel dump_stack_lvl+0x4a/0x63
10/19/22 7:59 AM kernel dump_stack+0x10/0x16
10/19/22 7:59 AM kernel ubsan_epilogue+0x9/0x49
10/19/22 7:59 AM kernel __ubsan_handle_out_of_bounds.cold+0x44/0x49
10/19/22 7:59 AM kernel ? dev_fetch_sw_netstats+0x48/0x90
10/19/22 7:59 AM kernel ? aq_vec_stop+0x72/0x80 [atlantic]
10/19/22 7:59 AM kernel aq_nic_stop+0x1b6/0x1c0 [atlantic]
10/19/22 7:59 AM kernel aq_ndev_set_features+0x143/0x1a0 [atlantic]
10/19/22 7:59 AM kernel __netdev_update_features+0x184/0x820
10/19/22 7:59 AM kernel dev_disable_lro+0x34/0x150
10/19/22 7:59 AM kernel devinet_sysctl_forward+0x1fb/0x230
10/19/22 7:59 AM kernel proc_sys_call_handler+0x161/0x2d0
10/19/22 7:59 AM kernel proc_sys_write+0x13/0x20
10/19/22 7:59 AM kernel new_sync_write+0x114/0x1a0
10/19/22 7:59 AM kernel ? icl_set_topdown_event_period+0x70/0xe0
10/19/22 7:59 AM kernel vfs_write+0x1fb/0x290
10/19/22 7:59 AM kernel ksys_write+0x67/0xf0
10/19/22 7:59 AM kernel __x64_sys_write+0x19/0x20
10/19/22 7:59 AM kernel do_syscall_64+0x5c/0xc0
10/19/22 7:59 AM kernel ? syscall_exit_to_user_mode+0x27/0x50
10/19/22 7:59 AM kernel ? do_syscall_64+0x69/0xc0
10/19/22 7:59 AM kernel ? irqentry_exit_to_user_mode+0x9/0x20
10/19/22 7:59 AM kernel ? irqentry_exit+0x3b/0x50
10/19/22 7:59 AM kernel ? exc_page_fault+0x89/0x190
10/19/22 7:59 AM kernel entry_SYSCALL_64_after_hwframe+0x61/0xcb
10/19/22 7:59 AM kernel RIP: 0033:0x7f61c36a1a6f
10/19/22 7:59 AM kernel Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
10/19/22 7:59 AM kernel RSP: 002b:00007f61837fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
10/19/22 7:59 AM kernel RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f61c36a1a6f
10/19/22 7:59 AM kernel RDX: 0000000000000002 RSI: 00007f61c40265e5 RDI: 0000000000000013
10/19/22 7:59 AM kernel RBP: 00007f61c40265e5 R08: 0000000000000000 R09: 0000000000000001
10/19/22 7:59 AM kernel R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
10/19/22 7:59 AM kernel R13: 0000000000000013 R14: 0000000000000000 R15: 00007f6178031e10
10/19/22 7:59 AM kernel </TASK>
10/19/22 7:59 AM kernel ================================================================================

Still present in 5.15.0-52-lowlatency

10/19/22 7:59 AM	kernel	================================================================================
10/19/22 7:59 AM	kernel	UBSAN: array-index-out-of-bounds in /build/linux-lowlatency-rWNFY0/linux-lowlatency-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1262:48
10/19/22 7:59 AM	kernel	index 8 is out of range for type 'aq_vec_s *[8]'
10/19/22 7:59 AM	kernel	CPU: 7 PID: 2084 Comm: daemon-init Not tainted 5.15.0-52-lowlatency #58-Ubuntu
10/19/22 7:59 AM	kernel	Hardware name: To Be Filled By O.E.M. X570 Creator/X570 Creator, BIOS P3.72 05/17/2022
10/19/22 7:59 AM	kernel	Call Trace:
10/19/22 7:59 AM	kernel	 <TASK>
10/19/22 7:59 AM	kernel	 show_stack+0x52/0x5c
10/19/22 7:59 AM	kernel	 dump_stack_lvl+0x4a/0x63
10/19/22 7:59 AM	kernel	 dump_stack+0x10/0x16
10/19/22 7:59 AM	kernel	 ubsan_epilogue+0x9/0x49
10/19/22 7:59 AM	kernel	 __ubsan_handle_out_of_bounds.cold+0x44/0x49
10/19/22 7:59 AM	kernel	 ? dev_fetch_sw_netstats+0x48/0x90
10/19/22 7:59 AM	kernel	 ? aq_vec_stop+0x72/0x80 [atlantic]
10/19/22 7:59 AM	kernel	 aq_nic_stop+0x1b6/0x1c0 [atlantic]
10/19/22 7:59 AM	kernel	 aq_ndev_set_features+0x143/0x1a0 [atlantic]
10/19/22 7:59 AM	kernel	 __netdev_update_features+0x184/0x820
10/19/22 7:59 AM	kernel	 dev_disable_lro+0x34/0x150
10/19/22 7:59 AM	kernel	 devinet_sysctl_forward+0x1fb/0x230
10/19/22 7:59 AM	kernel	 proc_sys_call_handler+0x161/0x2d0
10/19/22 7:59 AM	kernel	 proc_sys_write+0x13/0x20
10/19/22 7:59 AM	kernel	 new_sync_write+0x114/0x1a0
10/19/22 7:59 AM	kernel	 ? icl_set_topdown_event_period+0x70/0xe0
10/19/22 7:59 AM	kernel	 vfs_write+0x1fb/0x290
10/19/22 7:59 AM	kernel	 ksys_write+0x67/0xf0
10/19/22 7:59 AM	kernel	 __x64_sys_write+0x19/0x20
10/19/22 7:59 AM	kernel	 do_syscall_64+0x5c/0xc0
10/19/22 7:59 AM	kernel	 ? syscall_exit_to_user_mode+0x27/0x50
10/19/22 7:59 AM	kernel	 ? do_syscall_64+0x69/0xc0
10/19/22 7:59 AM	kernel	 ? irqentry_exit_to_user_mode+0x9/0x20
10/19/22 7:59 AM	kernel	 ? irqentry_exit+0x3b/0x50
10/19/22 7:59 AM	kernel	 ? exc_page_fault+0x89/0x190
10/19/22 7:59 AM	kernel	 entry_SYSCALL_64_after_hwframe+0x61/0xcb
10/19/22 7:59 AM	kernel	RIP: 0033:0x7f61c36a1a6f
10/19/22 7:59 AM	kernel	Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 19 c0 f7 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c c0 f7 ff 48
10/19/22 7:59 AM	kernel	RSP: 002b:00007f61837fd810 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
10/19/22 7:59 AM	kernel	RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f61c36a1a6f
10/19/22 7:59 AM	kernel	RDX: 0000000000000002 RSI: 00007f61c40265e5 RDI: 0000000000000013
10/19/22 7:59 AM	kernel	RBP: 00007f61c40265e5 R08: 0000000000000000 R09: 0000000000000001
10/19/22 7:59 AM	kernel	R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000013
10/19/22 7:59 AM	kernel	R13: 0000000000000013 R14: 0000000000000000 R15: 00007f6178031e10
10/19/22 7:59 AM	kernel	 </TASK>
10/19/22 7:59 AM	kernel	================================================================================

Revision history for this message

ltkarrde (ltkarrde) wrote on 2022-10-25:

#66

Appears to be fixed in 5.15.0-53-lowlatency; no longer appearing in my error logs.

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2023-01-05:

#67

included upstream in 5.18 and up

Changed in linux (Ubuntu):
status:	Confirmed → Fix Released

Revision history for this message

Vitaly Protsko (atanw) wrote on 2023-11-16:

#68

Download full text (5.0 KiB)

5.15.0-91-generic

Nov 16 21:15:29 mon-host kernel: [ 101.739280] ================================================================================
Nov 16 21:15:29 mon-host kernel: [ 101.785597] UBSAN: array-index-out-of-bounds in /build/linux-90ta4T/linux-5.15.0/drivers/edac/i5000_edac.c:956:20
Nov 16 21:15:29 mon-host kernel: [ 101.786940] IPMI message handler: version 39.2
Nov 16 21:15:29 mon-host kernel: [ 101.836146] index 4 is out of range for type 'u16 [4]'
Nov 16 21:15:29 mon-host kernel: [ 101.836152] CPU: 0 PID: 447 Comm: systemd-udevd Not tainted 5.15.0-91-generic #101-Ubuntu
Nov 16 21:15:29 mon-host kernel: [ 101.836156] Hardware name: Dell Inc. PowerEdge 1950/0D8635, BIOS 2.7.0 10/30/2010
Nov 16 21:15:29 mon-host kernel: [ 101.836158] Call Trace:
Nov 16 21:15:29 mon-host kernel: [ 101.836162] <TASK>
Nov 16 21:15:29 mon-host kernel: [ 101.836166] show_stack+0x52/0x5c
Nov 16 21:15:29 mon-host kernel: [ 101.836175] dump_stack_lvl+0x4a/0x63
Nov 16 21:15:29 mon-host kernel: [ 101.836182] dump_stack+0x10/0x16
Nov 16 21:15:29 mon-host kernel: [ 101.836184] ubsan_epilogue+0x9/0x36
Nov 16 21:15:29 mon-host kernel: [ 101.836187] __ubsan_handle_out_of_bounds.cold+0x44/0x49
Nov 16 21:15:29 mon-host kernel: [ 101.836190] ? i5000_get_mc_regs.isra.0+0x14c/0x1c0 [i5000_edac]
Nov 16 21:15:29 mon-host kernel: [ 101.836197] i5000_probe1+0x506/0x5c0 [i5000_edac]
Nov 16 21:15:29 mon-host kernel: [ 101.836201] ? pci_bus_read_config_byte+0x40/0x70
Nov 16 21:15:29 mon-host kernel: [ 101.862944] ? do_pci_enable_device+0x54/0x110
Nov 16 21:15:29 mon-host kernel: [ 101.862948] i5000_init_one+0x26/0x30 [i5000_edac]
Nov 16 21:15:29 mon-host kernel: [ 101.862952] local_pci_probe+0x4b/0x90
Nov 16 21:15:29 mon-host kernel: [ 101.862956] pci_device_probe+0x119/0x1f0
Nov 16 21:15:29 mon-host kernel: [ 101.862960] really_probe+0x222/0x420
Nov 16 21:15:29 mon-host kernel: [ 101.862964] __driver_probe_device+0xe8/0x140
Nov 16 21:15:29 mon-host kernel: [ 101.862966] driver_probe_device+0x23/0xc0
Nov 16 21:15:29 mon-host kernel: [ 101.862969] __driver_attach+0xf7/0x1f0
Nov 16 21:15:29 mon-host kernel: [ 101.862971] ? __device_attach_driver+0x140/0x140
Nov 16 21:15:29 mon-host kernel: [ 101.862974] bus_for_each_dev+0x7f/0xd0
Nov 16 21:15:29 mon-host kernel: [ 101.862978] driver_attach+0x1e/0x30
Nov 16 21:15:29 mon-host kernel: [ 101.862980] bus_add_driver+0x148/0x220
Nov 16 21:15:29 mon-host kernel: [ 101.862982] ? vunmap_range_noflush+0x3d5/0x470
Nov 16 21:15:29 mon-host kernel: [ 101.862987] driver_register+0x95/0x100
Nov 16 21:15:29 mon-host kernel: [ 101.862990] ? 0xffffffffc03d8000
Nov 16 21:15:29 mon-host kernel: [ 101.862993] __pci_register_driver+0x68/0x70
Nov 16 21:15:29 mon-host kernel: [ 101.862996] i5000_init+0x36/0x1000 [i5000_edac]
Nov 16 21:15:29 mon-host kernel: [ 101.863000] do_one_initcall+0x49/0x1e0
Nov 16 21:15:29 mon-host kernel: [ 101.863005] ? kmem_cache_alloc_trace+0x19e/0x2e0
Nov 16 21:15:29 mon-host kernel: [ 101.863011] do_init_module+0x52/0x260
Nov 16 21:15:29 mon-host kernel: [ 101.863016] load_module+0xb2b/0xbc0
Nov 16 21:15:29 mon-host kernel: [ 101.863019] __do_sys_finit...

Ubuntu
linux package

Aquantia GbE LAN driver causes UBSAN error during kernel boot

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Bug attachments

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Undecided	Unassigned
Focal	Invalid	Undecided	Unassigned
Jammy	Fix Released	Medium	Unassigned
linux-oem-5.14 (Ubuntu)	Invalid	Undecided	Unassigned
Focal	Fix Released	Undecided	Unassigned
Jammy	Invalid	Undecided	Unassigned
linux-oem-5.17 (Ubuntu)	Invalid	Undecided	Unassigned
Focal	Invalid	Undecided	Unassigned
Jammy	Fix Released	Undecided	Unassigned

Ubuntulinux package

Aquantia GbE LAN driver causes UBSAN error during kernel boot

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
linux package