UBSAN: shift-out-of-bounds in amd_sfh

Bug #2027773 reported by You-Sheng Yang
This bug affects 1 person
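| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| HWE Next | New | Undecided | Unassigned | |
| OEM Priority Project | New | Undecided | Unassigned | |
| linux (Ubuntu) | Status tracked in Mantic | | | |
| linux (Ubuntu Jammy) | Invalid | Undecided | Unassigned | |
| linux (Ubuntu Lunar) | Fix Committed | High | You-Sheng Yang | |
| linux (Ubuntu Mantic) | Fix Released | High | You-Sheng Yang | |
| linux-oem-6.0 (Ubuntu) | Status tracked in Mantic | | | |
| linux-oem-6.0 (Ubuntu Jammy) | Won't Fix | Undecided | Unassigned | |
| linux-oem-6.0 (Ubuntu Lunar) | Invalid | Undecided | Unassigned | |
| linux-oem-6.0 (Ubuntu Mantic) | Invalid | Undecided | Unassigned | |
| linux-oem-6.1 (Ubuntu) | Status tracked in Mantic | | | |
| linux-oem-6.1 (Ubuntu Jammy) | Fix Released | High | You-Sheng Yang | |
| linux-oem-6.1 (Ubuntu Lunar) | Invalid | Undecided | Unassigned | |
| linux-oem-6.1 (Ubuntu Mantic) | Invalid | Undecided | Unassigned | |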

Bug Description

[SRU Justification]

[Impact]

UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
[ 7.928631] shift exponent 103 is too large for 64-bit type 'long unsigned int'
[ 9.877309] Workqueue: events amd_sfh_work_buffer [amd_sfh]
[ 9.877327] Call Trace:
[ 9.877331] <TASK>
[ 9.877335] dump_stack_lvl+0x49/0x63
[ 9.877346] dump_stack+0x10/0x16
[ 9.877348] ubsan_epilogue+0x9/0x36
[ 9.877357] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[ 9.877363] ? _raw_spin_lock+0x17/0x50
[ 9.877369] ? raw_spin_rq_lock_nested+0x2e/0xa0
[ 9.877378] ? psi_group_change+0x1e2/0x4a0
[ 9.877385] float_to_int.cold+0x18/0xc8 [amd_sfh]
[ 9.877394] ? get_feature_rep+0xb0/0xb0 [amd_sfh]
[ 9.877402] get_input_rep+0x219/0x2f0 [amd_sfh]
[ 9.877409] ? up+0x37/0x70
[ 9.877414] ? hid_input_report+0x104/0x170 [hid]
[ 9.877428] amd_sfh_work_buffer+0x94/0x150 [amd_sfh]
[ 9.877436] process_one_work+0x21f/0x3f0
[ 9.877443] worker_thread+0x50/0x3e0
[ 9.877446] ? process_one_work+0x3f0/0x3f0
[ 9.877449] kthread+0xfd/0x130
[ 9.877452] ? kthread_complete_and_exit+0x20/0x20
[ 9.877454] ret_from_fork+0x22/0x30
[ 9.877463] </TASK>

[Fix]

Fixes in:
* commit c1685a862a4b ("HID: amd_sfh: Rename the float32 variable")
* commit 878543661764 ("HID: amd_sfh: Fix for shift-out-of-bounds")

[Test Case]

The affected platform should no longer have such an error dumped in kernel dmesg
at boot.

[Where problems could occur]

This renamed a variable and corrected the way the shift offset is calculated. No
known side effects.

[Other Info]

This affects kernel >= v6.0 and < v6.5, so Unstable/Mantic/Lunar/OEM-6.1 are
nominated for the fix.

========== original bug report ==========

UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
[ 7.928631] shift exponent 103 is too large for 64-bit type 'long unsigned int'
[ 9.877309] Workqueue: events amd_sfh_work_buffer [amd_sfh]
[ 9.877327] Call Trace:
[ 9.877331] <TASK>
[ 9.877335] dump_stack_lvl+0x49/0x63
[ 9.877346] dump_stack+0x10/0x16
[ 9.877348] ubsan_epilogue+0x9/0x36
[ 9.877357] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[ 9.877363] ? _raw_spin_lock+0x17/0x50
[ 9.877369] ? raw_spin_rq_lock_nested+0x2e/0xa0
[ 9.877378] ? psi_group_change+0x1e2/0x4a0
[ 9.877385] float_to_int.cold+0x18/0xc8 [amd_sfh]
[ 9.877394] ? get_feature_rep+0xb0/0xb0 [amd_sfh]
[ 9.877402] get_input_rep+0x219/0x2f0 [amd_sfh]
[ 9.877409] ? up+0x37/0x70
[ 9.877414] ? hid_input_report+0x104/0x170 [hid]
[ 9.877428] amd_sfh_work_buffer+0x94/0x150 [amd_sfh]
[ 9.877436] process_one_work+0x21f/0x3f0
[ 9.877443] worker_thread+0x50/0x3e0
[ 9.877446] ? process_one_work+0x3f0/0x3f0
[ 9.877449] kthread+0xfd/0x130
[ 9.877452] ? kthread_complete_and_exit+0x20/0x20
[ 9.877454] ret_from_fork+0x22/0x30
[ 9.877463] </TASK>

Fixes in:
https://github.com/torvalds/linux/commit/c1685a862a4bea863537f06abaa37a123aef493c
https://github.com/torvalds/linux/commit/87854366176403438d01f368b09de3ec2234e0f5

This affects kernel >= v6.0.
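
Added example, not code from this bug report or from the amd_sfh driver: the UBSAN message above belongs to the class of bugs where a shift count is derived from untrusted data, here the exponent field of a 32-bit float, and exceeds the width of the operand. The hypothetical helper f32_bits_to_int() below rounds an IEEE-754 binary32 bit pattern to an int with integer operations only and range-checks the exponent before every shift; the sample input with unbiased exponent -103 is constructed to mirror the shift count in the log, and how the driver arrived at that count is not shown on this page.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Round an IEEE-754 binary32 bit pattern to the nearest int using integer
 * operations only. Every shift count is proven to lie in [0, 23] before use.
 * Hypothetical helper for illustration; not the amd_sfh implementation. */
int f32_bits_to_int(uint32_t bits)
{
	uint32_t mant = bits & 0x007fffffu;        /* 23 fraction bits */
	int biased = (int)((bits >> 23) & 0xffu);  /* 8 exponent bits */
	int neg = (int)(bits >> 31);               /* sign bit */
	int exp = biased - 127;                    /* unbiased exponent */
	uint32_t sig = mant | 0x00800000u;         /* implicit leading 1 */
	uint32_t mag;

	if (biased == 0)        /* zero or subnormal: |x| < 2^-126 */
		return 0;
	if (biased == 0xff)     /* Inf/NaN: no integer value, report 0 */
		return 0;
	if (exp < -1)           /* |x| < 0.5: answer is 0, no shift by -exp */
		return 0;
	if (exp == -1)          /* 0.5 <= |x| < 1 rounds away from zero */
		return neg ? -1 : 1;
	if (exp > 30)           /* |x| >= 2^31: saturate instead of shifting out */
		return neg ? INT_MIN : INT_MAX;

	if (exp <= 23) {
		unsigned int shift = 23u - (unsigned int)exp;  /* 0..23 */
		mag = sig >> shift;
		if (shift && ((sig >> (shift - 1)) & 1u))      /* round half up */
			mag++;
	} else {
		mag = sig << (unsigned int)(exp - 23);         /* 1..7 */
	}
	return neg ? -(int)mag : (int)mag;
}

int main(void)
{
	/* Constructed inputs: 2^-103 (biased exponent 24), 2.5, -2.5, 2^31 */
	static const uint32_t samples[] = { 0x0c000000u, 0x40200000u,
					    0xc0200000u, 0x4f000000u };
	for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("0x%08x -> %d\n", (unsigned int)samples[i],
		       f32_bits_to_int(samples[i]));
	return 0;
}
```

Building the same file with -fsanitize=shift reproduces the userspace equivalent of the kernel check if any of the range guards is removed.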

You-Sheng Yang (vicamo) wrote :

This has landed in Linus' tree. Will be in v6.5(-rc2).

Changed in linux (Ubuntu Jammy):
status: New → Invalid
Changed in linux-oem-6.0 (Ubuntu Jammy):
status: New → Won't Fix
Changed in linux-oem-6.0 (Ubuntu Lunar):
status: New → Invalid
Changed in linux-oem-6.0 (Ubuntu Mantic):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Jammy):
assignee: nobody → You-Sheng Yang (vicamo)
importance: Undecided → High
status: New → In Progress
Changed in linux-oem-6.1 (Ubuntu Lunar):
status: New → Invalid
Changed in linux-oem-6.1 (Ubuntu Mantic):
status: New → Invalid
Changed in linux (Ubuntu Lunar):
assignee: nobody → You-Sheng Yang (vicamo)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Mantic):
assignee: nobody → You-Sheng Yang (vicamo)
importance: Undecided → High
status: New → In Progress
You-Sheng Yang (vicamo)
summary: - UBSAN errors in amd_sfh
+ UBSAN: shift-out-of-bounds in amd_sfh
tags: added: amd oem-priority originate-from-2026792
You-Sheng Yang (vicamo)
tags: added: originate-from-2025438
You-Sheng Yang (vicamo)
description: updated
You-Sheng Yang (vicamo) wrote :
description: updated
Stefan Bader (smb)
Changed in linux (Ubuntu Mantic):
status: In Progress → Fix Released
Timo Aaltonen (tjaalton)
Changed in linux-oem-6.1 (Ubuntu Jammy):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-oem-6.1/6.1.0-1018.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-oem-6.1 verification-needed-jammy
Andy Chi (andch)
tags: added: originate-from-2026812 stella
Andy Chi (andch) wrote :

Enabled -proposed on LOX14-PV-SKU6 and installed 6.1.0-1018.18; the error is gone.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Changed in linux (Ubuntu Lunar):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.2.0-30.30 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar-linux' to 'verification-done-lunar-linux'. If the problem still exists, change the tag 'verification-needed-lunar-linux' to 'verification-failed-lunar-linux'.

tags: added: kernel-spammed-lunar-linux-v2 verification-needed-lunar-linux
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-oem-6.1 - 6.1.0-1019.19

---------------
linux-oem-6.1 (6.1.0-1019.19) jammy; urgency=medium

  * jammy/linux-oem-6.1: 6.1.0-1019.19 -proposed tracker (LP: #2029478)

  * ubuntu_bpf failed to build with j-oem-6.1.0-1018.18 (LP: #2028932)
    - SAUCE: Revert "libbpf: fix offsetof() and container_of() to work with CO-RE"

  * Regression: amdgpu mirror mode broken in -1018 (LP: #2028848)
    - Revert "drm/amd/display: edp do not add non-edid timings"

  * Miscellaneous Ubuntu changes
    - [Config] Update gcc/pahole versions.

 -- Timo Aaltonen <email address hidden> Sat, 05 Aug 2023 14:53:47 +0300

Changed in linux-oem-6.1 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-6.2/6.2.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-6.2' to 'verification-done-jammy-linux-nvidia-6.2'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-6.2' to 'verification-failed-jammy-linux-nvidia-6.2'.

tags: added: kernel-spammed-jammy-linux-nvidia-6.2-v2 verification-needed-jammy-linux-nvidia-6.2
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-starfive/6.2.0-1004.5 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar-linux-starfive' to 'verification-done-lunar-linux-starfive'. If the problem still exists, change the tag 'verification-needed-lunar-linux-starfive' to 'verification-failed-lunar-linux-starfive'.

tags: added: kernel-spammed-lunar-linux-starfive-v2 verification-needed-lunar-linux-starfive
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-6.2/6.2.0-1013.13~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws-6.2' to 'verification-done-jammy-linux-aws-6.2'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws-6.2' to 'verification-failed-jammy-linux-aws-6.2'.

tags: added: kernel-spammed-jammy-linux-aws-6.2-v2 verification-needed-jammy-linux-aws-6.2
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/6.2.0-1013.13 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar-linux-azure' to 'verification-done-lunar-linux-azure'. If the problem still exists, change the tag 'verification-needed-lunar-linux-azure' to 'verification-failed-lunar-linux-azure'.

tags: added: kernel-spammed-lunar-linux-azure-v2 verification-needed-lunar-linux-azure