Control: forwarded -1 https://lore.kernel.org/lkml/[email protected] Hi
Pascal reported in Debian in https://bugs.debian.org/1123987 a problem catched by UBSAN in drivers/usb/typec/ucsi/ucsi.c: [ +1,022859] ------------[ cut here ]------------ [ +0,000008] UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.13/drivers/usb/typec/ucsi/ucsi.c:605:12 [ +0,001186] index 2 is out of range for type 'ucsi_altmode [2]' [ +0,000578] CPU: 10 UID: 0 PID: 275 Comm: kworker/10:1 Not tainted 6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1 [ +0,000005] Hardware name: LENOVO 83J3/LNVNB161216, BIOS PYCN30WW 11/17/2025 [ +0,000002] Workqueue: events_long ucsi_init_work [typec_ucsi] [ +0,000010] Call Trace: [ +0,000003] <TASK> [ +0,000003] dump_stack_lvl+0x5d/0x80 [ +0,000007] ubsan_epilogue+0x5/0x2b [ +0,000005] __ubsan_handle_out_of_bounds.cold+0x54/0x59 [ +0,000007] ucsi_register_altmodes+0x214/0x250 [typec_ucsi] [ +0,000007] ucsi_check_altmodes+0x1b/0xa0 [typec_ucsi] [ +0,000004] ucsi_init_work+0x919/0x9b0 [typec_ucsi] [ +0,000005] process_one_work+0x192/0x350 [ +0,000006] worker_thread+0x25a/0x3a0 [ +0,000004] ? __pfx_worker_thread+0x10/0x10 [ +0,000003] kthread+0xfc/0x240 [ +0,000003] ? __pfx_kthread+0x10/0x10 [ +0,000002] ? __pfx_kthread+0x10/0x10 [ +0,000002] ret_from_fork+0x197/0x1c0 [ +0,000005] ? __pfx_kthread+0x10/0x10 [ +0,000002] ret_from_fork_asm+0x1a/0x30 [ +0,000008] </TASK> [ +0,000001] ---[ end trace ]--- [ +0,000006] ------------[ cut here ]------------ [ +0,000002] UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.13/drivers/usb/typec/ucsi/ucsi.c:609:18 [ +0,000579] index 2 is out of range for type 'ucsi_altmode [2]' [ +0,000562] CPU: 10 UID: 0 PID: 275 Comm: kworker/10:1 Not tainted 6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1 [ +0,000003] Hardware name: LENOVO 83J3/LNVNB161216, BIOS PYCN30WW 11/17/2025 [ +0,000001] Workqueue: events_long ucsi_init_work [typec_ucsi] [ +0,000005] Call Trace: [ +0,000001] <TASK> [ +0,000001] dump_stack_lvl+0x5d/0x80 [ +0,000004] ubsan_epilogue+0x5/0x2b [ +0,000003] __ubsan_handle_out_of_bounds.cold+0x54/0x59 [ +0,000005] ucsi_register_altmodes+0x233/0x250 [typec_ucsi] [ +0,000006] ucsi_check_altmodes+0x1b/0xa0 [typec_ucsi] [ +0,000004] ucsi_init_work+0x919/0x9b0 [typec_ucsi] [ +0,000005] process_one_work+0x192/0x350 [ +0,000004] worker_thread+0x25a/0x3a0 [ +0,000004] ? __pfx_worker_thread+0x10/0x10 [ +0,000003] kthread+0xfc/0x240 [ +0,000002] ? __pfx_kthread+0x10/0x10 [ +0,000002] ? __pfx_kthread+0x10/0x10 [ +0,000003] ret_from_fork+0x197/0x1c0 [ +0,000003] ? __pfx_kthread+0x10/0x10 [ +0,000002] ret_from_fork_asm+0x1a/0x30 [ +0,000006] </TASK> [ +0,000001] ---[ end trace ]--- [ +0,000006] ------------[ cut here ]------------ [ +0,000001] UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.13/drivers/usb/typec/ucsi/ucsi.c:610:19 [ +0,000608] index 2 is out of range for type 'ucsi_altmode [2]' [ +0,000597] CPU: 10 UID: 0 PID: 275 Comm: kworker/10:1 Not tainted 6.17.13+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.13-1 [ +0,000003] Hardware name: LENOVO 83J3/LNVNB161216, BIOS PYCN30WW 11/17/2025 [ +0,000001] Workqueue: events_long ucsi_init_work [typec_ucsi] [ +0,000004] Call Trace: [ +0,000002] <TASK> [ +0,000001] dump_stack_lvl+0x5d/0x80 [ +0,000004] ubsan_epilogue+0x5/0x2b [ +0,000003] __ubsan_handle_out_of_bounds.cold+0x54/0x59 [ +0,000004] ucsi_register_altmodes+0x1fa/0x250 [typec_ucsi] [ +0,000006] ucsi_check_altmodes+0x1b/0xa0 [typec_ucsi] [ +0,000004] ucsi_init_work+0x919/0x9b0 [typec_ucsi] [ +0,000006] process_one_work+0x192/0x350 [ +0,000004] worker_thread+0x25a/0x3a0 [ +0,000003] ? __pfx_worker_thread+0x10/0x10 [ +0,000003] kthread+0xfc/0x240 [ +0,000002] ? __pfx_kthread+0x10/0x10 [ +0,000002] ? __pfx_kthread+0x10/0x10 [ +0,000003] ret_from_fork+0x197/0x1c0 [ +0,000003] ? __pfx_kthread+0x10/0x10 [ +0,000002] ret_from_fork_asm+0x1a/0x30 [ +0,000006] </TASK> [ +0,000001] ---[ end trace ]--- While I initially asked if Pascal can check as well mainline additionally to the tested 6.18.2 version, the problematic code seems still present, so I'm forwarding it now. Regards, Salvatore
