[Kernel-packages] [Bug 2102186] Re: wrong packet header size calculation

[Launchpad Bug Tracker]

This bug was fixed in the package linux-oem-6.11 - 6.11.0-1025.25

---------------
linux-oem-6.11 (6.11.0-1025.25) noble; urgency=medium

  * noble/linux-oem-6.11: 6.11.0-1025.25 -proposed tracker (LP:
#2114304)

  * Packaging resync (LP: #1786013)
    - [Packaging] update variants

  * No IP Address assigned after hot-plugging Ethernet cable on HP Platform
    (LP: #2115393)
    - SAUCE: Revert "e1000e: change k1 configuration on MTP and later
      platforms"

  * Gnome freeze during sleepgraph testing (LP: #2115392)
    - drm/xe/sched: stop re-submitting signalled jobs

  * intel-ish-hid keeps timeout while accessing it during suspend
    (LP: #2115390)
    - SAUCE: HID: intel-ish-hid: Increase ISHTP resume ack timeout to 300ms

  * Enable the mute and mic-mute LEDs on HP Elitebook 6 laptops (LP: #2115198)
    - ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 6 G1a

  * auxiliary intel_ipu6.psys.40: deferred probe pending: (reason unknown)
    (LP: #2115083)
    - [Packaging] debian.oem/dkms-versions -- bump ipu6 version

  * Handle IOMMU IVRS entries with mismatched UID on AMD Strix or newer
    platforms (LP: #2115174)
    - iommu/amd: Allow matching ACPI HID devices without matching UIDs

  * wrong packet header size calculation (LP: #2102186)
    - [Packaging] debian.oem/dkms-versions -- bump usbio version

  * dmesg flooded with errors: amdgpu: DP AUX transfer fail:4 (LP: #2115238)
    - drm/amd/display: Correct the reply value when AUX write incomplete
    - drm/amd/display: Avoid flooding unnecessary info messages

  * Print last reset reason into kernel log on AMD Zen platforms
    (LP: #2115171)
    - i2c: piix4: Make CONFIG_I2C_PIIX4 dependent on CONFIG_X86
    - i2c: piix4, x86/platform: Move the SB800 PIIX4 FCH definitions to
      <asm/amd/fch.h>
    - platform/x86/amd/pmc: Use FCH_PM_BASE definition
    - Documentation: Add AMD Zen debugging document
    - x86/CPU/AMD: Print the reason for the last reset

  * [SRU] Add support for new hotkey of F9 on Thinkpad X9 (LP: #2115022)
    - platform/x86: thinkpad-acpi: Add support for new hotkey for camera
      shutter switch

  * HW accelerated video playback causes VCN timeout on VCN 4.0.5 (AMD Strix)
    (LP: #2112582)
    - drm/amdgpu: read back register after written for VCN v4.0.5

  * Unexpected system reboot at loading GUI session on some AMD platforms
    (LP: #2112462)
    - drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush
    - drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush
    - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush
    - drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush
    - drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush

  * fwts s3 test shows High Failures: last_hw_sleep less than 70% on AMD
    platforms (LP: #2112290)
    - SAUCE: platform/x86/amd: pmc: Clear metrics table at start of cycle

  * ASoC: rt1320: fix speaker noise when volume bar is 100% (LP: #2112350)
    - SAUCE: ASoC: rt1320: fix speaker noise when volume bar is 100%

  [ Ubuntu: 6.11.0-29.29 ]

  * oracular/linux: 6.11.0-29.29 -proposed tracker (LP: #2114305)
  * Packaging resync (LP: #1786013)
    - [Packaging] update variants
    - [Packaging] update annotations scripts
  * CVE-2025-37890
    - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
      qdisc
    - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
    - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
  * raid1: Fix NULL pointer dereference in process_checks() (LP: #2112519)
    - md/raid1: Add check for missing source disk in process_checks()
  * CVE-2025-37798
    - sch_htb: make htb_qlen_notify() idempotent
    - sch_htb: make htb_deactivate() idempotent
    - sch_drr: make drr_qlen_notify() idempotent
    - sch_hfsc: make hfsc_qlen_notify() idempotent
    - sch_qfq: make qfq_qlen_notify() idempotent
    - sch_ets: make est_qlen_notify() idempotent
    - codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
  * CVE-2025-37997
    - netfilter: ipset: fix region locking in hash types

 -- Kuan-Ying Lee <kuan-ying....@canonical.com>  Thu, 26 Jun 2025
13:25:35 +0800

** Changed in: linux-oem-6.11 (Ubuntu Noble)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-37798

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-37890

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-37997

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-6.11 in Ubuntu.
https://bugs.launchpad.net/bugs/2102186

Title:
  wrong packet header size calculation

Status in linux-oem-6.11 package in Ubuntu:
  Invalid
Status in usbio-drivers package in Ubuntu:
  Fix Released
Status in linux-oem-6.11 source package in Noble:
  Fix Released
Status in usbio-drivers source package in Noble:
  Invalid
Status in linux-oem-6.11 source package in Oracular:
  Invalid
Status in usbio-drivers source package in Oracular:
  Won't Fix
Status in linux-oem-6.11 source package in Plucky:
  Invalid
Status in usbio-drivers source package in Plucky:
  Fix Released
Status in linux-oem-6.11 source package in Questing:
  Invalid
Status in usbio-drivers source package in Questing:
  Fix Released

Bug description:
  [SRU Justification]

  [ Impact ]

  This is a necessary part to enable Intel IPU6 MIPI camera on another
  Intel Arrow Lake platform.

  In addition, in bug 2071821 at enabling Intel MIPI camera for Intel
  Lunar Lake platform on Dell XPS 13 9350, the request frame header size
  changed to reflect protocol 1.0 updates -- the value field in struct
  gpio_rw_packet is not included in the outgoing frame of a GPIO_READ
  operation. An work-around now known as https://github.com/intel/usbio-
  drivers/pull/14 was proposed by Intel and was then carried in Ubuntu
  usbio-drivers package since version
  0~git202408092230.70c524c5-0ubuntu1 in Oracular.

  The pull request is to:

  1. If the platform is Lunar Lake and it has a special gpio-usbio
  device -- function `is_gpio_hid_v1_0` returns true -- then it omits
  the last four bytes,

  2. else, transfer whatever is given.

  Since then, the work-around is never merged as Intel promised, and
  finally it received an official solution as
  https://github.com/intel/usbio-
  drivers/commit/b022c9a73d9ff9d455a913dd478b047228d844e2.

  However, this fix is more like an fix for another typo and is not
  logical equivalent to the original hack. This fix corrects the line
  with `sizeof(header)` to `sizeof(*header)`, which effectively reduces
  4 bytes as the original hack did, but this time, globally to every
  platform, every configuration.

  While the proposal is to drop that PR-14 in favor of this sizeof fix,
  the net effect is that for every device doesn't get matched from the
  `is_gpio_hid_v1_0` function, the xfer len will be reduced to 4 bytes.
  This was considered causing regression on all other devices with an
  older usbio protocol then 1.0 as mentioned in
  https://github.com/intel/usbio-drivers/pull/14#discussion_r1693451687,
  but the Intel CVS team claimed this is never an issue, the pull
  request is never a candidate to be merged, and Intel has verified all
  the related devices.

  While we don't really have a 0.7 usbio firmware device to verify, and
  that can also be an engineering sample that couldn't actually exist in
  public, the proposal is then justified.

  [ Test Plan ]

  1. This is a critical part for enabling a new Intel Arrow Lake
  platform, and we also picked a few devices inclusive of
  OASM4-DVT2-C2-202312-33214, a MTL platform with gpio-usbio.

  2. For existing platforms, this should be an drop-in replacement to
  existing systems. Just install intel-usbio-dkms from -proposed pocket
  and reboot to same kernel.

    $ sudo apt-get install intel-usbio-dkms

  3. For the new ARL system, install following packages to create a
  verification environtment:

    $ sudo apt-get install --no-install-recommends --yes \
        linux-oem-24.04b \
        intel-ipu6-dkms \
        intel-usbio-dkms \
        v4l2loopback-dkms \
        gstreamer1.0-icamera \
        libcamhal-ipu6epmtl \
        v4l2-relayd

  4. Verify webcam working on http://webcamtests.com

  [ Where problems could occur ]

  We don't have the firmware source to verify the protocol changes, and
  we don't own a device that matches a potential regression concern.
  Still worry about a potential regression, but I don't have a proof.

  [ Other Info ]

  The device enablement is on linux-oem-6.11. Nominate updates to
  Oracular, Plucky, and Questing.

  ========== original bug report ==========

  The work-around proposed by driver vendor,
  https://git.launchpad.net/ubuntu/+source/usbio-
  drivers/tree/debian/patches/0003-mfd-usbio-gpio-read-payload-
  reduces-4-bytes.patch?h=applied/ubuntu/devel, is wrong. A corrected
  version is now merged in the upstream as
  https://github.com/intel/usbio-
  drivers/commit/b022c9a73d9ff9d455a913dd478b047228d844e2 .

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-oem-6.11/+bug/2102186/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp