Re: [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie

From: Sam James <sam@gentoo.org>
To: keescook@chromium.org
Cc: chunkeey@gmail.com,chunkeey@googlemail.com,davem@davemloft.net,edumazet@google.com,helmut.schaa@googlemail.com,johannes@sipsolutions.net,kernel@quicinc.com,kuba@kernel.org,kvalo@kernel.org,linux-kernel@vger.kernel.org,linux-wireless@vger.kernel.org,netdev@vger.kernel.org,pabeni@redhat.com,pkshih@realtek.com,quic_jjohnson@quicinc.com,stf_xl@wp.pl,toke@toke.dk
Subject: Re: [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie
Date: Tue, 14 May 2024 05:51:02 +0100	[thread overview]
Message-ID: <87jzjxgfnt.fsf@gentoo.org> (raw)
In-Reply-To: <202308301529.AC90A9EF98@keescook>

I think I've just hit this, unless it's been fixed since and it's just
similar.

```
[  291.051876] ================================================================================
[  291.051892] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.6.30/work/linux-6.6/include/linux/ieee80211.h:4455:28
[  291.051901] index 1 is out of range for type 'u8 [1]'
[  291.051908] CPU: 2 PID: 627 Comm: kworker/2:3 Not tainted 6.6.30-gentoo-dist-hardened #1
[  291.051917] Hardware name: ASUSTeK COMPUTER INC. UX305FA/UX305FA, BIOS UX305FA.216 04/17/2019
[  291.051922] Workqueue: events cfg80211_wiphy_work [cfg80211]
[  291.052082] Call Trace:
[  291.052088]  <TASK>
[  291.052096] dump_stack_lvl (lib/dump_stack.c:107) 
[  291.052114] __ubsan_handle_out_of_bounds (lib/ubsan.c:218 (discriminator 1) lib/ubsan.c:348 (discriminator 1)) 
[  291.052130] ieee80211_rx_mgmt_beacon (include/linux/ieee80211.h:4455 net/mac80211/mlme.c:6047) mac80211
[  291.052354] ? check_preempt_wakeup (kernel/sched/fair.c:977 kernel/sched/fair.c:8226) 
[  291.052368] ? check_preempt_curr (kernel/sched/core.c:2232) 
[  291.052375] ? ttwu_do_activate (kernel/sched/core.c:3766 (discriminator 2) kernel/sched/core.c:3794 (discriminator 2)) 
[  291.052383] ? __mutex_lock.constprop.0 (kernel/locking/mutex.c:489 kernel/locking/mutex.c:607 kernel/locking/mutex.c:747) 
[  291.052393] ieee80211_sta_rx_queued_mgmt (net/mac80211/mlme.c:6288) mac80211
[  291.052599] ? finish_task_switch.isra.0 (arch/x86/include/asm/paravirt.h:700 kernel/sched/sched.h:1386 kernel/sched/core.c:5138 kernel/sched/core.c:5256) 
[  291.052613] ieee80211_iface_work (net/mac80211/iface.c:1602 net/mac80211/iface.c:1658) mac80211
[  291.052792] ? __pm_runtime_suspend (drivers/base/power/runtime.c:1128) 
[  291.052807] cfg80211_wiphy_work (include/net/cfg80211.h:5789 net/wireless/core.c:442) cfg80211
[  291.052889] process_one_work (kernel/workqueue.c:2632) 
[  291.052894] worker_thread (kernel/workqueue.c:2694 (discriminator 2) kernel/workqueue.c:2781 (discriminator 2)) 
[  291.052897] ? __pfx_worker_thread (kernel/workqueue.c:2727) 
[  291.052900] kthread (kernel/kthread.c:388) 
[  291.052905] ? __pfx_kthread (kernel/kthread.c:341) 
[  291.052909] ret_from_fork (arch/x86/kernel/process.c:153) 
[  291.052913] ? __pfx_kthread (kernel/kthread.c:341) 
[  291.052917] ret_from_fork_asm (arch/x86/entry/entry_64.S:314) 
[  291.052922]  </TASK>
[  291.052923]
================================================================================
```

I can reproduce it fairly easily when changing wifi adapters and
toggling connecting to an AP.

(It was a fun mini-adventure to get the trace usable and I should send
some patches to decode_stacktrace.sh, I think...)

thanks,
sam