From: Larry Finger <Larry.Finger@lwfinger.net>
To: "Greg KH" <gregkh@linuxfoundation.org>,
"Богдан Пилипенко" <bogdan.pylypenko107@gmail.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: rtw88 kernel module error report (UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtw88/phy.c)
Date: Tue, 30 Mar 2021 13:01:37 -0500
Message-ID: <040befa9-c88f-539a-f158-0c75d8789e47@lwfinger.net>
In-Reply-To: <YGNS7WKlBmLrM9/d@kroah.com>
On 3/30/21 11:33 AM, Greg KH wrote:
> On Tue, Mar 30, 2021 at 07:26:15AM -0900, Богдан Пилипенко wrote:
>> Hi!
>> I found your emails at:
>> - https://github.com/lwfinger/rtw88
>> - https://wireless.wiki.kernel.org/en/users/drivers/rtl819x
>>
>> I have an error in dmesg:
>> *dmesg | grep rtw88*
>>
>>> [ 26.518691] UBSAN: array-index-out-of-bounds in
>>> drivers/net/wireless/realtek/rtw88/phy.c:1661:35
>>> [ 26.518804] rtw_get_tx_power_params+0xc66/0xd80 [rtw88_core]
>>> [ 26.518822] ? check_hw_ready+0x4f/0xa0 [rtw88_core]
>>> [ 26.518836] rtw_phy_get_tx_power_index+0x4d/0x1e0 [rtw88_core]
>>> [ 26.518850] rtw_phy_set_tx_power_level+0xcc/0x1a0 [rtw88_core]
>>> [ 26.518864] rtw_set_channel+0xc1/0x120 [rtw88_core]
>>> [ 26.518878] rtw_ops_config+0x87/0xc0 [rtw88_core]
>>
>>
>> And many-many cyclic errors like (size 224 & size 512):
>> *cat /sys/kernel/debug/kmemleak*
>
> Can you submit a patch for this to resolve the issue as you can
> reproduce it easily?

Greg and Богдан,

I had previously reported the memory leak at
https://marc.info/?l=linux-wireless&m=161677626908838&w=2. Unfortunately, it is
not obvious how to fix it. When the routine exits, the skb in question belongs
to mac80211. It is not clear why it does not free it. I also have an Intel
device that uses iwlmvm. Although the calling sequence to ieee80211_rx_napi()
looks the same, it does not leak the skb. Unfortunately, none of the mac80211
experts have responded to my E-mail.

@Богдан: What kernel version are you using? With kernel HEAD, line 1661 of
drivers/net/wireless/realtek/rtw88/phy.c is a case statement, which should not
generate an array overflow.

Larry