* Re: rtw88 kernel module error report (UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtw88/phy.c)
From: Greg KH @ 2021-03-30 16:33 UTC
To: Богдан Пилипенко
Cc: linux-wireless, Larry.Finger

On Tue, Mar 30, 2021 at 07:26:15AM -0900, Богдан Пилипенко wrote:
> Hi!
> I found your emails at:
> - https://github.com/lwfinger/rtw88
> - https://wireless.wiki.kernel.org/en/users/drivers/rtl819x
>
> I have an error in dmesg:
> *dmesg | grep rtw88*
>
> > [ 26.518691] UBSAN: array-index-out-of-bounds in
> > drivers/net/wireless/realtek/rtw88/phy.c:1661:35
> > [ 26.518804] rtw_get_tx_power_params+0xc66/0xd80 [rtw88_core]
> > [ 26.518822] ? check_hw_ready+0x4f/0xa0 [rtw88_core]
> > [ 26.518836] rtw_phy_get_tx_power_index+0x4d/0x1e0 [rtw88_core]
> > [ 26.518850] rtw_phy_set_tx_power_level+0xcc/0x1a0 [rtw88_core]
> > [ 26.518864] rtw_set_channel+0xc1/0x120 [rtw88_core]
> > [ 26.518878] rtw_ops_config+0x87/0xc0 [rtw88_core]
>
>
> And many-many cyclic errors like (size 224 & size 512):
> *cat /sys/kernel/debug/kmemleak*

Can you submit a patch for this to resolve the issue as you can
reproduce it easily?

thanks,

greg k-h

* Re: rtw88 kernel module error report (UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtw88/phy.c)
From: Larry Finger @ 2021-03-30 18:01 UTC
To: Greg KH, Богдан Пилипенко
Cc: linux-wireless

On 3/30/21 11:33 AM, Greg KH wrote:
> On Tue, Mar 30, 2021 at 07:26:15AM -0900, Богдан Пилипенко wrote:
>> Hi!
>> I found your emails at:
>> - https://github.com/lwfinger/rtw88
>> - https://wireless.wiki.kernel.org/en/users/drivers/rtl819x
>>
>> I have an error in dmesg:
>> *dmesg | grep rtw88*
>>
>>> [ 26.518691] UBSAN: array-index-out-of-bounds in
>>> drivers/net/wireless/realtek/rtw88/phy.c:1661:35
>>> [ 26.518804] rtw_get_tx_power_params+0xc66/0xd80 [rtw88_core]
>>> [ 26.518822] ? check_hw_ready+0x4f/0xa0 [rtw88_core]
>>> [ 26.518836] rtw_phy_get_tx_power_index+0x4d/0x1e0 [rtw88_core]
>>> [ 26.518850] rtw_phy_set_tx_power_level+0xcc/0x1a0 [rtw88_core]
>>> [ 26.518864] rtw_set_channel+0xc1/0x120 [rtw88_core]
>>> [ 26.518878] rtw_ops_config+0x87/0xc0 [rtw88_core]
>>
>>
>> And many-many cyclic errors like (size 224 & size 512):
>> *cat /sys/kernel/debug/kmemleak*
>
> Can you submit a patch for this to resolve the issue as you can
> reproduce it easily?

Greg and Богдан,

I had previously reported the memory leak at
https://marc.info/?l=linux-wireless&m=161677626908838&w=2. Unfortunately, it is
not obvious how to fix it. When the routine exits, the skb in question belongs
to mac80211. It is not clear why it does not free it. I also have an Intel
device that uses iwlmvm. Although the calling sequence to ieee80211_rx_napi()
looks the same, it does not leak the skb. Unfortunately, none of the mac80211
experts have responded to my E-mail.

@Богдан: What kernel version are you using? With kernel HEAD, line 1661 of
drivers/net/wireless/realtek/rtw88/phy.c is a case statement, which should not
generate an array overflow.

Larry

[parent not found: <CALw23pDE4dqjYapETUsxSJ5bhFHraRm3P4nsMq7o+_30rVXKkQ@mail.gmail.com>]
[parent not found: <CALw23pDmLVSTEN4i7tef9a32jDhBVJ5MuAfDP5L5VL0rxi=vow@mail.gmail.com>]
* Re: Fwd: rtw88 kernel module error report (UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtw88/phy.c)
From: Larry Finger @ 2021-03-31 20:16 UTC
To: Богдан Пилипенко, linux-wireless

On 3/30/21 11:23 PM, Богдан Пилипенко wrote:
> I think this should be enough to reproduce the bug:
> 1) enable UBSAN and KMEMLEAK kernel modules. Those modules - are debugger
> subsystems and are switched off by default. And without those modules errors
> will be suppressed.
> 2) activate hardened kernel optimizations. Many other kernel
> configuration options are in config file (attached in first email).

Богдан,

Thanks for the instructions for enabling UBSAN. I have had kmemleak enabled for
several years.

The array overrun occurs in the reference to bw40_base[group] in the following
snippet:

	if (rate <= DESC_RATE11M)
		tx_power = pwr_idx_2g->cck_base[group];
	else
		tx_power = pwr_idx_2g->bw40_base[group];

In main.h, bw40_base is found in struct rtw_2g_txpwr_idx, as u8 bw40_base[5]. In
other code, channel 14 is assigned as group 5, which is where the problem
happens. Unfortunately, if I change to bw40_base[6], reading the efuse breaks,
and I get an rfe of 255. I'm still working on why that happens, but there is
obviously another bug somewhere.

I wrote to the developer, and he has some ideas regarding the memory leak. I
will tackle that problem once I figure out why increasing the dimension breaks
efuse readout.

Larry

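Added example (not part of the thread and not rtw88 code): a standalone C sketch of the mismatch described in the message above, where group 5 (channel 14) indexes the five-element bw40_base, next to a bounds-checked lookup. The struct is a simplified stand-in; cck_base[6], next_member, the DESC_RATE* values and the group mapping for channels 1-13 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define DESC_RATE11M 3 /* assumed value: last CCK rate */
#define DESC_RATE6M  4 /* assumed value: first non-CCK rate */

/* Simplified stand-in. Only bw40_base[5] is stated in the thread;
 * cck_base[6] and next_member are assumptions for illustration. */
struct txpwr_2g {
	uint8_t cck_base[6];
	uint8_t bw40_base[5];
	uint8_t next_member; /* hypothetical: whatever follows the array */
};

/* Channel 14 -> group 5 is from the thread; channels 1-13 are assumed. */
static int channel_group_2g(int channel)
{
	if (channel < 1 || channel > 14)
		return -1;
	return channel == 14 ? 5 : channel / 3;
}

/* Offset an unchecked bw40_base[group] would touch (no access is made). */
static size_t bw40_offset(int group)
{
	return offsetof(struct txpwr_2g, bw40_base) + (size_t)group;
}

/* Bounds-checked lookup: 0 on success, -1 if group does not fit the table. */
static int base_power_2g(const struct txpwr_2g *p, int rate, int group, uint8_t *out)
{
	int cck = rate <= DESC_RATE11M;
	size_t n = cck ? ARRAY_SIZE(p->cck_base) : ARRAY_SIZE(p->bw40_base);
	if (group < 0 || (size_t)group >= n)
		return -1;
	*out = cck ? p->cck_base[group] : p->bw40_base[group];
	return 0;
}

int main(void)
{
	struct txpwr_2g t = { {10, 11, 12, 13, 14, 15}, {20, 21, 22, 23, 24}, 99 }; /* constructed */
	uint8_t v = 0;
	int g = channel_group_2g(14);
	printf("group=%d cck_ok=%d bw40_ok=%d\n", g,
	       base_power_2g(&t, DESC_RATE11M, g, &v) == 0,
	       base_power_2g(&t, DESC_RATE6M, g, &v) == 0);
	return 0;
}
```

For channel 14 the CCK lookup succeeds while the non-CCK lookup is rejected, and bw40_offset(5) lands on the member that follows the array, so an unchecked read returns unrelated data rather than faulting.
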