2018-01-19 13:24 GMT+03:00 Kalle Valo <kv...@codeaurora.org>:
> Adding linux-wireless.
>
> For linux-wireless the full report is here:
>
> https://lkml.kernel.org/r/70aa931f-2f02-dd26-c98b-695d1321f...@molgen.mpg.de
>
> Paul Menzel <pmenzel+linux-ath...@molgen.mpg.de> writes:
>
>> I enabled the undefined behavior sanitizer, and built Linus’ master
>> branch under Ubuntu 16.04 with gcc (Ubuntu 5.4.0-6ubuntu1~16.04.5)
>> 5.4.0 20160609.
>
> As you just recently enabled UBSAN I guess I can assume that this isn't
> a new regression but instead the bug is an old issue?
>
> Can you reproduce the problem easily? That would help with testing
> patches.
>
>> ================================================================================
>> [  960.737730] UBSAN: Undefined behaviour in
>> drivers/net/wireless/ath/ath10k/mac.c:3092:53
>
> This line is from ath10k_update_channel_list():
>
>                         ch->max_antenna_gain = channel->max_antenna_gain * 2;
>
>> [  960.737733] signed integer overflow:
>> [  960.737735] 2147483647 * 2 cannot be represented in type 'int'
>
> 2147483647 is MAX_INT but I can't immeaditely figure out where that's
> coming from. Maybe unitialised stack somewhere?
>

It comes from wiphy_register(), where INT_MAX assigned to channels[i].orig_mag.
See c4a9fafc77a5 ("cfg80211: fix antenna gain handling")

Later ->orig_mag copied into ->max_antenna_gain in resotre_custom_reg_settings()
And finally ath10k_update_channel_list() multiplies ->max_antenna_gain by 2
( since commit 02256930d9b8 ("ath10k: use proper tx power unit") ).



>> [  960.737738] CPU: 1 PID: 2663 Comm: crda Not tainted 4.15.0-rc6+ #36
>> [  960.737739] Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 2.4.2
>> 11/21/2017
>> [  960.737740] Call Trace:
>> [  960.737749]  dump_stack+0x70/0xb2
>> [  960.737753]  ubsan_epilogue+0x9/0x40
>> [  960.737758]  handle_overflow+0xce/0xf0
>> [  960.737762]  ? ecryptfs_decode_and_decrypt_filename+0x104/0x530
>> [  960.737764]  ? __kmalloc+0x265/0x370
>> [  960.737774]  ath10k_regd_update+0x39d/0x5f0 [ath10k_core]
>> [  960.737782]  ath10k_reg_notifier+0x114/0x180 [ath10k_core]
>> [  960.737802]  set_regdom+0x275/0x910 [cfg80211]
>> [  960.737821]  nl80211_set_reg+0x19c/0x630 [cfg80211]
>> [  960.737826]  genl_family_rcv_msg+0x2c4/0x610
>> [  960.737830]  ? radix_tree_next_chunk+0x9f/0x570
>> [  960.737832]  genl_rcv_msg+0x5d/0xe0
>> [  960.737835]  ? __alloc_skb+0x82/0x260
>> [  960.737838]  ? genl_family_rcv_msg+0x610/0x610
>> [  960.737840]  netlink_rcv_skb+0xd5/0x130
>> [  960.737842]  genl_rcv+0x24/0x40
>> [  960.737844]  netlink_unicast+0x1cc/0x300
>> [  960.737847]  netlink_sendmsg+0x29a/0x5f0
>> [  960.737850]  sock_sendmsg+0x4c/0xa0
>> [  960.737853]  ___sys_sendmsg+0x30e/0x440
>> [  960.737857]  ? pagevec_lru_move_fn+0xc3/0x130
>> [  960.737859]  ? trace_event_raw_event_mm_lru_activate+0x100/0x100
>> [  960.737862]  ? __lru_cache_add+0x6a/0xb0
>> [  960.737865]  ? __sys_sendmsg+0x51/0x90
>> [  960.737868]  __sys_sendmsg+0x51/0x90
>> [  960.737872]  entry_SYSCALL_64_fastpath+0x1e/0x81
>

Reply via email to