Received: by 10.223.176.46 with SMTP id f43csp818130wra;
        Fri, 19 Jan 2018 02:25:20 -0800 (PST)
X-Google-Smtp-Source: ACJfBovHUyLUMUq/RjrLsYhwDmk0nWxh0YEJQaiaB8q833HqVuDhOtK06iXajFRAP9W0CxMl9Nsa
X-Received: by 10.98.32.151 with SMTP id m23mr39636787pfj.182.1516357519955;
        Fri, 19 Jan 2018 02:25:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516357519; cv=none;
        d=google.com; s=arc-20160816;
        b=m+Wp4rVTXA2Dtu7uAQDcEE+1xlg2ya/1q+5BzgzsClvTEy0Zg4zXFR9gAPSF5FMcCx
         bJU6rE29DtwRh81tunc9pmtE8hH6allfdgYIGf6Cd1s7ppSc6vhypMy2v9fdAq0Ukn8f
         Ixq/HhUB/Usu5akTmuWy1adHgUzA47rP47HXRIIfq6G+mHHWnUAtZ+Zr2W/IRzP/qgpj
         3xgB90M5cXQBm3v8jmooZzj122tvE+F8StWQ9qnbWjfeQYtVsI3F9/485byn9Wy+k71q
         75unyEaKguF6izTgJ+10RLA/T6WG7maByU+gzHioH1FvyzHys5u7vuiM+XIIWKV0GXF1
         PXmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:message-id:in-reply-to:date:references:subject:cc:to
         :from:dmarc-filter:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=3Uy4ICjRlzPRctEZHojjYXNp9XYwowsMXdF21+Hq6jA=;
        b=z8h/LMWVeot7UlsYmXSASdgWCkOGdVQbfyb7oqzNILFk9sVA1As9rCDlNtTNlhNylR
         A01fhvpIZ3qDqpJaz3kBJ/bj7iRYCHt2ZeZXqw/h4yuEe3HBwBMGJO6oK37fDbgrW9iZ
         PDzSRScDiq7OZevp6QAIKfuISJ3OnVVT8AIc721rS9ZtZyZmxTdkhNvDeubSuyMAsKRa
         alDlf+6s9ujjhpPtbbMpk4VyeM+bmVhVaTPLFw3/x5+DaCQQQfjmJnViUc7WlW/EW7fl
         1c7r3OdSsKApNdrtcW4HmTVyx+q5NIqF3BA01aor0JuVNkmodVQKtRJ3FM826mRi0kIv
         1SpQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=CSfW5WsG;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=ad3ptfwi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w1si7819028pgq.386.2018.01.19.02.25.05;
        Fri, 19 Jan 2018 02:25:19 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=CSfW5WsG;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=ad3ptfwi;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755445AbeASKY1 (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Fri, 19 Jan 2018 05:24:27 -0500
Received: from smtp.codeaurora.org ([198.145.29.96]:33274 "EHLO
        smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754930AbeASKYS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Jan 2018 05:24:18 -0500
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
        id F0C2460712; Fri, 19 Jan 2018 10:24:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1516357457;
        bh=bm0JquzFOr6xrWv6AeotByZWxWp7ZjyfYp1zuzhdIAE=;
        h=From:To:Cc:Subject:References:Date:In-Reply-To:From;
        b=CSfW5WsGqu9o/d2TYCEYg4wTTKQkSskFjoN96CTeW3R0OLTH2mT8SAr8hBRyI0EUp
         6ekSj4DaRMKKYOwlGBGTdKu+TRwDmniFxkMneetz2/SDwPGVuVEVnWhXizGE/Nkfuq
         5HPe+J6o1f/PVhI8AZZdoNbJRhSp/Yg6ZvuzGuJ8=
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        pdx-caf-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00,
        DKIM_SIGNED,T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0
Received: from potku.adurom.net (a88-114-240-52.elisa-laajakaista.fi [88.114.240.52])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: kvalo@smtp.codeaurora.org)
        by smtp.codeaurora.org (Postfix) with ESMTPSA id E1F0860712;
        Fri, 19 Jan 2018 10:24:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1516357456;
        bh=bm0JquzFOr6xrWv6AeotByZWxWp7ZjyfYp1zuzhdIAE=;
        h=From:To:Cc:Subject:References:Date:In-Reply-To:From;
        b=ad3ptfwiY35vGrhZkjnACB4yf2E7zAMnlNBHVtEho7u9HRdB8uK+kgDqUqdX7fEHx
         eZJo8I8q/+qi4oAXJbPbZ8rrWL0I70sg+Mb1tEx7tCUBHMugtUNElDitzshfXEaLbP
         gaTOF5XGTLvfAIMfnj9gUvQGM3PrPLBem6GlsMQw=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org E1F0860712
Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=kvalo@codeaurora.org
From:   Kalle Valo <kvalo@codeaurora.org>
To:     Paul Menzel <pmenzel+linux-ath10k@molgen.mpg.de>
Cc:     <ath10k@lists.infradead.org>, <linux-kernel@vger.kernel.org>,
        "Mario Limonciello" <mario.limonciello@dell.com>,
        <it+linux-ath10k@molgen.mpg.de>, linux-wireless@vger.kernel.org
Subject: Re: UBSAN: Undefined behaviour in drivers/net/wireless/ath/ath10k/mac.c:3092:53: signed integer overflow
References: <70aa931f-2f02-dd26-c98b-695d1321f71b@molgen.mpg.de>
Date:   Fri, 19 Jan 2018 12:24:11 +0200
In-Reply-To: <70aa931f-2f02-dd26-c98b-695d1321f71b@molgen.mpg.de> (Paul
        Menzel's message of "Wed, 3 Jan 2018 17:34:08 +0100")
Message-ID: <87d1269mes.fsf@kamboji.qca.qualcomm.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Adding linux-wireless.=20

For linux-wireless the full report is here:

https://lkml.kernel.org/r/70aa931f-2f02-dd26-c98b-695d1321f71b@molgen.mpg.de

Paul Menzel <pmenzel+linux-ath10k@molgen.mpg.de> writes:

> I enabled the undefined behavior sanitizer, and built Linus=E2=80=99 mast=
er
> branch under Ubuntu 16.04 with gcc (Ubuntu 5.4.0-6ubuntu1~16.04.5)
> 5.4.0 20160609.

As you just recently enabled UBSAN I guess I can assume that this isn't
a new regression but instead the bug is an old issue?

Can you reproduce the problem easily? That would help with testing
patches.

> ```
> $ grep UBSAN /boot/config-4.15.0-rc6+
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=3Dy
> # CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set
> CONFIG_UBSAN=3Dy
> CONFIG_UBSAN_SANITIZE_ALL=3Dy
> # CONFIG_UBSAN_ALIGNMENT is not set
> CONFIG_UBSAN_NULL=3Dy
> ```
>
> Suspending and resuming the system *Dell XPS 13 9360* from ACPI S3 the
> messages below are printed.
>
> ```
> $ git describe --tags
> 4.15-rc6
> $ git log --oneline -1
> 30a7acd Linux 4.15-rc6
> $ dmesg
> [=E2=80=A6]
> [  960.737724]
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
> [  960.737730] UBSAN: Undefined behaviour in
> drivers/net/wireless/ath/ath10k/mac.c:3092:53

This line is from ath10k_update_channel_list():

			ch->max_antenna_gain =3D channel->max_antenna_gain * 2;

> [  960.737733] signed integer overflow:
> [  960.737735] 2147483647 * 2 cannot be represented in type 'int'

2147483647 is MAX_INT but I can't immeaditely figure out where that's
coming from. Maybe unitialised stack somewhere?

> [  960.737738] CPU: 1 PID: 2663 Comm: crda Not tainted 4.15.0-rc6+ #36
> [  960.737739] Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 2.4.2
> 11/21/2017
> [  960.737740] Call Trace:
> [  960.737749]  dump_stack+0x70/0xb2
> [  960.737753]  ubsan_epilogue+0x9/0x40
> [  960.737758]  handle_overflow+0xce/0xf0
> [  960.737762]  ? ecryptfs_decode_and_decrypt_filename+0x104/0x530
> [  960.737764]  ? __kmalloc+0x265/0x370
> [  960.737774]  ath10k_regd_update+0x39d/0x5f0 [ath10k_core]
> [  960.737782]  ath10k_reg_notifier+0x114/0x180 [ath10k_core]
> [  960.737802]  set_regdom+0x275/0x910 [cfg80211]
> [  960.737821]  nl80211_set_reg+0x19c/0x630 [cfg80211]
> [  960.737826]  genl_family_rcv_msg+0x2c4/0x610
> [  960.737830]  ? radix_tree_next_chunk+0x9f/0x570
> [  960.737832]  genl_rcv_msg+0x5d/0xe0
> [  960.737835]  ? __alloc_skb+0x82/0x260
> [  960.737838]  ? genl_family_rcv_msg+0x610/0x610
> [  960.737840]  netlink_rcv_skb+0xd5/0x130
> [  960.737842]  genl_rcv+0x24/0x40
> [  960.737844]  netlink_unicast+0x1cc/0x300
> [  960.737847]  netlink_sendmsg+0x29a/0x5f0
> [  960.737850]  sock_sendmsg+0x4c/0xa0
> [  960.737853]  ___sys_sendmsg+0x30e/0x440
> [  960.737857]  ? pagevec_lru_move_fn+0xc3/0x130
> [  960.737859]  ? trace_event_raw_event_mm_lru_activate+0x100/0x100
> [  960.737862]  ? __lru_cache_add+0x6a/0xb0
> [  960.737865]  ? __sys_sendmsg+0x51/0x90
> [  960.737868]  __sys_sendmsg+0x51/0x90
> [  960.737872]  entry_SYSCALL_64_fastpath+0x1e/0x81

Ok, so crda calls NL80211_CMD_SET_REG and somehow ath10k gets
max_antenna_gain as MAX_INT, but no idea why.

> [  960.737875] RIP: 0033:0x7ff956d7c450
> [  960.737877] RSP: 002b:00007ffd454a2418 EFLAGS: 00000246 ORIG_RAX:
> 000000000000002e
> [  960.737879] RAX: ffffffffffffffda RBX: 00007ff957038b20 RCX:
> 00007ff956d7c450
> [  960.737880] RDX: 0000000000000000 RSI: 00007ffd454a24a0 RDI:
> 0000000000000000
> [  960.737881] RBP: 0000000000001010 R08: 0000000000000000 R09:
> 0000000001254010
> [  960.737882] R10: 00000000000000eb R11: 0000000000000246 R12:
> 00007ff957038b78
> [  960.737883] R13: 000000000125c360 R14: 0000000001254000 R15:
> 0000000001254000
> [  960.737885]
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
> [  970.814067] PM: suspend entry (deep)
> [  970.814103] PM: Syncing filesystems ... done.
> [  970.830679] Freezing user space processes ... (elapsed 0.001
> seconds) done.
> [  970.832429] OOM killer disabled.
> [  970.832430] Freezing remaining freezable tasks ... (elapsed 0.001
> seconds) done.
> [  970.833581] Suspending console(s) (use no_console_suspend to debug)
> [  971.250651] psmouse serio1: Failed to disable mouse on isa0060/serio1
> [=E2=80=A6]
> [  975.724595] ath10k_pci 0000:3a:00.0: Unknown eventid: 90118
> [  975.780813] IPv6: ADDRCONF(NETDEV_UP): wlp58s0: link is not ready
> [  975.874965] IPv6: ADDRCONF(NETDEV_UP): wlp58s0: link is not ready
> [  985.562004] wlp58s0: authenticate with 6c:f3:7f:10:ae:18
> [  985.562028]
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
> [  985.562037] UBSAN: Undefined behaviour in
> drivers/net/wireless/ath/ath10k/mac.c:1444:65
> [  985.562041] signed integer overflow:
> [  985.562044] 2147483647 * 2 cannot be represented in type 'int'

Again max_antenna_gain with MAX_INT but now from
ath10k_vdev_start_restart():

	arg.channel.max_antenna_gain =3D chandef->chan->max_antenna_gain * 2;

> [  985.562049] CPU: 0 PID: 1135 Comm: wpa_supplicant Not tainted
> 4.15.0-rc6+ #36
> [  985.562051] Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 2.4.2
> 11/21/2017
> [  985.562052] Call Trace:
> [  985.562064]  dump_stack+0x70/0xb2
> [  985.562069]  ubsan_epilogue+0x9/0x40
> [  985.562075]  handle_overflow+0xce/0xf0
> [  985.562107]  ? cfg80211_iter_combinations+0x2b8/0x670 [cfg80211]
> [  985.562124]  ath10k_vdev_start_restart+0x42c/0x5d0 [ath10k_core]
> [  985.562138]  ath10k_mac_op_assign_vif_chanctx+0x6e/0x310 [ath10k_core]
> [  985.562150]  ? ath10k_config+0xd0/0xd0 [ath10k_core]
> [  985.562190]  ieee80211_assign_vif_chanctx+0x1ff/0x960 [mac80211]
> [  985.562229]  ieee80211_vif_use_channel+0x1a6/0x480 [mac80211]
> [  985.562265]  ieee80211_prep_connection+0x48f/0xfb0 [mac80211]
> [  985.562300]  ? __sdata_info+0x68/0x100 [mac80211]
> [  985.562336]  ieee80211_mgd_auth+0x32b/0x4c0 [mac80211]
> [  985.562375]  cfg80211_mlme_auth+0x17f/0x480 [cfg80211]
> [  985.562383]  ? sock_poll+0x64/0x150
> [  985.562412]  nl80211_authenticate+0x3e7/0x7c0 [cfg80211]
> [  985.562420]  genl_family_rcv_msg+0x2c4/0x610
> [  985.562426]  ? ep_poll_callback+0x14e/0x4e0
> [  985.562431]  genl_rcv_msg+0x5d/0xe0
> [  985.562434]  ? __alloc_skb+0x82/0x260
> [  985.562437]  ? genl_family_rcv_msg+0x610/0x610
> [  985.562440]  netlink_rcv_skb+0xd5/0x130
> [  985.562445]  genl_rcv+0x24/0x40
> [  985.562448]  netlink_unicast+0x1cc/0x300
> [  985.562451]  netlink_sendmsg+0x29a/0x5f0
> [  985.562456]  sock_sendmsg+0x4c/0xa0
> [  985.562460]  ___sys_sendmsg+0x30e/0x440
> [  985.562465]  ? sock_sendmsg+0x4c/0xa0
> [  985.562468]  ? SYSC_sendto+0xef/0x1a0
> [  985.562473]  ? __sys_sendmsg+0x51/0x90
> [  985.562476]  __sys_sendmsg+0x51/0x90
> [  985.562483]  entry_SYSCALL_64_fastpath+0x1e/0x81

This time wpasupplicant calling NL80211_CMD_AUTHENTICATE after resume,
which is normal.

No time to investigate more right now, but hopefully others have some
ideas.

--=20
Kalle Valo