Received: by 10.223.176.46 with SMTP id f43csp875818wra;
        Fri, 19 Jan 2018 03:29:11 -0800 (PST)
X-Google-Smtp-Source: ACJfBovDrDIZHyAnf2Y9+C4/oGrx3KRmDQ3805n4EkgpEib+dkCOD7iLKz5zKtSH4b9UaYxWw5Ct
X-Received: by 10.99.113.11 with SMTP id m11mr31099164pgc.57.1516361351600;
        Fri, 19 Jan 2018 03:29:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516361351; cv=none;
        d=google.com; s=arc-20160816;
        b=lE1xmxDDE+E1kTMi+yjrM/o2Ra4cVLu05Ql1vsqHJxzCSL99iqz0jttJDF7kFYb2ge
         Wz0tcnOEJAhtUjr1ITjsQ9X72J2ZxaRVp25Jy3beD+im6t48LOTLgr605ZbzbfbmwZlM
         qSk8jmW7ikI8jNgKkwMNibmZJ0Y5oCTy8d4LGYrgh6ywQdDC/fdnnQJ6FLih2F1YZ7bW
         tIPhNw07GHcZCVQWuvEyBFjP+4laX31IWbrKOKFdrjVM2F7ofb3JuoCD1wGN/IcwR+KB
         5WD/jKwmMBL0gJwFVSi1pBJ457KN0nfFysDx5Q+TaX0v0eYOYMeEAjH7q9yzKG25Ps1i
         kd3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:references:in-reply-to:mime-version
         :dkim-signature:arc-authentication-results;
        bh=sFuU2qkxhZKLktm3gkxp8/JIrYraguh/1tmPq6DOVM0=;
        b=qOT1Yjr4EkxaaYI50+ZvNu9F9VdIHTAtPoIhSUt2IZnpe7wmtzqJvwmRtgdGYUDjCI
         oo0yqVzJBJBaKEQHG6bd1EwA0gOOZFRfJj+E/vC4+Khy/McioQXxta2VrHzRXHJgePPX
         fb5CokQtvywl7gWWBbOcSdzg/c982UfWUmYy9BDXJXIgNkXKlAAs8EayyTkm8oZxX1Hq
         KCBjH517TZqZ8029c0JuwkuYfTEUboxT8mYeilQbCdahFe5cJfVI+aYhpFI4p2C0Tsv0
         gRVjE1RrbDc4Lgs4RNhRxYQwKd8nzEdA/fbm5wk3zM0webeETfcjWjLSiZaBOjKCDn07
         jENA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=UnxV7KA0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a78si9211311pfc.276.2018.01.19.03.28.57;
        Fri, 19 Jan 2018 03:29:11 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=UnxV7KA0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755433AbeASL2d (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Fri, 19 Jan 2018 06:28:33 -0500
Received: from mail-oi0-f67.google.com ([209.85.218.67]:43574 "EHLO
        mail-oi0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754070AbeASL2Z (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Jan 2018 06:28:25 -0500
Received: by mail-oi0-f67.google.com with SMTP id t16so890520oif.10;
        Fri, 19 Jan 2018 03:28:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=sFuU2qkxhZKLktm3gkxp8/JIrYraguh/1tmPq6DOVM0=;
        b=UnxV7KA0lOMTj3JDPy6wRGU2/9Av9+aUINl/hf279OMA/S5LPAWi9ve00/ThZNWEhr
         0fmae2OXLa8zIGbwnwbq5oNSIyQTAoPjrmluX1oMV+ouMemMylPAkXp/MSkmhX6wQbsG
         c/dYQDm8BrZIbWvclQ/nZjuQej32GFmx2bVKgOTc4/VrpBba1kIT94qqsLwIwCSvPhr+
         roVDwj8P/obx3LQyzcdFVOm1/3zzddqOSY/Fz22/nl/BFyjz1hV37891/v6f6zOKKQyU
         vTrezNj4bYFxmjMfUwlB7o+pAfghO4ZuvyQcREDjZUzZe2sg4aq68Dt3cPQ2B+pkXhvA
         1OWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=sFuU2qkxhZKLktm3gkxp8/JIrYraguh/1tmPq6DOVM0=;
        b=pqSf0g8HaFzFSams/Wp98blgXAzbrsrO9DfCP2DoiGPcUETxxgJFrwlacKudiFoNQS
         N7BwjsCnf7YIUpisQzaR/chf0jsTztzJs+PeanonTqex1TXuVps/fB/BgemDL6OEHgGQ
         wCO1Fqy5LhOoG78tji+Uw99dFi5CMlwqBfFTfWpOeIwEqFpmdh40y6gn3AJ6INEnI4Yc
         6ZDYDBviGHDGUscVPRij20JU8UZPS4U6vivZJX9Uq/Ivqx8d6B8eEPwjsOSni1/VKjwK
         j50dqhOgQFLJchB/zmcYAP3k2J2G1yP7jtCB7cJUWUNs9VcR628o0y4P8/9Dp4mgnFWe
         Lpuw==
X-Gm-Message-State: AKwxytd6no2gOu7HoBwFwlN5M9f4PMBfRsG7DHIQD+0tazA8S3cy4jfY
        YvBNNDJosNv2OpY5u90CLRTxZ7ZvjQmWMMuncBw=
X-Received: by 10.202.10.77 with SMTP id 74mr4442014oik.317.1516361304838;
 Fri, 19 Jan 2018 03:28:24 -0800 (PST)
MIME-Version: 1.0
Received: by 10.74.76.137 with HTTP; Fri, 19 Jan 2018 03:28:24 -0800 (PST)
In-Reply-To: <87d1269mes.fsf@kamboji.qca.qualcomm.com>
References: <70aa931f-2f02-dd26-c98b-695d1321f71b@molgen.mpg.de> <87d1269mes.fsf@kamboji.qca.qualcomm.com>
From:   Andrey Ryabinin <ryabinin.a.a@gmail.com>
Date:   Fri, 19 Jan 2018 14:28:24 +0300
Message-ID: <CAPAsAGz1pihgiBML7CExjKgFkVC5SLkN=+183gJJOFGv29Fd-A@mail.gmail.com>
Subject: Re: UBSAN: Undefined behaviour in drivers/net/wireless/ath/ath10k/mac.c:3092:53:
 signed integer overflow
To:     Kalle Valo <kvalo@codeaurora.org>
Cc:     Paul Menzel <pmenzel+linux-ath10k@molgen.mpg.de>,
        ath10k@lists.infradead.org, LKML <linux-kernel@vger.kernel.org>,
        Mario Limonciello <mario.limonciello@dell.com>,
        it+linux-ath10k@molgen.mpg.de,
        linux-wireless <linux-wireless@vger.kernel.org>,
        Felix Fietkau <nbd@openwrt.org>,
        Johannes Berg <johannes.berg@intel.com>,
        Michal Kazior <michal.kazior@tieto.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

2018-01-19 13:24 GMT+03:00 Kalle Valo <kvalo@codeaurora.org>:
> Adding linux-wireless.
>
> For linux-wireless the full report is here:
>
> https://lkml.kernel.org/r/70aa931f-2f02-dd26-c98b-695d1321f71b@molgen.mpg=
.de
>
> Paul Menzel <pmenzel+linux-ath10k@molgen.mpg.de> writes:
>
>> I enabled the undefined behavior sanitizer, and built Linus=E2=80=99 mas=
ter
>> branch under Ubuntu 16.04 with gcc (Ubuntu 5.4.0-6ubuntu1~16.04.5)
>> 5.4.0 20160609.
>
> As you just recently enabled UBSAN I guess I can assume that this isn't
> a new regression but instead the bug is an old issue?
>
> Can you reproduce the problem easily? That would help with testing
> patches.
>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
>> [  960.737730] UBSAN: Undefined behaviour in
>> drivers/net/wireless/ath/ath10k/mac.c:3092:53
>
> This line is from ath10k_update_channel_list():
>
>                         ch->max_antenna_gain =3D channel->max_antenna_gai=
n * 2;
>
>> [  960.737733] signed integer overflow:
>> [  960.737735] 2147483647 * 2 cannot be represented in type 'int'
>
> 2147483647 is MAX_INT but I can't immeaditely figure out where that's
> coming from. Maybe unitialised stack somewhere?
>

It comes from wiphy_register(), where INT_MAX assigned to channels[i].orig_=
mag.
See c4a9fafc77a5 ("cfg80211: fix antenna gain handling")

Later ->orig_mag copied into ->max_antenna_gain in resotre_custom_reg_setti=
ngs()
And finally ath10k_update_channel_list() multiplies ->max_antenna_gain by 2
( since commit 02256930d9b8 ("ath10k: use proper tx power unit") ).



>> [  960.737738] CPU: 1 PID: 2663 Comm: crda Not tainted 4.15.0-rc6+ #36
>> [  960.737739] Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 2.4.2
>> 11/21/2017
>> [  960.737740] Call Trace:
>> [  960.737749]  dump_stack+0x70/0xb2
>> [  960.737753]  ubsan_epilogue+0x9/0x40
>> [  960.737758]  handle_overflow+0xce/0xf0
>> [  960.737762]  ? ecryptfs_decode_and_decrypt_filename+0x104/0x530
>> [  960.737764]  ? __kmalloc+0x265/0x370
>> [  960.737774]  ath10k_regd_update+0x39d/0x5f0 [ath10k_core]
>> [  960.737782]  ath10k_reg_notifier+0x114/0x180 [ath10k_core]
>> [  960.737802]  set_regdom+0x275/0x910 [cfg80211]
>> [  960.737821]  nl80211_set_reg+0x19c/0x630 [cfg80211]
>> [  960.737826]  genl_family_rcv_msg+0x2c4/0x610
>> [  960.737830]  ? radix_tree_next_chunk+0x9f/0x570
>> [  960.737832]  genl_rcv_msg+0x5d/0xe0
>> [  960.737835]  ? __alloc_skb+0x82/0x260
>> [  960.737838]  ? genl_family_rcv_msg+0x610/0x610
>> [  960.737840]  netlink_rcv_skb+0xd5/0x130
>> [  960.737842]  genl_rcv+0x24/0x40
>> [  960.737844]  netlink_unicast+0x1cc/0x300
>> [  960.737847]  netlink_sendmsg+0x29a/0x5f0
>> [  960.737850]  sock_sendmsg+0x4c/0xa0
>> [  960.737853]  ___sys_sendmsg+0x30e/0x440
>> [  960.737857]  ? pagevec_lru_move_fn+0xc3/0x130
>> [  960.737859]  ? trace_event_raw_event_mm_lru_activate+0x100/0x100
>> [  960.737862]  ? __lru_cache_add+0x6a/0xb0
>> [  960.737865]  ? __sys_sendmsg+0x51/0x90
>> [  960.737868]  __sys_sendmsg+0x51/0x90
>> [  960.737872]  entry_SYSCALL_64_fastpath+0x1e/0x81
>