2021-03-31 20:17:55

by Larry Finger

Subject: Re: Fwd: rtw88 kernel module error report (UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtw88/phy.c)

On 3/30/21 11:23 PM, Богдан Пилипенко wrote:
> I think this should be enough to reproduce the bug:
> 1) enable UBSAN and KMEMLEAK kernel modules. Those modules are debugger
> subsystems and are switched off by default. And without those modules errors
> will be suppressed.
> 2) activate hardened kernel optimizations. Many other kernel
> configuration options are in config file (attached in first email).

Богдан,

Thanks for the instructions for enabling UBSAN. I have had kmemleak enabled for
several years.

The array overrun occurs in the reference to bw40_base[group] in the following
snippet:

	if (rate <= DESC_RATE11M)
		tx_power = pwr_idx_2g->cck_base[group];
	else
		tx_power = pwr_idx_2g->bw40_base[group];

In main.h, bw40_base is found in struct rtw_2g_txpwr_idx, as u8 bw40_base[5]. In
other code, channel 14 is assigned as group 5, which is where the problem
happens. Unfortunately, if I change to bw40_base[6], reading the efuse breaks,
and I get an rfe of 255. I'm still working on why that happens, but there is
obviously another bug somewhere.

I wrote to the developer, and he has some ideas regarding the memory leak. I
will tackle that problem once I figure out why increasing the dimension breaks
efuse readout.

Larry
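The following is an added example, not code from Larry's mail or from the rtw88 driver. It models the situation the mail describes (a five-entry bw40_base table and a channel-to-group mapping that puts channel 14 in group 5) with a constructed struct and constructed values, and shows the bounds check that turns the out-of-range lookup UBSAN reported into a handled error, plus an init-time audit that finds such mismatches without waiting for a UBSAN splat. The struct name txpwr_idx_2g, the cck_base[6] size, the DESC_RATE11M value and the channel_to_group mapping are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the driver's 2.4 GHz power-index table.
 * bw40_base[5] follows the mail; cck_base[6] is an assumption. */
struct txpwr_idx_2g {
	uint8_t cck_base[6];
	uint8_t bw40_base[5];
};

#define DESC_RATE11M 3	/* assumption: rates 0..3 are the CCK rates */

/* Constructed sample table so the lookups below can run stand-alone. */
static const struct txpwr_idx_2g sample_tbl = {
	{ 1, 2, 3, 4, 5, 6 },
	{ 7, 8, 9, 10, 11 },
};

/* Hypothetical channel -> group mapping, with channel 14 in group 5
 * as the mail describes. Returns -1 for channels outside 1..14. */
static int channel_to_group(int channel)
{
	if (channel < 1 || channel > 14)
		return -1;
	if (channel == 14)
		return 5;
	return (channel - 1) / 3;	/* ch 1-3 -> 0, 4-6 -> 1, ..., 13 -> 4 */
}

/* The lookup from the mail, with an explicit bounds check per array.
 * Returns -1 instead of reading past the end of the table. */
static int tx_power_for(const struct txpwr_idx_2g *p, int rate, int group)
{
	if (group < 0)
		return -1;
	if (rate <= DESC_RATE11M) {
		if ((size_t)group >= sizeof(p->cck_base))
			return -1;
		return p->cck_base[group];
	}
	if ((size_t)group >= sizeof(p->bw40_base))
		return -1;
	return p->bw40_base[group];
}

/* Init-time audit: count (channel, rate-class) pairs whose group would
 * index out of bounds. With the mapping above, channel 14 on a non-CCK
 * rate is the one unsafe pair, matching the overrun the mail describes. */
static int audit_groups(void)
{
	int bad = 0;

	for (int ch = 1; ch <= 14; ch++) {
		int g = channel_to_group(ch);

		if (tx_power_for(&sample_tbl, 0, g) < 0)
			bad++;	/* CCK lookup */
		if (tx_power_for(&sample_tbl, DESC_RATE11M + 1, g) < 0)
			bad++;	/* OFDM/HT lookup */
	}
	return bad;
}

int main(void)
{
	printf("unsafe (channel, rate-class) pairs: %d\n", audit_groups());
	return 0;
}
```

Running the audit once at probe time, before any per-packet lookup, is the kind of check that would have surfaced this mismatch on a kernel built without UBSAN as well.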