Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1009323pxb;
        Tue, 17 Aug 2021 01:19:17 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwqVQ3LmUPMZswkouvomS/auOLG9eKR0kcN6UAgdXByUmwGSbocRp0caDpcMEU9kMloDkCy
X-Received: by 2002:aa7:da4a:: with SMTP id w10mr2803540eds.206.1629188357418;
        Tue, 17 Aug 2021 01:19:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629188357; cv=none;
        d=google.com; s=arc-20160816;
        b=B+xWmzgf6QPk59HtGbRaUe3W5fRFc5nZFq7zkofoeZNzyEjorDCCsiMGk7+ahlT38V
         6Krf21WEcVZ5G6eUpHbeD9+QqaHxDNpEQbWz0Gxxh8QAG5dGqlyk0ZJq/PDurQP72GH/
         Zxqwmw3s75uyZTQDs1BLsV2ePrPLwg0GBkZIQldXgX4GlvLm9LnYGu4FAktG68tWhHrt
         DZVTE3fIvc6sLzjfffr4DpxlCubaSL+jlVSau5Tu1fL9JEQzvajdPdxctZDAtSmn7jUG
         troE/Yw9NT/ODfYX/zgj2BSbRCRf3impkc8cBQRJqWHSWKi5xo/5JKEydxIv8M3sCGxT
         clSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dkim-signature:dkim-filter;
        bh=tKnQ8Hf6tmK29QfXcc4OLaulU8Ts+kSCcwVNufAfPsk=;
        b=idBKKcSY4txBMcyiQndMpmknOw/+dz6Pmq5xF44tQRZtHU37ZN32jIiEUtAcqlZV/n
         jhhgnHRsBICZhxGcYYw/UMmat24AHq4HJRJhK99EVj4rx1Nz5AlYeqnewf1qkJM0jmzb
         AWHeXpJCCMZUk2QIjQaWc6TCvj7F8Wy2uknG6MzjA+UhK7awQ9ns67H4KjkAxKa6s75y
         9cZjaJQiWBHI9SeXFGrg+K4L+5/inpCQs+w81IbU3e07kZNVx/7nuTYK9tf/lTgAxJo1
         BeTWd5R+QkWyGZnCsY3aqC4DX5d9eutcUrfGAtDY3ycrWDmotC2lXx2zrSCXDHU4ichs
         dYbA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@broadcom.com header.s=dkimrelay header.b=f4zQFyzM;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g21si1592763eds.535.2021.08.17.01.18.49;
        Tue, 17 Aug 2021 01:19:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@broadcom.com header.s=dkimrelay header.b=f4zQFyzM;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239146AbhHQISi (ORCPT <rfc822;messat.profen@gmail.com>
        + 99 others); Tue, 17 Aug 2021 04:18:38 -0400
Received: from relay.smtp-ext.broadcom.com ([192.19.166.231]:58650 "EHLO
        relay.smtp-ext.broadcom.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S234706AbhHQISf (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 17 Aug 2021 04:18:35 -0400
Received: from bld-lvn-bcawlan-34.lvn.broadcom.net (bld-lvn-bcawlan-34.lvn.broadcom.net [10.75.138.137])
        by relay.smtp-ext.broadcom.com (Postfix) with ESMTP id C118024ACB;
        Tue, 17 Aug 2021 01:18:00 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 relay.smtp-ext.broadcom.com C118024ACB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=broadcom.com;
        s=dkimrelay; t=1629188280;
        bh=0xZ8pgGrQDUx2DKXZLbQE9+YSyK5bQFM0TkSsIlD0I4=;
        h=Subject:To:Cc:References:From:Date:In-Reply-To:From;
        b=f4zQFyzMewT4vwNRW1hNJJ+2dqx6vcMqr6+7/BKKOGLH/SDTsH7i0xGSTi3amDLmo
         WozdnPtPpuRcmhyarV30t9Fpfn9yjxE7jJzp///i/+V3ck6GWhYUkLDb/N9Nw9Xyo7
         dbj6OQnablN+MvKXJCTH60BxqKLkq7waH1np6m5Y=
Received: from [10.230.40.140] (unknown [10.230.40.140])
        by bld-lvn-bcawlan-34.lvn.broadcom.net (Postfix) with ESMTPSA id B3B5B1874BD;
        Tue, 17 Aug 2021 01:17:57 -0700 (PDT)
Subject: Re: 5.10.58 UBSAN from brcmf_sdio_dpc+0xa50/0x128c [brcmfmac]
To:     Arend van Spriel <aspriel@gmail.com>,
        Ryutaroh Matsumoto <ryutaroh@ict.e.titech.ac.jp>
Cc:     linux-rpi-kernel@lists.infradead.org,
        linux-wireless@vger.kernel.org,
        brcm80211-dev-list.pdl@broadcom.com,
        SHA-cyfmac-dev-list@infineon.com, franky.lin@broadcom.com,
        hante.meuleman@broadcom.com, chi-hsien.lin@infineon.com,
        wright.feng@infineon.com, chung-hsien.hsu@infineon.com,
        netdev@vger.kernel.org, David Miller <davem@davemloft.net>
References: <20210816.084210.1700916388797835755.ryutaroh@ict.e.titech.ac.jp>
 <85b31c5a-eb4a-48a0-ad94-e46db00af016@broadcom.com>
 <20210817.093658.33467107987117119.ryutaroh@ict.e.titech.ac.jp>
 <17b52a1ab20.279b.9696ff82abe5fb6502268bdc3b0467d4@gmail.com>
From:   Arend van Spriel <arend.vanspriel@broadcom.com>
Message-ID: <56ea3e65-62f4-2496-edd4-e454126abc66@broadcom.com>
Date:   Tue, 17 Aug 2021 10:17:55 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <17b52a1ab20.279b.9696ff82abe5fb6502268bdc3b0467d4@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

+netdev, +Dave

On 8/17/2021 7:42 AM, Arend van Spriel wrote:
> Using different email to avoid disclaimers...
> 
> 
> On August 17, 2021 2:39:56 AM Ryutaroh Matsumoto 
> <ryutaroh@ict.e.titech.ac.jp> wrote:
> 
>> Hi Arend, thank you for paying attention to this.
>>
>>> Line 2016 in skbuff.h is inline function __skb_queue_before() and as
>>> far as I can tell brcmfmac is not using that direct or indirect. Maybe
>>> I am reading the line info incorrectly?
>>
>> I am unsure of it. On the other hand, I have also seen somewhat similar
>> UBSAN from a header file "include/net/flow.h" as reported at
>> https://lore.kernel.org/netdev/20210813.081908.1574714532738245424.ryutaroh@ict.e.titech.ac.jp/ 
>>
>>
>> All UBSANs that I have seen come from *.h compiled with clang...
>>
>>> Would you be able to provide information as to what line
>>> brcmf_sdio_dpc+0xa50 refers to.
>>
>> I'd like to do, but I do not know how to let kernel UBSAN include a 
>> line number,
>> though I know it with user-space applications...
> 
> If you enable CONFIG_DEBUG_INFO in your kernel .config and recompile 
> brcmfmac you can load the module in gdb:
> 
> gdb> add-symbol-file brcmfmac.ko [address]
> gdb> l *brcmf_sdio_dpc+0xa50
> 
> The [address] is not very important so just fill in a nice value. The 
> 'l' command should provide the line number.

Hi Ryutaroh,

Meanwhile I did some digging in the brcmfmac driver and I think I found 
the location in brcmf_sdio_sendfromq() where we do a __skb_queue_tail(). 
So I looked at that and it does following:

static inline void __skb_queue_tail(struct sk_buff_head *list,
				   struct sk_buff *newsk)
{
	__skb_queue_before(list, (struct sk_buff *)list, newsk);
}

Your report seems to be coming from the cast that is done here, which is 
fine as long as sk_buff and sk_buff_head have the same members 'next' 
and 'prev' at the start, which is true today and hopefully forever ;-) I 
am inclined to say this is a false report.

Can you please confirm the stack trace indeed points to 
brcmf_sdio_sendfromq() in your report.

Regards,
Arend