2021-03-31 20:17:55

by Larry Finger

[permalink] [raw]
Subject: Re: Fwd: rtw88 kernel module error report (UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtw88/phy.c)

On 3/30/21 11:23 PM, Богдан Пилипенко wrote:
> I think this should be enough to reproduce the bug:
> 1) enable UBSAN and KMEMLEAK kernel modules. Those modules - are debugger
> subsystems and are switched off by default. And without those modules errors
> will be suppressed.
> 2) activate hardened kernel optimizations. Many other kernel
> configuration options are in config file (attached in first email).


Thanks for the instructions for enabling UBSAN. I have had kmemleak enabled for
several years.

The array overrun occurs in the reference to bw40_base[group] in the following

if (rate <= DESC_RATE11M)
tx_power = pwr_idx_2g->cck_base[group];
tx_power = pwr_idx_2g->bw40_base[group];

In main.h, bw40_base found in struct rtw_2g_txpwr_idx, as u8 bw40_base[5]. In
other code, channel 14 is assigned as group 5, which is where the problem
happens. Unfortunately, if I change to bw40_base[6], reading the efuse breaks,
and I get an rfe of 255. I'm still working on why that happens, but there is
obviously another bug somewhere.

I wrote to the developer, and he has some ideas regarding the memory leak. I
will tackle that problem once I figure out why increasing the dimension breaks
efuse readout.