2022-09-26 22:49:58

by Stefan Tauner

Subject: UBSAN: shift-out-of-bounds in …/iwlegacy/4965-rs.c:671:18

Hi,

I have updated an ancient Thinkpad T61 to Ubuntu 22.04 and noticed some
UB warnings in dmesg.

[ 14.870724] UBSAN: shift-out-of-bounds in /build/linux-kQ6jNR/linux-5.15.0/drivers/net/wireless/intel/iwlegacy/4965-rs.c:671:18
[ 14.870840] shift exponent -1 is negative
[ 14.870940] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P OE 5.15.0-48-generic #54-Ubuntu
[ 14.870943] Hardware name: LENOVO 6460EDG/6460EDG, BIOS 7LETC6WW (2.26 ) 05/11/2009
[ 14.870945] Call Trace:
[ 14.870948] <IRQ>
[ 14.870951] show_stack+0x52/0x5c
[ 14.870957] dump_stack_lvl+0x4a/0x63
[ 14.870962] dump_stack+0x10/0x16
[ 14.870964] ubsan_epilogue+0x9/0x49
[ 14.870967] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[ 14.870969] ? sock_def_readable+0x4b/0x80
[ 14.870973] ? __netlink_sendskb+0x62/0x80
[ 14.870980] il4965_rs_get_adjacent_rate.constprop.0.cold+0x3a/0xa4 [iwl4965]
[ 14.870990] il4965_rs_get_best_rate.isra.0+0xcc/0x140 [iwl4965]
[ 14.870997] il4965_rs_switch_to_siso.isra.0+0xa7/0x100 [iwl4965]
[ 14.871003] il4965_rs_move_legacy_other.isra.0+0x134/0x4c0 [iwl4965]
[ 14.871010] il4965_rs_rate_scale_perform+0xada/0xd10 [iwl4965]
[ 14.871016] ? kfree_skbmem+0x52/0xa0
[ 14.871019] il4965_rs_tx_status+0x3e0/0x6b0 [iwl4965]
[ 14.871028] rate_control_tx_status+0xb1/0xc0 [mac80211]
[ 14.871128] ieee80211_tx_status_ext+0x20e/0x650 [mac80211]
[ 14.871166] ieee80211_tx_status+0x72/0xa0 [mac80211]
[ 14.871205] ieee80211_tasklet_handler+0xa6/0xd0 [mac80211]
[ 14.871242] tasklet_action_common.constprop.0+0xc0/0xf0
[ 14.871247] tasklet_action+0x22/0x30
[ 14.871249] __do_softirq+0xd9/0x2e7
[ 14.871253] irq_exit_rcu+0x94/0xc0
[ 14.871255] common_interrupt+0x8e/0xa0
[ 14.871258] </IRQ>
[ 14.871259] <TASK>
[ 14.871261] asm_common_interrupt+0x26/0x40
[ 14.871265] RIP: 0010:cpuidle_enter_state+0xd9/0x620
[ 14.871270] Code: 3d c4 ef d9 54 e8 17 d7 68 ff 49 89 c7 0f 1f 44 00 00 31 ff e8 58 e4 68 ff 80 7d d0 00 0f 85 61 01 00 00 fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 6d 01 00 00 4d 63 ee 49 83 fd 09 0f 87 e7 03 00 00
[ 14.871272] RSP: 0018:ffffffffac603db8 EFLAGS: 00000292
[ 14.871275] RAX: 0000000000000000 RBX: ffff9d83f7c3b508 RCX: 0000000000000020
[ 14.871277] RDX: 0000000000001afa RSI: 000000000000a028 RDI: ffffffffac607a40
[ 14.871279] RBP: ffffffffac603e08 R08: 0000000000000000 R09: 000000000000c738
[ 14.871281] R10: 0000000000000004 R11: 071c71c71c71c71c R12: ffffffffac8d3ea0
[ 14.871283] R13: 0000000000000002 R14: 0000000000000002 R15: 00000003765a58ca
[ 14.871286] ? cpuidle_enter_state+0x24a/0x620
[ 14.871289] cpuidle_enter+0x2e/0x50
[ 14.871291] cpuidle_idle_call+0x142/0x1e0
[ 14.871294] do_idle+0x83/0xf0
[ 14.871296] cpu_startup_entry+0x20/0x30
[ 14.871299] rest_init+0xd3/0x100
[ 14.871301] ? acpi_enable_subsystem+0x20b/0x217
[ 14.871306] arch_call_rest_init+0xe/0x23
[ 14.871309] start_kernel+0x4a9/0x4ca
[ 14.871311] x86_64_start_reservations+0x24/0x2a
[ 14.871313] x86_64_start_kernel+0xe4/0xef
[ 14.871316] secondary_startup_64_no_verify+0xc2/0xcb
[ 14.871320] </TASK>

If idx passed to il4965_rs_get_adjacent_rate is 0 then the initial
statement of the first loop tries to 1 << -1 (mask = (1 << i) where
int i = idx - 1), which is indeed UB due to the negative second operand.
The idx AFAICT comes from il4965_rs_rate_scale_perform() but I don't
think it matters too much? Please let me know if I should investigate
further. I didn't notice any ill effects but I didn't test it a lot
either.

The kernel is a pre-compiled 5.15.0 from the Ubuntu repos
(linux-image-5.15.0-48-generic). I had to enable an ancient Nvidia
binary driver which taints it but it happened with nouveau before that
as well.

--
Kind regards/Mit freundlichen Grüßen, Stefan Tauner
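To illustrate the shift the report describes (the for-loop's initial statement computes `mask = (1 << i)` with `int i = idx - 1` before the `i >= 0` check, so `idx == 0` shifts by -1), here is an added user-space model, not the driver's code: `adjacent_unguarded` mirrors that loop shape, `adjacent_guarded` only shifts after the bound check, and the names `RATE_COUNT`, `RATE_INVALID` and both functions are constructed for the example.

```c
/* Added example: models the 1 << (idx - 1) pattern from the report.
 * Not kernel code; constants and function names are constructed. */
#include <stdint.h>
#include <stdio.h>

#define RATE_COUNT   13    /* constructed: bits in use in rate_mask */
#define RATE_INVALID 0xff  /* constructed sentinel for "no such rate" */

/* Loop shape as described in the report: the mask is computed in the
 * for-loop's init clause, i.e. BEFORE the i >= 0 test, so idx == 0
 * evaluates 1 << -1 (UBSAN: shift-out-of-bounds, exponent -1). */
static void adjacent_unguarded(uint8_t idx, uint16_t rate_mask,
                               uint8_t *low, uint8_t *high)
{
    int i = idx - 1;
    uint16_t mask;

    *low = RATE_INVALID;
    *high = RATE_INVALID;
    for (mask = (uint16_t)(1 << i); i >= 0; i--, mask >>= 1)
        if (rate_mask & mask) { *low = (uint8_t)i; break; }

    i = idx + 1;
    for (mask = (uint16_t)(1 << i); i < RATE_COUNT; i++, mask <<= 1)
        if (rate_mask & mask) { *high = (uint8_t)i; break; }
}

/* Hardened form: reject an out-of-range idx up front and build the mask
 * only after i has passed the loop condition, so the shift exponent is
 * always within [0, RATE_COUNT). */
static void adjacent_guarded(uint8_t idx, uint16_t rate_mask,
                             uint8_t *low, uint8_t *high)
{
    int i;

    *low = RATE_INVALID;
    *high = RATE_INVALID;
    if (idx >= RATE_COUNT)           /* e.g. idx == RATE_INVALID */
        return;
    for (i = (int)idx - 1; i >= 0; i--)
        if (rate_mask & (uint16_t)(1u << i)) { *low = (uint8_t)i; break; }
    for (i = (int)idx + 1; i < RATE_COUNT; i++)
        if (rate_mask & (uint16_t)(1u << i)) { *high = (uint8_t)i; break; }
}

int main(void)
{
    uint8_t lo, hi;
    adjacent_unguarded(0, 0x1fff, &lo, &hi);  /* UB: reported by -fsanitize=shift */
    adjacent_guarded(0, 0x1fff, &lo, &hi);    /* no shift by -1 */
    printf("guarded idx=0: low=%u high=%u\n", lo, hi);
    return 0;
}
```

Compiling with `-fsanitize=shift` (gcc or clang) prints the same "shift exponent -1 is negative" diagnostic for the unguarded call that UBSAN printed in the dmesg above.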