On 3/30/21 11:33 AM, Greg KH wrote:
> On Tue, Mar 30, 2021 at 07:26:15AM -0900, Богдан Пилипенко wrote:
>> Hi!
>> I found your emails at:
>> - https://github.com/lwfinger/rtw88
>> - https://wireless.wiki.kernel.org/en/users/drivers/rtl819x
>> I have an error in dmesg:
>> *dmesg | grep rtw88*
>> [ 26.518691] UBSAN: array-index-out-of-bounds in
>> drivers/net/wireless/realtek/rtw88/phy.c:1661:35
>> [ 26.518804] rtw_get_tx_power_params+0xc66/0xd80 [rtw88_core]
>> [ 26.518822] ? check_hw_ready+0x4f/0xa0 [rtw88_core]
>> [ 26.518836] rtw_phy_get_tx_power_index+0x4d/0x1e0 [rtw88_core]
>> [ 26.518850] rtw_phy_set_tx_power_level+0xcc/0x1a0 [rtw88_core]
>> [ 26.518864] rtw_set_channel+0xc1/0x120 [rtw88_core]
>> [ 26.518878] rtw_ops_config+0x87/0xc0 [rtw88_core]
>> And many-many cyclic errors like (size 224 & size 512):
>> *cat /sys/kernel/debug/kmemleak*
> Can you submit a patch for this to resolve the issue as you can
> reproduce it easily?
Greg and Богдан,
I had previously reported the memory leak at
https://marc.info/?l=linux-wireless&m=161677626908838&w=2. Unfortunately, it is
not obvious how to fix it. When the routine exits, the skb in question belongs
to mac80211. It is not clear why it does not free it. I also have an Intel
device that uses iwlmvm. Although the calling sequence to ieee80211_rx_napi()
looks the same, it does not leak the skb. Unfortunately, none of the mac80211
experts have responded to my E-mail.
@Богдан: What kernel version are you using? With kernel HEAD, line 1661 of
drivers/net/wireless/realtek/rtw88/phy.c is a case statement, which should not
generate an array overflow.
Larry