
Re: Fwd: rtw88 kernel module error report (UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtw88/phy.c)

On 3/30/21 11:23 PM, Богдан Пилипенко wrote:
I think this should be enough to reproduce the bug:
1) Enable the UBSAN and KMEMLEAK kernel modules. Those modules are debugging subsystems and are switched off by default; without them, the errors will be suppressed.
2) Activate the hardened kernel optimizations. Many other kernel configuration options are in the config file (attached in the first email).

Богдан,

Thanks for the instructions for enabling UBSAN. I have had kmemleak enabled for several years.

The array overrun occurs in the reference to bw40_base[group] in the following snippet:

        if (rate <= DESC_RATE11M)
                tx_power = pwr_idx_2g->cck_base[group];
        else
                tx_power = pwr_idx_2g->bw40_base[group];

In main.h, bw40_base is found in struct rtw_2g_txpwr_idx, as u8 bw40_base[5]. In other code, channel 14 is assigned as group 5, which is where the problem happens. Unfortunately, if I change it to bw40_base[6], reading the efuse breaks, and I get an rfe of 255. I'm still working on why that happens, but there is obviously another bug somewhere.

I wrote to the developer, and he has some ideas regarding the memory leak. I will tackle that problem once I figure out why increasing the dimension breaks efuse readout.

Larry
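As an added illustration of the overrun Larry describes (not code from the rtw88 driver or from anyone in this thread), the following stand-alone C program models a 2.4 GHz power-index table with bw40_base[5], maps channel 14 to group 5 as the mail states, and wraps the lookup in an ARRAY_SIZE check so that the out-of-range group is refused instead of read. The struct is a cut-down model (the cck_base size, the DESC_RATE11M value and the channel-to-group function are assumptions, not the driver's real definitions), and the table contents are constructed sample values, not eFuse data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the 2.4 GHz power-index table the mail discusses.
 * The driver's real struct rtw_2g_txpwr_idx (main.h) has more members;
 * only bw40_base[5] comes from the mail, the cck_base size is assumed.
 */
struct txpwr_idx_2g {
	uint8_t cck_base[6];
	uint8_t bw40_base[5];
};

/* Placeholder for the driver's DESC_RATE11M; its real value is not on the page. */
#define DESC_RATE11M 3

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Hypothetical channel-to-group mapping, modelled only on the mail's
 * statement that channel 14 lands in group 5: channels 1-13 are spread
 * over groups 0-4. Returns -1 for a channel outside the 2.4 GHz band.
 */
int channel_to_group(int channel)
{
	if (channel < 1 || channel > 14)
		return -1;
	if (channel == 14)
		return 5;
	return (channel - 1) * 5 / 13;	/* channels 1..13 -> groups 0..4 */
}

/*
 * Bounds-checked lookup. Returns the power index (0..255) or -1 when the
 * group would index past the end of the selected array. For channel 14
 * (group 5) a non-CCK rate selects bw40_base, whose last valid index is 4;
 * that is the access UBSAN flags in the unchecked driver code.
 */
int lookup_tx_power(const struct txpwr_idx_2g *t, int rate, int group)
{
	if (group < 0)
		return -1;
	if (rate <= DESC_RATE11M) {
		if ((size_t)group >= ARRAY_SIZE(t->cck_base))
			return -1;
		return t->cck_base[group];
	}
	if ((size_t)group >= ARRAY_SIZE(t->bw40_base))
		return -1;
	return t->bw40_base[group];
}

/* Constructed sample table; the values are arbitrary, not real eFuse data. */
const struct txpwr_idx_2g sample_2g = {
	.cck_base  = { 40, 41, 42, 43, 44, 45 },
	.bw40_base = { 30, 31, 32, 33, 34 },
};

int main(void)
{
	int ch, rate;

	/* Walk every channel with one CCK rate and one non-CCK rate. */
	for (ch = 1; ch <= 14; ch++) {
		int group = channel_to_group(ch);

		for (rate = DESC_RATE11M; rate <= DESC_RATE11M + 1; rate++) {
			int p = lookup_tx_power(&sample_2g, rate, group);

			if (p < 0)
				printf("channel %2d group %d rate %d: out of bounds, lookup refused\n",
				       ch, group, rate);
			else
				printf("channel %2d group %d rate %d: tx_power %d\n",
				       ch, group, rate, p);
		}
	}
	return 0;
}
```

Compiling the same lookup without the checks and with `-fsanitize=bounds` reproduces, in user space, the kind of report UBSAN produced for phy.c: the CCK path for channel 14 stays in range (index 5 of a 6-entry array), while the bw40_base path reads one element past the end.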
