Hi, I have updated an ancient Thinkpad T61 to Ubuntu 22.04 and noticed some UB warnings in dmesg.

[ 14.870724] UBSAN: shift-out-of-bounds in /build/linux-kQ6jNR/linux-5.15.0/drivers/net/wireless/intel/iwlegacy/4965-rs.c:671:18
[ 14.870840] shift exponent -1 is negative
[ 14.870940] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P OE 5.15.0-48-generic #54-Ubuntu
[ 14.870943] Hardware name: LENOVO 6460EDG/6460EDG, BIOS 7LETC6WW (2.26 ) 05/11/2009
[ 14.870945] Call Trace:
[ 14.870948] <IRQ>
[ 14.870951] show_stack+0x52/0x5c
[ 14.870957] dump_stack_lvl+0x4a/0x63
[ 14.870962] dump_stack+0x10/0x16
[ 14.870964] ubsan_epilogue+0x9/0x49
[ 14.870967] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[ 14.870969] ? sock_def_readable+0x4b/0x80
[ 14.870973] ? __netlink_sendskb+0x62/0x80
[ 14.870980] il4965_rs_get_adjacent_rate.constprop.0.cold+0x3a/0xa4 [iwl4965]
[ 14.870990] il4965_rs_get_best_rate.isra.0+0xcc/0x140 [iwl4965]
[ 14.870997] il4965_rs_switch_to_siso.isra.0+0xa7/0x100 [iwl4965]
[ 14.871003] il4965_rs_move_legacy_other.isra.0+0x134/0x4c0 [iwl4965]
[ 14.871010] il4965_rs_rate_scale_perform+0xada/0xd10 [iwl4965]
[ 14.871016] ? kfree_skbmem+0x52/0xa0
[ 14.871019] il4965_rs_tx_status+0x3e0/0x6b0 [iwl4965]
[ 14.871028] rate_control_tx_status+0xb1/0xc0 [mac80211]
[ 14.871128] ieee80211_tx_status_ext+0x20e/0x650 [mac80211]
[ 14.871166] ieee80211_tx_status+0x72/0xa0 [mac80211]
[ 14.871205] ieee80211_tasklet_handler+0xa6/0xd0 [mac80211]
[ 14.871242] tasklet_action_common.constprop.0+0xc0/0xf0
[ 14.871247] tasklet_action+0x22/0x30
[ 14.871249] __do_softirq+0xd9/0x2e7
[ 14.871253] irq_exit_rcu+0x94/0xc0
[ 14.871255] common_interrupt+0x8e/0xa0
[ 14.871258] </IRQ>
[ 14.871259] <TASK>
[ 14.871261] asm_common_interrupt+0x26/0x40
[ 14.871265] RIP: 0010:cpuidle_enter_state+0xd9/0x620
[ 14.871270] Code: 3d c4 ef d9 54 e8 17 d7 68 ff 49 89 c7 0f 1f 44 00 00 31 ff e8 58 e4 68 ff 80 7d d0 00 0f 85 61 01 00 00 fb 66 0f 1f 44 00 00 <45> 85 f6 0f 88 6d 01 00 00 4d 63 ee 49 83 fd 09 0f 87 e7 03 00 00
[ 14.871272] RSP: 0018:ffffffffac603db8 EFLAGS: 00000292
[ 14.871275] RAX: 0000000000000000 RBX: ffff9d83f7c3b508 RCX: 0000000000000020
[ 14.871277] RDX: 0000000000001afa RSI: 000000000000a028 RDI: ffffffffac607a40
[ 14.871279] RBP: ffffffffac603e08 R08: 0000000000000000 R09: 000000000000c738
[ 14.871281] R10: 0000000000000004 R11: 071c71c71c71c71c R12: ffffffffac8d3ea0
[ 14.871283] R13: 0000000000000002 R14: 0000000000000002 R15: 00000003765a58ca
[ 14.871286] ? cpuidle_enter_state+0x24a/0x620
[ 14.871289] cpuidle_enter+0x2e/0x50
[ 14.871291] cpuidle_idle_call+0x142/0x1e0
[ 14.871294] do_idle+0x83/0xf0
[ 14.871296] cpu_startup_entry+0x20/0x30
[ 14.871299] rest_init+0xd3/0x100
[ 14.871301] ? acpi_enable_subsystem+0x20b/0x217
[ 14.871306] arch_call_rest_init+0xe/0x23
[ 14.871309] start_kernel+0x4a9/0x4ca
[ 14.871311] x86_64_start_reservations+0x24/0x2a
[ 14.871313] x86_64_start_kernel+0xe4/0xef
[ 14.871316] secondary_startup_64_no_verify+0xc2/0xcb
[ 14.871320] </TASK>

If idx passed to il4965_rs_get_adjacent_rate is 0, then the initial statement of the first loop tries to compute 1 << -1 (mask = (1 << i) where int i = idx - 1), which is indeed UB due to the negative second operand. The idx AFAICT comes from il4965_rs_rate_scale_perform(), but I don't think it matters too much? Please let me know if I should investigate further.

I didn't notice any ill effects, but I didn't test it a lot either. The kernel is a pre-compiled 5.15.0 from the Ubuntu repos (linux-image-5.15.0-48-generic). I had to enable an ancient Nvidia binary driver, which taints it, but it happened with nouveau before that as well.

-- 
Kind regards/Mit freundlichen Grüßen,
Stefan Tauner
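The following is an added, stand-alone illustration of the loop shape the report describes (mask seeded with 1 << i in the for-loop initializer, i = idx - 1); it is not code from the report or from the iwlegacy driver. The function names, the RATE_NOT_FOUND sentinel and the 16-bit rate mask are assumptions made for the example. The first function mirrors the reported control flow but detects the out-of-range exponent instead of executing it, so the example itself stays well-defined; the second shows the hardened shape, in which the shift is evaluated only after the i >= 0 check has run.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sentinel for "no rate found"; not the driver's own value. */
#define RATE_NOT_FOUND (-1)

/* Largest legal exponent for 1 << n on a signed int is one less than the
 * bit width, because 1 << 31 would overflow a 32-bit signed int. */
#define INT_SHIFT_LIMIT ((int)(sizeof(int) * CHAR_BIT) - 1)

/* Returns nonzero when (1 << shift) is well-defined for a signed int:
 * the exponent must be non-negative and small enough not to overflow. */
int shift_in_bounds(int shift)
{
    return shift >= 0 && shift < INT_SHIFT_LIMIT;
}

/* Mirrors the control flow the report describes: i = idx - 1, and the mask
 * is seeded with 1 << i in the for-loop initializer, before the i >= 0
 * condition is ever evaluated. Instead of executing the undefined shift,
 * this version flags it through *ub_hit and bails out. Returns the highest
 * bit below idx that is set in rate_mask, or RATE_NOT_FOUND. */
int find_prev_rate_report_pattern(uint16_t rate_mask, int idx, int *ub_hit)
{
    int i = idx - 1;
    uint16_t mask;

    *ub_hit = !shift_in_bounds(i);
    if (*ub_hit)
        return RATE_NOT_FOUND; /* idx == 0 lands here: the 1 << -1 case */

    for (mask = (uint16_t)(1 << i); i >= 0; i--, mask >>= 1)
        if (rate_mask & mask)
            return i;
    return RATE_NOT_FOUND;
}

/* Hardened form: the shift happens inside the loop body, after i >= 0 has
 * been checked, so a negative exponent is unreachable. The start index is
 * capped at the top bit of the 16-bit mask and the constant is unsigned,
 * so oversized idx values cannot produce an over-wide shift either. */
int find_prev_rate_safe(uint16_t rate_mask, int idx)
{
    int i = idx - 1 < 15 ? idx - 1 : 15;

    for (; i >= 0; i--)
        if (rate_mask & (1u << i))
            return i;
    return RATE_NOT_FOUND;
}

int main(void)
{
    /* Constructed rate mask for the demo: bits 1 and 3 set. */
    uint16_t rate_mask = 0x000a;
    int ub;
    int r = find_prev_rate_report_pattern(rate_mask, 0, &ub);

    printf("report pattern, idx=0: ub_hit=%d result=%d\n", ub, r);
    printf("hardened, idx=0: %d\n", find_prev_rate_safe(rate_mask, 0));
    printf("hardened, idx=3: %d\n", find_prev_rate_safe(rate_mask, 3));
    return 0;
}
```

Compiling the hardened variant with -fsanitize=shift (or running the kernel with UBSAN enabled, as in the report) gives no shift-out-of-bounds diagnostic for idx == 0, because the loop condition now guards every shift.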