Public bug reported:

Steps to reproduce below but it doesn't happen all the time:
nmcli set wlan0 managed no
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
[packet capture on wlan0]
ifconfig wlan0 down
iwconfig wlan0 mode managed
airmon-ng start wlan0
[packet capture on wlan0mon]
airmon-ng stop wlan0
ifconfig wlan0 down
ifconfig wlan0 mode managed
nmcli set wlan0 managed yes 


After that, Network Manager didn't take back the device, and iwconfig displayed
something unrealistically huge in txpower - like -13124245424dBm -
along with a stack trace in dmesg:
[209247.466524] ================================================================================
[209247.466535] UBSAN: shift-out-of-bounds in /build/linux-oem-5.17-UWvyZR/linux-oem-5.17-5.17.0/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:675:22
[209247.466544] shift exponent 65535 is too large for 64-bit type 'long unsigned int'
[209247.466551] CPU: 6 PID: 396541 Comm: ifconfig Kdump: loaded Tainted: P     U     OE     5.17.0-1028-oem #29-Ubuntu
[209247.466558] Hardware name: Dell Inc. XPS 13 9310/0DXP1F, BIOS 3.12.1 12/27/2022
[209247.466562] Call Trace:
[209247.466566]  <TASK>
[209247.466574]  show_stack+0x52/0x59
[209247.466589]  dump_stack_lvl+0x4c/0x64
[209247.466598]  dump_stack+0x10/0x13
[209247.466603]  ubsan_epilogue+0x9/0x46
[209247.466608]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[209247.466617]  ? iwl_txq_inc_wr_ptr+0x5a/0x70 [iwlwifi]
[209247.466670]  ? iwl_pcie_gen2_enqueue_hcmd+0x5a2/0xa60 [iwlwifi]
[209247.466708]  iwl_mvm_mac_ctxt_cmd_listener.cold+0x20/0x32 [iwlmvm]
[209247.466761]  iwl_mvm_mac_ctx_send+0x81/0xb0 [iwlmvm]
[209247.466793]  iwl_mvm_mac_ctxt_add+0x44/0xf0 [iwlmvm]
[209247.466822]  iwl_mvm_mac_add_interface+0x130/0x420 [iwlmvm]
[209247.466850]  drv_add_interface+0x4b/0x130 [mac80211]
[209247.466922]  ieee80211_add_virtual_monitor.part.0+0xc8/0x280 [mac80211]
[209247.466997]  ieee80211_do_open+0x8a5/0xa00 [mac80211]
[209247.467079]  ? ieee80211_check_concurrent_iface+0x158/0x1d0 [mac80211]
[209247.467149]  ieee80211_open+0x6d/0x90 [mac80211]
[209247.467215]  __dev_open+0xf9/0x1c0
[209247.467225]  __dev_change_flags+0x1a4/0x220
[209247.467232]  dev_change_flags+0x26/0x60
[209247.467239]  devinet_ioctl+0x599/0x6f0
[209247.467245]  ? _copy_from_user+0x2e/0x70
[209247.467255]  inet_ioctl+0x166/0x190
[209247.467260]  ? lru_cache_add+0x1c/0x20
[209247.467268]  ? lru_cache_add_inactive_or_unevictable+0x2e/0xe0
[209247.467275]  ? page_add_new_anon_rmap+0x69/0x100
[209247.467281]  ? set_pte+0x9/0x10
[209247.467289]  ? wp_page_copy+0x331/0x5e0
[209247.467293]  sock_do_ioctl+0x42/0x100
[209247.467302]  ? netdev_name_node_lookup_rcu+0x6b/0x80
[209247.467308]  ? __check_object_size.part.0+0x3a/0x140
[209247.467314]  sock_ioctl+0xf0/0x310
[209247.467321]  ? __audit_syscall_entry+0xcd/0x130
[209247.467329]  ? sock_do_ioctl+0xd6/0x100
[209247.467336]  __x64_sys_ioctl+0x8f/0xd0
[209247.467343]  do_syscall_64+0x59/0xc0
[209247.467350]  ? __audit_syscall_entry+0xcd/0x130
[209247.467357]  ? exit_to_user_mode_prepare+0x37/0xb0
[209247.467366]  ? syscall_exit_to_user_mode+0x27/0x50
[209247.467373]  ? do_syscall_64+0x69/0xc0
[209247.467377]  ? exit_to_user_mode_prepare+0x37/0xb0
[209247.467383]  ? irqentry_exit_to_user_mode+0x9/0x20
[209247.467389]  ? irqentry_exit+0x35/0x40
[209247.467395]  ? exc_page_fault+0x89/0x180
[209247.467401]  ? asm_exc_page_fault+0x8/0x30
[209247.467406]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[209247.467411] RIP: 0033:0x7f4f6d3deaff
[209247.467418] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[209247.467423] RSP: 002b:00007ffc754f4380 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[209247.467430] RAX: ffffffffffffffda RBX: 0000000000000041 RCX: 00007f4f6d3deaff
[209247.467433] RDX: 00007ffc754f43e0 RSI: 0000000000008914 RDI: 0000000000000004
[209247.467436] RBP: 00007ffc754f4490 R08: 0000000000000009 R09: 0000000000000000
[209247.467439] R10: 00005565f4201078 R11: 0000000000000246 R12: 00007ffc754f43e0
[209247.467441] R13: 0000000000000004 R14: 00005565f4205958 R15: 00007f4f6d55c040
[209247.467447]  </TASK>
[209247.467449] ================================================================================
The following caused Network Manager to catch up and connect to the configured
wifi:
sudo rmmod iwlmvm
sudo modprobe iwlmvm

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: linux-modules-iwlwifi-5.17.0-1028-oem (not installed)
ProcVersionSignature: Ubuntu 5.17.0-1028.29-oem 5.17.15
Uname: Linux 5.17.0-1028-oem x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Mon Mar 13 17:44:41 2023
InstallationDate: Installed on 2015-05-08 (2866 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=pl_PL.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-oem-5.17
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: linux-oem-5.17 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-5.17 in Ubuntu.
https://bugs.launchpad.net/bugs/2011457

Title:
  UBSAN: shift-out-of-bounds in /build/linux-oem-5.17-UWvyZR/linux-oem-5.17-5.17.0/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:675:22

Status in linux-oem-5.17 package in Ubuntu:
  New
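
Added example, not part of the original report: a Python triage helper that rejoins the mail-wrapped dmesg lines seen in this report and extracts the UBSAN kind, source location, detail line and the trusted call-trace frames. The sample input is a shortened, constructed copy of the report's log; the function names and the "vmlinux" label for frames without a module are this example's own assumptions.

```python
import re
# Constructed sample: shortened copy of the report's dmesg excerpt, keeping the
# mail-wrapped lines (continuation lines carry no [timestamp]).
SAMPLE = """\
[209247.466535] UBSAN: shift-out-of-bounds in
/build/linux-oem-5.17-UWvyZR/linux-oem-5.17-5.17.0/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:675:22
[209247.466544] shift exponent 65535 is too large for 64-bit type 'long
unsigned int'
[209247.466562] Call Trace:
[209247.466608]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[209247.466617]  ? iwl_txq_inc_wr_ptr+0x5a/0x70 [iwlwifi]
[209247.466708]  iwl_mvm_mac_ctxt_cmd_listener.cold+0x20/0x32 [iwlmvm]
[209247.466850]  drv_add_interface+0x4b/0x130 [mac80211]
[209247.467215]  __dev_open+0xf9/0x1c0
"""

TS = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?(.*)$")
HEAD = re.compile(r"^UBSAN: (\S+) in (\S+?):(\d+):(\d+)$")
FRAME = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?\s*$")
HELPER = re.compile(r"^(show_stack|dump_stack|ubsan_|__ubsan_)")

def unwrap(text):
    """Rejoin wrapped records: a line without a [timestamp] continues the previous one."""
    out = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            out.append(m.group(1))
        elif out and line.strip():
            out[-1] = (out[-1].rstrip() + " " + line.strip()).lstrip()
    return out

def parse_ubsan(text):
    """Return kind, source location, detail and trusted frames of the first UBSAN report."""
    rep = None
    for msg in unwrap(text):
        head = HEAD.match(msg.strip())
        if head and rep is None:
            rep = {"kind": head.group(1), "file": head.group(2),
                   "line": int(head.group(3)), "detail": None, "frames": []}
        elif rep is not None and rep["detail"] is None:
            rep["detail"] = msg.strip()  # first record after the header
        elif rep is not None:
            f = FRAME.match(msg)
            # Skip '?' frames (unreliable stack leftovers) and the reporting helpers.
            if f and not f.group(1) and not HELPER.match(f.group(2)):
                rep["frames"].append((f.group(2), f.group(3) or "vmlinux"))
    return rep
```

The first entry of `frames` is the function in which the sanitizer fired, which is the useful key for grouping repeated reports of the same defect.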
