https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69508
Bug ID: 69508
Summary: Undefined Behavior Sanitizer __ubsan_handle_load_invalid_value reports invalid load with wrong value
Product: gcc
Version: 5.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: chris.bainbridge at gmail dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Target Milestone: ---

Created attachment 37482 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37482&action=edit
rx.o.objdump

gcc-5.3.0 UBSAN on Linux kernel 4.5.0-rc1 gave an error:

[ 7.976500] UBSAN: Undefined behaviour in net/mac80211/rx.c:925:18
[ 7.976502] load of value 2 is not a valid value for type '_Bool'
[ 7.976505] CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
[ 7.976507] Hardware name: Apple Inc. MacBookPro10,2/Mac-AFD8A9D944EA4843, BIOS MBP102.88Z.0106.B0A.1509130955 09/13/2015
[ 7.976510] Workqueue: phy0 rt2x00usb_work_rxdone
[ 7.976513]  0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
[ 7.976517]  ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b520
[ 7.976521]  ffff880254a7bab8 ffffffff81884747 0000000000000202 ffff880248620032
[ 7.976525] Call Trace:
[ 7.976528]  [<ffffffff8181d866>] dump_stack+0x45/0x5f
[ 7.976532]  [<ffffffff8188422d>] ubsan_epilogue+0xd/0x40
[ 7.976537]  [<ffffffff81884747>] __ubsan_handle_load_invalid_value+0x67/0x70
[ 7.976541]  [<ffffffff82227aad>] ieee80211_sta_reorder_release.isra.16+0x54d/0x730
[ 7.976545]  [<ffffffff8222ca14>] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
[ 7.976549]  [<ffffffff81cb27ce>] ? usb_hcd_map_urb_for_dma+0x65e/0x960
[ 7.976554]  [<ffffffff8222db03>] __ieee80211_rx_handle_packet+0x1f3/0x750
[ 7.976557]  [<ffffffff8222e4a7>] ieee80211_rx_napi+0x447/0x990
[ 7.976561]  [<ffffffff81c5fb85>] rt2x00lib_rxdone+0x305/0xbd0
[ 7.976564]  [<ffffffff811ac23f>] ? dequeue_task_fair+0x64f/0x1de0
[ 7.976568]  [<ffffffff811a1516>] ? sched_clock_cpu+0xe6/0x150
[ 7.976573]  [<ffffffff81c6c45c>] rt2x00usb_work_rxdone+0x7c/0x140
[ 7.976577]  [<ffffffff8117aef6>] process_one_work+0x226/0x860
[ 7.976580]  [<ffffffff8117b58c>] worker_thread+0x5c/0x680
[ 7.976584]  [<ffffffff8117b530>] ? process_one_work+0x860/0x860
[ 7.976588]  [<ffffffff81184f86>] kthread+0xf6/0x150
[ 7.976591]  [<ffffffff81184e90>] ? kthread_worker_fn+0x310/0x310
[ 7.976595]  [<ffffffff822a94df>] ret_from_fork+0x3f/0x70
[ 7.976598]  [<ffffffff81184e90>] ? kthread_worker_fn+0x310/0x310
[ 7.976601] ================================================================================

Patch to print the offending value:

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index bc081850ac0e..3f85ac999934 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -921,6 +921,7 @@ static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
 set_release_timer:
+		printk("1 %d\n", tid_agg_rx->removed);
 		if (!tid_agg_rx->removed)
 			mod_timer(&tid_agg_rx->reorder_timer,
 				  tid_agg_rx->reorder_time[j] + 1 +
@@ -928,6 +929,7 @@ static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
 	} else {
 		del_timer(&tid_agg_rx->reorder_timer);
 	}
+	printk("2 %d\n", tid_agg_rx->removed);
 }
 
 /*

UBSAN is reporting that bool tid_agg_rx->removed has value 2, but printk prints value 0.

Tested with gcc-4.9.2, gcc-4.9.3, gcc-5.3.0.

objdump -dr net/mac80211/rx.o is attached. Function ieee80211_sta_reorder_release.isra.16 is where the printk and __ubsan_handle_load_invalid_value are called.

If I move the printk call into a function, pass in tid_agg_rx as an argument and call that function in exactly the same place as the current printk, then the invalid load error is *not* reported, even though the code flow is identical.
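Review bot: in the first hunk (@@ -921,6 +921,7 @@), `printk("1 %d\n", tid_agg_rx->removed);` does not observe the same thing `__ubsan_handle_load_invalid_value` does. The sanitizer checks the raw byte loaded for the `if (!tid_agg_rx->removed)` test, while the `%d` argument goes through a bool-to-int conversion, which the compiler may implement either by loading the byte as-is or by assuming the object already holds 0 or 1 and testing only that, so a printed 0 does not rule out a 2 in memory. To compare like with like, print the storage through a character-type alias, e.g. `printk("1 %u\n", *(u8 *)&tid_agg_rx->removed);`. The debugging printk also carries no log level and sits in a per-frame RX path, where `pr_debug` or `printk_ratelimited` would be the usual choice.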
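Review bot: in the second hunk (@@ -928,6 +929,7 @@), `printk("2 %d\n", tid_agg_rx->removed);` runs after both the `mod_timer` and the `del_timer` branches, so a 0 here only says what the field read as after the branch, not at the load at rx.c:925 that the report points to. If the goal is to catch the value at the flagged load, this second print adds little beyond the first and could be dropped, or it should print the raw byte as well so the two prints are comparable; like the first one it also carries no log level.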
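As an added example (not part of this report, the kernel, or GCC), the following stand-alone C program shows the difference between what the -fsanitize=bool runtime loads and what a %d print of the same field reports. The struct tid_state, its layout and the corrupting write are constructed for the demonstration and only stand in for the kernel's tid_agg_rx->removed.

```c
/* Added example: how -fsanitize=bool sees a _Bool versus how printk("%d")
 * of the same field sees it. Not kernel code; struct and corruption are
 * constructed for this demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's tid_agg_rx (assumed layout). */
struct tid_state {
    uint16_t head_seq_num;   /* unrelated neighbour, gives the bool an offset */
    bool removed;
};

/* The check the UBSAN runtime applies before reporting
 * "load of value N is not a valid value for type '_Bool'":
 * the loaded byte must be exactly 0 or 1. */
static int is_valid_bool_byte(unsigned char raw)
{
    return raw == 0 || raw == 1;
}

/* Well-defined way to look at the storage of the bool: character-type
 * access may alias any object (C11 6.5p7). This returns what the sanitizer's
 * instrumentation actually loaded. */
static unsigned char raw_bool_byte(const struct tid_state *t)
{
    return *(const unsigned char *)&t->removed;
}

/* Put an out-of-range byte into the bool. The write through a char pointer
 * is well defined; only a later read of 'removed' *as a bool* is undefined
 * (trap representation, C11 6.2.6.1p5), which is what -fsanitize=bool flags. */
static void corrupt_removed(struct tid_state *t, unsigned char raw)
{
    memcpy((unsigned char *)&t->removed, &raw, 1);
}

/* Mirror of the kernel pattern 'if (!tid_agg_rx->removed)'. Reading a bool
 * holding 2 is UB: the compiler may load the byte as-is, or assume it is 0/1
 * and test only the low bit, so the result is not specified. */
static int would_arm_timer(const struct tid_state *t)
{
    return !t->removed;
}

int main(void)
{
    struct tid_state t = { .head_seq_num = 0x1234, .removed = false };

    corrupt_removed(&t, 2);

    /* What printk("%d", t.removed) observes: a bool-to-int conversion of a
     * trap representation; the compiler is entitled to fold this to 0 or 1. */
    printf("via %%d conversion : %d (unspecified)\n", (int)t.removed);

    /* What the UBSAN runtime observed: the raw byte. */
    unsigned char raw = raw_bool_byte(&t);
    printf("raw storage byte   : %u (%s)\n", raw,
           is_valid_bool_byte(raw) ? "valid _Bool" : "invalid _Bool, UBSAN fires");

    printf("!removed           : %d (unspecified)\n", would_arm_timer(&t));
    return 0;
}
```

Built plainly (`cc bool_raw.c`) it prints the raw storage byte 2 while the two bool-typed reads print whatever the compiler happened to generate. Built with `gcc -fsanitize=bool bool_raw.c`, both bool-typed reads of `t.removed` are reported as `load of value 2 is not a valid value for type '_Bool'`, and the character-type read is not reported, because it is not a bool load; that character-type read is the one to use when checking a sanitizer report against the contents of memory.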