[Bug sanitizer/69508] New: Undefined Behavior Sanitizer __ubsan_handle_load_invalid_value reports invalid load with wrong value

chris.bainbridge at gmail dot com gcc-bugzilla@gcc.gnu.org
Wed Jan 27 01:08:00 GMT 2016


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69508

            Bug ID: 69508
           Summary: Undefined Behavior Sanitizer
                    __ubsan_handle_load_invalid_value reports invalid load
                    with wrong value
           Product: gcc
           Version: 5.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: chris.bainbridge at gmail dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
  Target Milestone: ---

Created attachment 37482
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=37482&action=edit
rx.o.objdump gcc-5.3.0

UBS on Linux kernel 4.5.0-rc1 gave an error:

[    7.976500] UBSAN: Undefined behaviour in net/mac80211/rx.c:925:18
[    7.976502] load of value 2 is not a valid value for type '_Bool'
[    7.976505] CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
[    7.976507] Hardware name: Apple Inc. MacBookPro10,2/Mac-AFD8A9D944EA4843, BIOS MBP102.88Z.0106.B0A.1509130955 09/13/2015
[    7.976510] Workqueue: phy0 rt2x00usb_work_rxdone
[    7.976513]  0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
[    7.976517]  ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b520
[    7.976521]  ffff880254a7bab8 ffffffff81884747 0000000000000202 ffff880248620032
[    7.976525] Call Trace:
[    7.976528]  [<ffffffff8181d866>] dump_stack+0x45/0x5f
[    7.976532]  [<ffffffff8188422d>] ubsan_epilogue+0xd/0x40
[    7.976537]  [<ffffffff81884747>] __ubsan_handle_load_invalid_value+0x67/0x70
[    7.976541]  [<ffffffff82227aad>] ieee80211_sta_reorder_release.isra.16+0x54d/0x730
[    7.976545]  [<ffffffff8222ca14>] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
[    7.976549]  [<ffffffff81cb27ce>] ? usb_hcd_map_urb_for_dma+0x65e/0x960
[    7.976554]  [<ffffffff8222db03>] __ieee80211_rx_handle_packet+0x1f3/0x750
[    7.976557]  [<ffffffff8222e4a7>] ieee80211_rx_napi+0x447/0x990
[    7.976561]  [<ffffffff81c5fb85>] rt2x00lib_rxdone+0x305/0xbd0
[    7.976564]  [<ffffffff811ac23f>] ? dequeue_task_fair+0x64f/0x1de0
[    7.976568]  [<ffffffff811a1516>] ? sched_clock_cpu+0xe6/0x150
[    7.976573]  [<ffffffff81c6c45c>] rt2x00usb_work_rxdone+0x7c/0x140
[    7.976577]  [<ffffffff8117aef6>] process_one_work+0x226/0x860
[    7.976580]  [<ffffffff8117b58c>] worker_thread+0x5c/0x680
[    7.976584]  [<ffffffff8117b530>] ? process_one_work+0x860/0x860
[    7.976588]  [<ffffffff81184f86>] kthread+0xf6/0x150
[    7.976591]  [<ffffffff81184e90>] ? kthread_worker_fn+0x310/0x310
[    7.976595]  [<ffffffff822a94df>] ret_from_fork+0x3f/0x70
[    7.976598]  [<ffffffff81184e90>] ? kthread_worker_fn+0x310/0x310
[    7.976601]
================================================================================

Patch to print the offending value:

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index bc081850ac0e..3f85ac999934 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -921,6 +921,7 @@ static void ieee80211_sta_reorder_release(struct
ieee80211_sub_if_data *sdata,

  set_release_timer:

+       printk("1 %d\n", tid_agg_rx->removed);
        if (!tid_agg_rx->removed)
            mod_timer(&tid_agg_rx->reorder_timer,
                  tid_agg_rx->reorder_time[j] + 1 +
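Review bot: the `printk("1 %d\n", tid_agg_rx->removed)` added before the `if` prints the `bool` after its promotion to `int` for the variadic call, not the byte actually held in memory, so a printed 0 does not establish that the storage byte is not 2, which is the value UBSAN reports for this load. To compare like with like, read the raw storage byte once, e.g. `unsigned char raw; memcpy(&raw, &tid_agg_rx->removed, 1);`, and print it with `%u` alongside the converted value. The bare `printk` also lacks a `KERN_*` log level; `pr_info(...)` is the usual form for a temporary debug print.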
@@ -928,6 +929,7 @@ static void ieee80211_sta_reorder_release(struct
ieee80211_sub_if_data *sdata,
    } else {
        del_timer(&tid_agg_rx->reorder_timer);
    }
+   printk("2 %d\n", tid_agg_rx->removed);
 }

 /*
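Review bot: the second `printk("2 %d\n", tid_agg_rx->removed)` placed after the `if`/`else` re-reads the field, so with this patch `removed` is loaded three separate times (two printks and the `if` test), and the instrumented load in the `if` can observe something different from what either printk shows if the field is modified in between or if the compiler forms the conditional differently from the variadic argument. Capturing the field once into a local, `bool removed = tid_agg_rx->removed;`, and using that local for both the test and the two messages would make the printed value and the sanitizer report refer to the same load.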

UBS is reporting that bool tid_agg_rx->removed has value 2 but printk prints
value 0.

Tested with gcc-4.9.2, gcc-4.9.3, gcc-5.3.0

objdump -dr net/mac80211/rx.o is attached. Function ieee80211_sta_reorder_release.isra.16 is where the printk and __ubsan_handle_load_invalid_value are called.

If I move the printk call to a function call and pass in tid_agg_rx as an
argument and call that function in exactly the same place as the current
printk, then the invalid load error is *not* reported, even though the code
flow is identical.
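To illustrate what this UBSAN check is reporting and why a `%d` printk is not a reliable way to see the same byte, here is an added, self-contained example (not from the bug report or the kernel). It uses a constructed `struct reorder_state` standing in for the kernel's struct with its `bool removed` field; the function and struct names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel struct: only the bool field matters. */
struct reorder_state {
    bool removed;
    int  tid;
};

/* Overwrite the bool's storage byte without going through the bool type
 * (memcpy via unsigned char). Writing the byte itself is well defined; it is
 * the later load through the bool type that UBSAN's -fsanitize=bool checks. */
void set_raw_bool_byte(struct reorder_state *s, unsigned char raw)
{
    memcpy(&s->removed, &raw, 1);
}

/* Read the storage byte back the same way. This is the value to compare with
 * a UBSAN "load of value N is not a valid value for type '_Bool'" report;
 * printing the field with %d shows the int-converted value, which need not
 * equal the byte when the byte is neither 0 nor 1. */
unsigned char get_raw_bool_byte(const struct reorder_state *s)
{
    unsigned char raw;
    memcpy(&raw, &s->removed, 1);
    return raw;
}

/* The same kind of load the kernel does in `if (!tid_agg_rx->removed)`.
 * Built with `gcc -fsanitize=bool`, this load is instrumented and reported
 * when the byte is not 0 or 1; without instrumentation, evaluating it on a
 * corrupted byte is undefined behaviour. */
int release_timer_would_be_armed(const struct reorder_state *s)
{
    return !s->removed;
}

int main(void)
{
    struct reorder_state s = { .removed = false, .tid = 0 };

    set_raw_bool_byte(&s, 2);   /* plant the byte value UBSAN complained about */
    printf("raw storage byte: %u\n", get_raw_bool_byte(&s));   /* always 2 */

    /* This load goes through the bool type: under -fsanitize=bool it
     * reproduces the "load of value 2 is not a valid value" report. */
    printf("armed: %d\n", release_timer_would_be_armed(&s));
    return 0;
}
```

Build it with `gcc -fsanitize=bool example.c` to see the instrumented report, and without the flag to see that the raw byte read stays 2 regardless of how the bool load is compiled.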
