| From 6773386f977ce5af339f9678fa2918909a946c6b Mon Sep 17 00:00:00 2001 |
| From: Larry Finger <Larry.Finger@lwfinger.net> |
| Date: Sun, 5 Feb 2017 10:24:22 -0600 |
| Subject: rtlwifi: rtl8192c-common: Fix "BUG: KASAN: |
| |
| From: Larry Finger <Larry.Finger@lwfinger.net> |
| |
| commit 6773386f977ce5af339f9678fa2918909a946c6b upstream. |
| |
| Kernels built with CONFIG_KASAN=y report the following BUG for rtl8192cu |
| and rtl8192c-common: |
| |
| ================================================================== |
| BUG: KASAN: slab-out-of-bounds in rtl92c_dm_bt_coexist+0x858/0x1e40 |
| [rtl8192c_common] at addr ffff8801c90edb08 |
| Read of size 1 by task kworker/0:1/38 |
| page:ffffea0007243800 count:1 mapcount:0 mapping: (null) |
| index:0x0 compound_mapcount: 0 |
| flags: 0x8000000000004000(head) |
| page dumped because: kasan: bad access detected |
| CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 4.9.7-gentoo #3 |
| Hardware name: Gigabyte Technology Co., Ltd. To be filled by |
| O.E.M./Z77-DS3H, BIOS F11a 11/13/2013 |
| Workqueue: rtl92c_usb rtl_watchdog_wq_callback [rtlwifi] |
| 0000000000000000 ffffffff829eea33 ffff8801d7f0fa30 ffff8801c90edb08 |
| ffffffff824c0f09 ffff8801d4abee80 0000000000000004 0000000000000297 |
| ffffffffc070b57c ffff8801c7aa7c48 ffff880100000004 ffffffff000003e8 |
| Call Trace: |
| [<ffffffff829eea33>] ? dump_stack+0x5c/0x79 |
| [<ffffffff824c0f09>] ? kasan_report_error+0x4b9/0x4e0 |
| [<ffffffffc070b57c>] ? _usb_read_sync+0x15c/0x280 [rtl_usb] |
| [<ffffffff824c0f75>] ? __asan_report_load1_noabort+0x45/0x50 |
| [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common] |
| [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common] |
| [<ffffffffc06d0cbe>] ? rtl92c_dm_rf_saving+0x96e/0x1330 [rtl8192c_common] |
| ... |
| |
| The problem is due to rtl8192ce and rtl8192cu sharing routines, and having |
| different layouts of struct rtl_pci_priv, which is used by rtl8192ce, and |
| struct rtl_usb_priv, which is used by rtl8192cu. The problem was resolved |
| by placing the struct bt_coexist_info at the head of each of those private |
| areas. |
| |
| Reported-and-tested-by: Dmitry Osipenko <digetx@gmail.com> |
| Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> |
| Cc: Dmitry Osipenko <digetx@gmail.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/net/wireless/realtek/rtlwifi/pci.h | 4 ++-- |
| drivers/net/wireless/realtek/rtlwifi/usb.h | 3 ++- |
| 2 files changed, 4 insertions(+), 3 deletions(-) |
| |
| --- a/drivers/net/wireless/realtek/rtlwifi/pci.h |
| +++ b/drivers/net/wireless/realtek/rtlwifi/pci.h |
| @@ -271,10 +271,10 @@ struct mp_adapter { |
| }; |
| |
| struct rtl_pci_priv { |
| + struct bt_coexist_info bt_coexist; |
| + struct rtl_led_ctl ledctl; |
| struct rtl_pci dev; |
| struct mp_adapter ndis_adapter; |
| - struct rtl_led_ctl ledctl; |
| - struct bt_coexist_info bt_coexist; |
| }; |
| |
| #define rtl_pcipriv(hw) (((struct rtl_pci_priv *)(rtl_priv(hw))->priv)) |
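Review bot: Nothing in the reordered `struct rtl_pci_priv` records that `bt_coexist` and `ledctl` must stay the first two members in this order, and the same applies to `struct rtl_usb_priv` in the usb.h hunk. Going by the commit message, the shared rtl8192c-common routines reach these fields through one private-struct type whatever the bus, so a member later inserted ahead of them in either header would silently bring back the out-of-bounds read that KASAN reported. I would put `/* Must stay first and in this order: shared rtl8192c code reads these through either priv layout */` above the first member of both structs. If some function can see both headers, the invariant could also be enforced at build time with `BUILD_BUG_ON(offsetof(struct rtl_pci_priv, bt_coexist) != offsetof(struct rtl_usb_priv, bt_coexist));` and the equivalent check for `ledctl`.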
| --- a/drivers/net/wireless/realtek/rtlwifi/usb.h |
| +++ b/drivers/net/wireless/realtek/rtlwifi/usb.h |
| @@ -146,8 +146,9 @@ struct rtl_usb { |
| }; |
| |
| struct rtl_usb_priv { |
| - struct rtl_usb dev; |
| + struct bt_coexist_info bt_coexist; |
| struct rtl_led_ctl ledctl; |
| + struct rtl_usb dev; |
| }; |
| |
| #define rtl_usbpriv(hw) (((struct rtl_usb_priv *)(rtl_priv(hw))->priv)) |