• Larry Finger's avatar
    rtlwifi: rtl8192c-common: Fix "BUG: KASAN: · db5051f8
    Larry Finger authored
    [ Upstream commit 6773386f ]
    
    Kernels built with CONFIG_KASAN=y report the following BUG for rtl8192cu
    and rtl8192c-common:
    
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in rtl92c_dm_bt_coexist+0x858/0x1e40
         [rtl8192c_common] at addr ffff8801c90edb08
    Read of size 1 by task kworker/0:1/38
    page:ffffea0007243800 count:1 mapcount:0 mapping:          (null)
         index:0x0 compound_mapcount: 0
    flags: 0x8000000000004000(head)
    page dumped because: kasan: bad access detected
    CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 4.9.7-gentoo #3
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by
         O.E.M./Z77-DS3H, BIOS F11a 11/13/2013
    Workqueue: rtl92c_usb rtl_watchdog_wq_callback [rtlwifi]
      0000000000000000 ffffffff829eea33 ffff8801d7f0fa30 ffff8801c90edb08
      ffffffff824c0f09 ffff8801d4abee80 0000000000000004 0000000000000297
      ffffffffc070b57c ffff8801c7aa7c48 ffff880100000004 ffffffff000003e8
    Call Trace:
      [<ffffffff829eea33>] ? dump_stack+0x5c/0x79
      [<ffffffff824c0f09>] ? kasan_report_error+0x4b9/0x4e0
      [<ffffffffc070b57c>] ? _usb_read_sync+0x15c/0x280 [rtl_usb]
      [<ffffffff824c0f75>] ? __asan_report_load1_noabort+0x45/0x50
      [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common]
      [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common]
      [<ffffffffc06d0cbe>] ? rtl92c_dm_rf_saving+0x96e/0x1330 [rtl8192c_common]
    ...
    
    The problem is due to rtl8192ce and rtl8192cu sharing routines, and having
    different layouts of struct rtl_pci_priv, which is used by rtl8192ce, and
    struct rtl_usb_priv, which is used by rtl8192cu. The problem was resolved
    by placing the struct bt_coexist_info at the head of each of those private
    areas.
    Reported-and-tested-by: default avatarDmitry Osipenko <digetx@gmail.com>
    Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
    Cc: Stable <stable@vger.kernel.org> # 4.0+
    Cc: Dmitry Osipenko <digetx@gmail.com>
    Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
    Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
    db5051f8
usb.h 4.64 KB