rtlwifi: rtl8192c-common: Fix "BUG: KASAN:

commit 6773386f977ce5af339f9678fa2918909a946c6b upstream. Kernels built with CONFIG_KASAN=y report the following BUG for rtl8192cu and rtl8192c-common: ================================================================== BUG: KASAN: slab-out-of-bounds in rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common] at addr ffff8801c90edb08 Read of size 1 by task kworker/0:1/38 page:ffffea0007243800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x8000000000004000(head) page dumped because: kasan: bad access detected CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 4.9.7-gentoo #3 Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./Z77-DS3H, BIOS F11a 11/13/2013 Workqueue: rtl92c_usb rtl_watchdog_wq_callback [rtlwifi] 0000000000000000 ffffffff829eea33 ffff8801d7f0fa30 ffff8801c90edb08 ffffffff824c0f09 ffff8801d4abee80 0000000000000004 0000000000000297 ffffffffc070b57c ffff8801c7aa7c48 ffff880100000004 ffffffff000003e8 Call Trace: [<ffffffff829eea33>] ? dump_stack+0x5c/0x79 [<ffffffff824c0f09>] ? kasan_report_error+0x4b9/0x4e0 [<ffffffffc070b57c>] ? _usb_read_sync+0x15c/0x280 [rtl_usb] [<ffffffff824c0f75>] ? __asan_report_load1_noabort+0x45/0x50 [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common] [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common] [<ffffffffc06d0cbe>] ? rtl92c_dm_rf_saving+0x96e/0x1330 [rtl8192c_common] ... The problem is due to rtl8192ce and rtl8192cu sharing routines, and having different layouts of struct rtl_pci_priv, which is used by rtl8192ce, and struct rtl_usb_priv, which is used by rtl8192cu. The problem was resolved by placing the struct bt_coexist_info at the head of each of those private areas. Reported-and-tested-by: Dmitry Osipenko <digetx@gmail.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Dmitry Osipenko <digetx@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Larry Finger <Larry.Finger@lwfinger.net> 2017-02-05 11:24:22 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-03-12 00:41:50 -0500
commit: 5ea52fac0d827452cd2887722580ab58fdbd2d7d (patch)
tree: 86879bb707a28e9fad365dfbb5b12e13da7d9337 /drivers/net/wireless
parent: d56dd01bc291962f5fb4b53f6ed6de852af0a0e3 (diff)
2 files changed, 4 insertions, 3 deletions
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.h b/drivers/net/wireless/realtek/rtlwifi/pci.h
index b951ebac15ea..d2f4dd470fdb 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.h
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.h
@@ -275,10 +275,10 @@ struct mp_adapter {
 };
 struct rtl_pci_priv {
+        struct bt_coexist_info bt_coexist;
+        struct rtl_led_ctl ledctl;
        struct rtl_pci dev;
        struct mp_adapter ndis_adapter;
-        struct rtl_led_ctl ledctl;
-        struct bt_coexist_info bt_coexist;
 };
 #define rtl_pcipriv(hw)         (((struct rtl_pci_priv *)(rtl_priv(hw))->priv))
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.h b/drivers/net/wireless/realtek/rtlwifi/usb.h
index 685273ca9561..441c4412130c 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.h
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.h
@@ -150,8 +150,9 @@ struct rtl_usb {
 };
 struct rtl_usb_priv {
-        struct rtl_usb dev;
+        struct bt_coexist_info bt_coexist;
        struct rtl_led_ctl ledctl;
+        struct rtl_usb dev;
 };
 #define rtl_usbpriv(hw)  (((struct rtl_usb_priv *)(rtl_priv(hw))->priv))
author	Larry Finger <Larry.Finger@lwfinger.net>	2017-02-05 11:24:22 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-03-12 00:41:50 -0500
commit	5ea52fac0d827452cd2887722580ab58fdbd2d7d (patch)
tree	86879bb707a28e9fad365dfbb5b12e13da7d9337 /drivers/net/wireless
parent	d56dd01bc291962f5fb4b53f6ed6de852af0a0e3 (diff)