Re: rtlwifi: rtl8192c_common: "BUG: KASAN: slab-out-of-bounds"

From: Larry Finger
Date: Sat Feb 04 2017 - 20:05:08 EST


On 02/04/2017 01:32 PM, Dmitry Osipenko wrote:
> On 04.02.2017 21:41, Larry Finger wrote:
> > On 02/04/2017 10:58 AM, Dmitry Osipenko wrote:
> > > Seems the problem is caused by rtl92c_dm_*() casting .priv to "struct
> > > rtl_pci_priv", while it is "struct rtl_usb_priv".
> >
> > Those routines are shared by rtl8192ce and rtl8192cu, thus we need to make that
> > difference in cast immaterial. I think we need to move "struct
> > bt_coexist_info" to the beginning of both rtlpci_priv and rtl_usb_priv. Then it
> > should not matter.
> >
> > I do not have a gcc version new enough to turn KASAN testing on, thus the
> > attached patch is only compile tested. Does it fix the problem?
>
> Thank you for the patch; it indeed fixes the bug.
>
> I noticed that struct rtl_priv contains .btcoexist; isn't it duplicated in the
> struct rtl_pci_priv?

Thanks for testing. When I submit the patch, is it OK to cite your reporting and testing?

Yes, the bt_coexist_info structure is in two different places. I will change the code in rtl8192c-common and rtl8192ce to use only the one in rtlpriv. That should satisfy the problem you reported, as well as clean up the code.

Thanks again,

Larry
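Added illustration, not part of the thread and not the real rtlwifi definitions: hypothetical simplified struct layouts showing why a `.priv` cast to the wrong bus variant reads past the end of the allocation (the slab-out-of-bounds KASAN reported), and why placing the shared `bt_coexist_info` first in both variants makes the offset used by the wrong cast identical and in bounds.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified layouts; NOT the real rtlwifi definitions. */
struct bt_coexist_info {
    uint8_t bt_ant_num;
    uint8_t bt_cur_state;
};

/* "Before": the PCI variant has a PCI-only block ahead of the shared member,
 * the USB variant is only the shared member. A routine that casts a USB
 * object to the PCI type reads btcoexist past the end of the small USB
 * allocation, which is what KASAN reports as slab-out-of-bounds. */
struct pci_priv_before {
    uint32_t pci_only[16];
    struct bt_coexist_info btcoexist;
};
struct usb_priv_before {
    struct bt_coexist_info btcoexist;
};

/* "After": shared member first in both, so the offset the wrong cast uses
 * is the same and lies inside the smaller object. */
struct pci_priv_after {
    struct bt_coexist_info btcoexist;
    uint32_t pci_only[16];
};
struct usb_priv_after {
    struct bt_coexist_info btcoexist;
};

/* In bounds when the field, addressed via the cast-to type, ends within
 * the object that was actually allocated. */
static int field_in_bounds(size_t field_off, size_t field_size, size_t alloc_size)
{
    return field_off + field_size <= alloc_size;
}

/* Cast a usb_priv_before to pci_priv_before and touch btcoexist. */
int before_cast_in_bounds(void)
{
    return field_in_bounds(offsetof(struct pci_priv_before, btcoexist),
                           sizeof(struct bt_coexist_info), sizeof(struct usb_priv_before));
}

/* Same access after the reordering fix. */
int after_cast_in_bounds(void)
{
    return field_in_bounds(offsetof(struct pci_priv_after, btcoexist),
                           sizeof(struct bt_coexist_info), sizeof(struct usb_priv_after));
}
```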