
qcacmn: Fix array out of bounds issue

In qdf_mem_multi_page_link, pages->cacheable_pages is an array with
pages->num_pages elements, but pages->cacheable_pages[pages->num_pages] is
read, so an out-of-bounds error is reported if KASAN is enabled.

When the ini dp_tx_ext_desc is 6144 and DP_TX_DESC_POOL_SIZE is 6144, the
size in bytes of a TX TSO Num Seg Desc is 16 and the page size is 4096, so the
TX TSO Num Seg Desc pool needs 24 pages (6144*16/4096); each address needs
8 bytes, so the TSO Num Seg Desc pool needs to kmalloc 192 bytes to save the
addresses of the 24 pages.

BUG: KASAN: slab-out-of-bounds in qdf_mem_multi_page_link+0x190/0x1f4
Read of size 8 at addr ffffff816b4d60c0 by task kworker/u16:0/8

CPU: 7 PID: 8 Comm: kworker/u16:0 Tainted: G S      W  O
Workqueue: cnss_driver_event cnss_driver_event_work
Call trace:
 dump_backtrace+0x0/0x204
 show_stack+0x18/0x24
 dump_stack+0xcc/0x11c
 print_address_description+0x88/0x578
 __kasan_report+0x1ac/0x20c
 kasan_report+0x14/0x20
 __asan_load8+0x98/0x9c
 qdf_mem_multi_page_link+0x190/0x1f4 [wlan]
 dp_tx_tso_num_seg_pool_init+0x84/0x170 [wlan]
 dp_soc_tx_desc_sw_pools_init+0xb4/0x128 [wlan]
 dp_soc_init+0xf78/0x18c8 [wlan]
 dp_soc_init_wifi3+0x14/0x20 [wlan]
 cds_open+0x7e8/0x15fc [wlan]
 hdd_wlan_start_modules+0x7d8/0xf10 [wlan]
 hdd_wlan_startup+0x17c/0xbd4 [wlan]
 wlan_hdd_pld_probe+0x234/0x370 [wlan]
 pld_pcie_probe+0x6c/0x88 [wlan]
 cnss_pci_call_driver_probe+0xd8/0x358
 cnss_bus_call_driver_probe+0x38/0x6c
 cnss_driver_event_work+0xf14/0x1188
 process_one_work+0x53c/0x8b8
 worker_thread+0x4f8/0x928
 kthread+0x1e8/0x200
 ret_from_fork+0x10/0x18

Allocated by task 8:
 __kasan_kmalloc+0x100/0x1c0
 kasan_kmalloc+0x10/0x1c
 __kmalloc+0x130/0x448
 kzalloc+0x14/0x20 [wlan]
 __qdf_mem_malloc+0xcc/0x120 [wlan]
 qdf_mem_multi_pages_alloc+0xc0/0x580 [wlan]
 dp_prealloc_init+0x1b0/0x48c [wlan]
 wlan_hdd_pld_probe+0x200/0x370 [wlan]
 pld_pcie_probe+0x6c/0x88 [wlan]
 cnss_pci_call_driver_probe+0xd8/0x358
 cnss_bus_call_driver_probe+0x38/0x6c
 cnss_driver_event_work+0xf14/0x1188
 process_one_work+0x53c/0x8b8
 worker_thread+0x4f8/0x928
 kthread+0x1e8/0x200
 ret_from_fork+0x10/0x18

The bad address belongs to the object
which belongs to the cache kmalloc-192 of size 192
The bad address is located 0 bytes to the right of
f816b4d60c0).

Change-Id: I6569c22bc8f900296f49a4426f085912a33aa452
CRs-Fixed: 3014390
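As an added example that is not the qcacmn code, the block below is a minimal C model of the page-linking loop in qdf_mem_multi_page_link over constructed pages; `link_pages`, `walk_chain`, `link_and_count` and the page layout are hypothetical stand-ins for the `pages->cacheable_pages` array described in the commit message, and the bound check in `link_pages` is the behaviour the patch adds, so the last element of the last page no longer reads one entry past the array.

```c
/* Added example, not qcacmn code: a minimal model of the page-linking loop in
 * qdf_mem_multi_page_link over constructed pages (hypothetical names). */
#include <stdlib.h>
#define ELEM_SIZE 16                 /* TX TSO Num Seg Desc size, per commit */
#define PAGE_BYTES 4096
#define ELEMS_PER_PAGE (PAGE_BYTES / ELEM_SIZE)   /* 256 */

/* Link each element to the next; a page's last element points at the first
 * element of the following page. Before the fix, the last element of the LAST
 * page read cacheable_pages[num_pages], one past the array (the KASAN read);
 * the bound check below terminates the chain with NULL instead. */
static void link_pages(void **cacheable_pages, unsigned num_pages)
{
	for (unsigned i = 0; i < num_pages; i++) {
		void **c_elem = (void **)cacheable_pages[i];
		for (unsigned i_int = 0; i_int < ELEMS_PER_PAGE; i_int++) {
			if (i_int == ELEMS_PER_PAGE - 1)
				*c_elem = (i + 1 < num_pages)
					  ? cacheable_pages[i + 1] : NULL;
			else
				*c_elem = (void *)((char *)c_elem + ELEM_SIZE);
			c_elem = (void **)((char *)c_elem + ELEM_SIZE);
		}
	}
}

/* Follow the chain from the first element until the NULL terminator. */
static size_t walk_chain(void *head)
{
	size_t n = 0;
	for (void **e = head; e; e = (void **)*e)
		n++;
	return n;
}

/* Allocate num_pages zeroed pages, link them, return the chain length
 * (24 pages of 16-byte elements is the commit's 6144-descriptor case). */
static size_t link_and_count(unsigned num_pages)
{
	void **pages = calloc(num_pages, sizeof(void *));
	for (unsigned i = 0; i < num_pages; i++)
		pages[i] = calloc(1, PAGE_BYTES);
	link_pages(pages, num_pages);
	size_t n = walk_chain(pages[0]);
	for (unsigned i = 0; i < num_pages; i++)
		free(pages[i]);
	free(pages);
	return n;
}
```

Built with `-fsanitize=address`, removing the `i + 1 < num_pages` bound reproduces the heap-buffer-overflow read on the page-address array that the commit's KASAN report shows.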
Jianmin Zhu, 3 years ago
commit cc74d108d0
1 changed file with 2 additions and 0 deletions:
qdf/linux/src/qdf_mem.c

qdf/linux/src/qdf_mem.c

@@ -2208,6 +2208,8 @@ int qdf_mem_multi_page_link(qdf_device_t osdev,
 		c_elem = (void **)page_info;
 		for (i_int = 0; i_int < pages->num_element_per_page; i_int++) {
 			if (i_int == (pages->num_element_per_page - 1)) {
+				if ((i + 1) == pages->num_pages)
+					break;
 				if (cacheable)
 					*c_elem = pages->
 						cacheable_pages[i + 1];
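Review bot: the new `break` on the last element of the last page exits before `*c_elem` is assigned, so that element's next pointer is whatever the page memory already held rather than an explicit terminator; unless code after this loop (outside the hunk) already ends the list, set `*c_elem = NULL;` before the `break` so a walker finds a well-defined end instead of trading an out-of-bounds read for an uninitialized link. A short comment that `(i + 1) == pages->num_pages` means "last page, nothing further to chain to" would also help the next reader.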