cc74d108d0c2abe4f0ab56ea00788f2e10bc44d1

In qdf_mem_multi_page_link, pages->cacheable_pages is an array with pages->num_pages elements, but pages->cacheable_pages[pages->num_pages] is read; an out-of-bounds error will be reported if KASAN is enabled.

When the ini dp_tx_ext_desc is 6144 and DP_TX_DESC_POOL_SIZE is 6144, the size in bytes of TX TSO Num Seg Desc is 16 and the page size is 4096, so TX TSO Num Seq Desc needs 24 pages (6144*16/4096). Each address needs 8 bytes, so TSO Num Seq Desc needs to kmalloc 192 bytes to save the addresses of the 24 pages.

BUG: KASAN: slab-out-of-bounds in qdf_mem_multi_page_link+0x190/0x1f4
Read of size 8 at addr ffffff816b4d60c0 by task kworker/u16:0/8

CPU: 7 PID: 8 Comm: kworker/u16:0 Tainted: G S W O
Workqueue: cnss_driver_event cnss_driver_event_work
Call trace:
 dump_backtrace+0x0/0x204
 show_stack+0x18/0x24
 dump_stack+0xcc/0x11c
 print_address_description+0x88/0x578
 __kasan_report+0x1ac/0x20c
 kasan_report+0x14/0x20
 __asan_load8+0x98/0x9c
 qdf_mem_multi_page_link+0x190/0x1f4 [wlan]
 dp_tx_tso_num_seg_pool_init+0x84/0x170 [wlan]
 dp_soc_tx_desc_sw_pools_init+0xb4/0x128 [wlan]
 dp_soc_init+0xf78/0x18c8 [wlan]
 dp_soc_init_wifi3+0x14/0x20 [wlan]
 cds_open+0x7e8/0x15fc [wlan]
 hdd_wlan_start_modules+0x7d8/0xf10 [wlan]
 hdd_wlan_startup+0x17c/0xbd4 [wlan]
 wlan_hdd_pld_probe+0x234/0x370 [wlan]
 pld_pcie_probe+0x6c/0x88 [wlan]
 cnss_pci_call_driver_probe+0xd8/0x358
 cnss_bus_call_driver_probe+0x38/0x6c
 cnss_driver_event_work+0xf14/0x1188
 process_one_work+0x53c/0x8b8
 worker_thread+0x4f8/0x928
 kthread+0x1e8/0x200
 ret_from_fork+0x10/0x18

Allocated by task 8:
 __kasan_kmalloc+0x100/0x1c0
 kasan_kmalloc+0x10/0x1c
 __kmalloc+0x130/0x448
 kzalloc+0x14/0x20 [wlan]
 __qdf_mem_malloc+0xcc/0x120 [wlan]
 qdf_mem_multi_pages_alloc+0xc0/0x580 [wlan]
 dp_prealloc_init+0x1b0/0x48c [wlan]
 wlan_hdd_pld_probe+0x200/0x370 [wlan]
 pld_pcie_probe+0x6c/0x88 [wlan]
 cnss_pci_call_driver_probe+0xd8/0x358
 cnss_bus_call_driver_probe+0x38/0x6c
 cnss_driver_event_work+0xf14/0x1188
 process_one_work+0x53c/0x8b8
 worker_thread+0x4f8/0x928
 kthread+0x1e8/0x200
 ret_from_fork+0x10/0x18

The bad address belongs to the object which belongs to the cache kmalloc-192 of size 192
The bad address is located 0 bytes to the right of f816b4d60c0).

Change-Id: I6569c22bc8f900296f49a4426f085912a33aa452
CRs-Fixed: 3014390
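An added illustration, not code from the driver or from this commit: a simplified C model of chaining elements across a page-pointer array so that index num_pages is never read, including the case where the elements fill the last page exactly. The struct layout, the function names and the NULL-terminated chain are assumptions; only the 6144 / 16 / 4096 sizing comes from the commit message.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical simplified model of a multi-page pool; not the driver's types. */
struct multi_pages {
    size_t num_pages, elems_per_page, elem_size;
    void **cacheable_pages;              /* valid indexes: 0 .. num_pages - 1 */
};

/* Pages needed for elem_count elements, e.g. 6144 * 16 / 4096 = 24. */
size_t pages_needed(size_t elem_count, size_t elem_size, size_t page_size)
{
    size_t per_page = page_size / elem_size;
    return (elem_count + per_page - 1) / per_page;
}

/* Chain each element to the next; the final one stays NULL. Returns count. */
size_t link_pages(struct multi_pages *p, size_t elem_count)
{
    size_t linked = 0;
    for (size_t i = 0; i < p->num_pages; i++) {
        uint8_t *page = p->cacheable_pages[i];
        for (size_t j = 0; j < p->elems_per_page; j++) {
            void **elem = (void **)(page + j * p->elem_size);
            *elem = NULL;
            if (++linked == elem_count)  /* last element: stop before any */
                return linked;           /* lookup of a following page    */
            if (j + 1 < p->elems_per_page)
                *elem = page + (j + 1) * p->elem_size;
            else if (i + 1 < p->num_pages) /* bound check before index i + 1 */
                *elem = p->cacheable_pages[i + 1];
        }
    }
    return linked;
}

/* Build a pool, link it, walk the chain and return the chain length. */
size_t demo_chain_length(size_t elem_count, size_t elem_size, size_t page_size)
{
    if (!elem_count) return 0;
    struct multi_pages p = { pages_needed(elem_count, elem_size, page_size),
                             page_size / elem_size, elem_size, NULL };
    p.cacheable_pages = calloc(p.num_pages, sizeof(void *)); /* num_pages slots only */
    for (size_t i = 0; i < p.num_pages; i++) p.cacheable_pages[i] = calloc(1, page_size);
    link_pages(&p, elem_count);
    size_t n = 0;
    for (void **e = p.cacheable_pages[0]; e; e = *e) n++;
    for (size_t i = 0; i < p.num_pages; i++) free(p.cacheable_pages[i]);
    free(p.cacheable_pages);
    return n;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) gives a user-space analogue of the KASAN check: the walk completes cleanly because the pointer array is never indexed at num_pages.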
This is CNSS WLAN Host Driver for products starting from iHelium