From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Chen-Yu Tsai, Sasha Levin
Subject: [PATCH 4.19 050/247] staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules
Date: Mon, 1 Mar 2021 17:11:10 +0100
Message-Id: <20210301161034.122579753@linuxfoundation.org>
In-Reply-To: <20210301161031.684018251@linuxfoundation.org>
References: <20210301161031.684018251@linuxfoundation.org>

From: Chen-Yu Tsai

[ Upstream commit 61834c967a929f6b4b7fcb91f43fa225cc29aa19 ]

The custom regulatory ruleset in the rtl8723bs driver lists an incorrect
number of rules: one too many. This results in an out-of-bounds access,
as detected by KASAN. This was possible thanks to the newly added support
for KASAN on ARMv7.

Fix this by filling in the correct number of rules given.

KASAN report:

==================================================================
BUG: KASAN: global-out-of-bounds in cfg80211_does_bw_fit_range+0x14/0x4c [cfg80211]
Read of size 4 at addr bf20c254 by task ip/971

CPU: 2 PID: 971 Comm: ip Tainted: G C 5.11.0-rc2-00020-gf7fe528a7ebe #1
Hardware name: Allwinner sun8i Family
[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[] (show_stack) from [] (dump_stack+0x9c/0xb4)
[] (dump_stack) from [] (print_address_description.constprop.2+0x1dc/0x2dc)
[] (print_address_description.constprop.2) from [] (kasan_report+0x1a8/0x1c4)
[] (kasan_report) from [] (cfg80211_does_bw_fit_range+0x14/0x4c [cfg80211])
[] (cfg80211_does_bw_fit_range [cfg80211]) from [] (freq_reg_info_regd.part.6+0x108/0x124 [>
[] (freq_reg_info_regd.part.6 [cfg80211]) from [] (handle_channel_custom.constprop.12+0x48/>
[] (handle_channel_custom.constprop.12 [cfg80211]) from [] (wiphy_apply_custom_regulatory+0>
[] (wiphy_apply_custom_regulatory [cfg80211]) from [] (rtw_regd_init+0x60/0x70 [r8723bs])
[] (rtw_regd_init [r8723bs]) from [] (rtw_cfg80211_init_wiphy+0x164/0x1e8 [r8723bs])
[] (rtw_cfg80211_init_wiphy [r8723bs]) from [] (_netdev_open+0xe4/0x28c [r8723bs])
[] (_netdev_open [r8723bs]) from [] (netdev_open+0x60/0x88 [r8723bs])
[] (netdev_open [r8723bs]) from [] (__dev_open+0x178/0x220)
[] (__dev_open) from [] (__dev_change_flags+0x258/0x2c4)
[] (__dev_change_flags) from [] (dev_change_flags+0x40/0x80)
[] (dev_change_flags) from [] (do_setlink+0x538/0x1160)
[] (do_setlink) from [] (__rtnl_newlink+0x65c/0xad8)
[] (__rtnl_newlink) from [] (rtnl_newlink+0x4c/0x6c)
[] (rtnl_newlink) from [] (rtnetlink_rcv_msg+0x1f8/0x454)
[] (rtnetlink_rcv_msg) from [] (netlink_rcv_skb+0xc4/0x1e0)
[] (netlink_rcv_skb) from [] (netlink_unicast+0x2c8/0x3c4)
[] (netlink_unicast) from [] (netlink_sendmsg+0x320/0x5f0)
[] (netlink_sendmsg) from [] (____sys_sendmsg+0x320/0x3e0)
[] (____sys_sendmsg) from [] (___sys_sendmsg+0xe8/0x12c)
[] (___sys_sendmsg) from [] (__sys_sendmsg+0xc0/0x120)
[] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x58)
Exception stack(0xc5693fa8 to 0xc5693ff0)
3fa0:                   00000074 c7a39800 00000003 b6cee648 00000000 00000000
3fc0: 00000074 c7a39800 00000001 00000128 78d18349 00000000 b6ceeda0 004f7cb0
3fe0: 00000128 b6cee5e8 aeca151f aec1d746

The buggy address belongs to the variable:
 rtw_drv_halt+0xf908/0x6b4 [r8723bs]

Memory state around the buggy address:
 bf20c100: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
 bf20c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>bf20c200: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
                                         ^
 bf20c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 bf20c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Signed-off-by: Chen-Yu Tsai
Link: https://lore.kernel.org/r/20210108141401.31741-1-wens@kernel.org
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
--- drivers/staging/rtl8723bs/os_dep/wifi_regd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/os_dep/wifi_regd.c b/drivers/staging/rtl8723bs/os_dep/wifi_regd.c index aa2f62acc994d..4dd6f3fb59060 100644 --- a/drivers/staging/rtl8723bs/os_dep/wifi_regd.c +++ b/drivers/staging/rtl8723bs/os_dep/wifi_regd.c @@ -39,7 +39,7 @@ NL80211_RRF_PASSIVE_SCAN | NL80211_RRF_NO_OFDM) static const struct ieee80211_regdomain rtw_regdom_rd = { - .n_reg_rules = 3, + .n_reg_rules = 2, .alpha2 = "99", .reg_rules = { RTW_2GHZ_CH01_11, -- 2.27.0
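
Review bot: The new `.n_reg_rules = 2` in `rtw_regdom_rd` is still a hand-maintained count that has to match the number of entries in `.reg_rules`, and the hunk context shows only the first entry (`RTW_2GHZ_CH01_11,`), so the value cannot be checked from the visible lines alone. Please confirm against the full initializer that exactly two rules are listed. A short comment beside `.n_reg_rules` stating that it must equal the number of `.reg_rules` entries would help keep the two in step, since the KASAN trace in the commit message shows cfg80211 reading past the end of the global when the count is one too high.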