Wlan: Fix out of bound access in WDI_ProcessTriggerBAReq
Out of bound access is reported by kernel address
sanitizer (KASan) tool.
==========================================================================
BUG: KASAN: slab-out-of-bounds in WDI_ProcessTriggerBAReq+0x4b8/0x66c[wlan]
at addr ffffffc058089818
Read of size 1 by task VosMCThread/28193
==========================================================================
BUG kmalloc-128 (Tainted: P B W O ): kasan: bad access detected
---------------------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e98084>] dump_stack+0x74/0xfc
[<ffffffc0002f2fac>] print_trailer+0x150/0x164
[<ffffffc0002f3374>] object_err+0x38/0x4c
[<ffffffc0002f88ac>] kasan_report+0x34c/0x504
[<ffffffc0002f8a78>] __asan_report_load1_noabort+0x14/0x20
[<ffffffbffcd80afc>] WDI_ProcessTriggerBAReq+0x4b4/0x66c [wlan]
[<ffffffbffcd6289c>] WDI_MainReqStarted+0x168/0x1a8 [wlan]
[<ffffffbffcd64598>] WDI_PostMainEvent+0x14c/0x208 [wlan]
[<ffffffbffcd6a058>] WDI_PALCtrlMsgCB+0x1d0/0x18d8 [wlan]
[<ffffffbffcd02614>] VosMCThread+0x3d4/0x950 [wlan]
[<ffffffc0000f1f24>] kthread+0x22c/0x240
==========================================================================
While queuing the req in WDI_QueuePendingReq, the length passed
doesnt consider the extra user data appended to the trigger ba req.
Thus the memory is allocated will invalid length.
To fix this add the extra user data length to total length before
passing it to WDI_QueuePendingReq.
Change-Id: Ied4024f74d4d05ad6d8e03d1320cc704cb70b6e3
CRs-Fixed: 972757
3 files changed