Re-order bus header field before payload msg

The DHD driver implementation derives the bus header
pointer based on the msg payload pointer, assuming
the header memory is always before the msg payload.

DHD ver 1.201.82 has swapped the order of msg payload
field to be before bus header in struct dhd_prot_t.
This causes memory corruption when the driver tries to
access header contents by seeking the msg pointer
backwards.

Previous versions of the DHD driver do not have this
issue, and later versions 1.363.x have the correct order
(Header before the payload)

Bug 200128157

Change-Id: I33c1c99fad970c6aa221537a5bf0496666ea6d00
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/800359
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

diff --git a/drivers/net/wireless/bcmdhd/dhd_cdc.c b/drivers/net/wireless/bcmdhd/dhd_cdc.c
index 59a762dc3b3205ea23c31f0d93af5c3dc239022c..b96261a5b76f4952de454fe3071e946dbebfa380 100644 (file)
--- a/drivers/net/wireless/bcmdhd/dhd_cdc.c
+++ b/drivers/net/wireless/bcmdhd/dhd_cdc.c
@@ -58,12 +58,12 @@
                                 */
 
 typedef struct dhd_prot {
-       cdc_ioctl_t msg;
-       unsigned char buf[WLC_IOCTL_MAXLEN + ROUND_UP_MARGIN];
        uint16 reqid;
        uint8 pending;
        uint32 lastcmd;
        uint8 bus_header[BUS_HEADER_LEN];
+       cdc_ioctl_t msg;
+       unsigned char buf[WLC_IOCTL_MAXLEN + ROUND_UP_MARGIN];
 } dhd_prot_t;