Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933562AbcJUJTf (ORCPT ); Fri, 21 Oct 2016 05:19:35 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:46897 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933038AbcJUJTa (ORCPT ); Fri, 21 Oct 2016 05:19:30 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Greear , Christian Lamparter Subject: [PATCH 4.7 09/45] carl9170: fix debugfs crashes Date: Fri, 21 Oct 2016 11:17:29 +0200 Message-Id: <20161021091427.726997924@linuxfoundation.org> X-Mailer: git-send-email 2.10.0 In-Reply-To: <20161021091427.214431885@linuxfoundation.org> References: <20161021091427.214431885@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2026 Lines: 59 4.7-stable review patch. If anyone has any objections, please let me know. ------------------ From: Christian Lamparter commit 6ee6d1cb391ca85b419f8d18bdfb1f020a5e859c upstream. Ben Greear reported: > I see lots of instability as soon as I load up the carl9710 NIC. > My application is going to be poking at it's debugfs files... > > BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0 > [carl9170] at addr 0xffff8801bc1208b0 > Read of size 8 by task btserver/5888 > ======================================================================= > BUG kmalloc-256 (Tainted: G W ): kasan: bad access detected > ----------------------------------------------------------------------- > > INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772 >... This breakage was caused by the introduction of intermediate fops in debugfs by commit 9fd4dcece43a ("debugfs: prevent access to possibly dead file_operations at file open") Thankfully, the original/real fops are still available in d_fsdata. Reported-by: Ben Greear Signed-off-by: Christian Lamparter Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/ath/carl9170/debug.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/net/wireless/ath/carl9170/debug.c +++ b/drivers/net/wireless/ath/carl9170/debug.c @@ -75,7 +75,8 @@ static ssize_t carl9170_debugfs_read(str if (!ar) return -ENODEV; - dfops = container_of(file->f_op, struct carl9170_debugfs_fops, fops); + dfops = container_of(debugfs_real_fops(file), + struct carl9170_debugfs_fops, fops); if (!dfops->read) return -ENOSYS; @@ -127,7 +128,8 @@ static ssize_t carl9170_debugfs_write(st if (!ar) return -ENODEV; - dfops = container_of(file->f_op, struct carl9170_debugfs_fops, fops); + dfops = container_of(debugfs_real_fops(file), + struct carl9170_debugfs_fops, fops); if (!dfops->write) return -ENOSYS;