Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3732695imm; Mon, 8 Oct 2018 08:40:07 -0700 (PDT) X-Google-Smtp-Source: ACcGV63UyMs3KrBCt6fBdDTSJuY/uquu2G4+P7S/eOVchii7cqnNDgvHCmUQA0R2D1LCJ4kAyjHK X-Received: by 2002:aa7:84cc:: with SMTP id x12-v6mr6830439pfn.220.1539013207525; Mon, 08 Oct 2018 08:40:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539013207; cv=none; d=google.com; s=arc-20160816; b=WX+f2HMAPvKUs9C3oWT7qHOutqXfYsT69vQ9peoJvRoawg1/cQUDP913KQ0RL/6ATt W0TZb8/VWMawWKJEVM581cRk6XCnGPdrKoKZsTG5MrkAzUbMrvXVDZFPea3lqD/9AG42 eDY8qqz02zhiIy/1NusK+aY7lKuuvGyElUBJjJnySS4RcQEIY7Zo+mZtpiByBmVcJL2w 3vmJbYLRiNN4nRaqte/JEF2qD93JYoQt1GB343NlP2asMDp1c/0OeHHh2JtiERIyg2Wc SYCzBvFJKjtJod7LFrj9wN04C47MzGun8Uifxk+MzyAjsrw9RtT01bJ8PW9O5lqBjzs9 ikqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=fDYPtNniASoxTUk99ouR1n80rL9/3Qia2j4l8mDI51g=; b=cQad7AXKgieF/qQNR1Ga9wl226EfeYNy81bv9EARWT+5UfQiMpJzFviG5RXC9m5pb1 BV7dNpHS20IBnDWS7PIN9gA4Gx8NCvg40BlYlfOsxLIPE5etO73aYGDFAWFfPnRcmqBo FXGHLzLpcaUf7I9MzLVDLnWfcPgBBlrVrDbPEllY93aeluKkQfyf622KGE8N3I7qvFlv qu3xcYsIH3nf/1f68pxNxry7tJJ4sOlD4JBQhN3pIDITN+tyHsuDZJhIWPJPEZBvggDl 5HYnJ7+ldq793q5nzQ5pVuCtL4rJvM9Ybp8Cr+fUNFMgJS3J1c5h8Sj5U7AMVB1oQcuN 5amQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TqN5fmbA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o7-v6si17254066pls.344.2018.10.08.08.39.51; Mon, 08 Oct 2018 08:40:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TqN5fmbA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726873AbeJHWhv (ORCPT + 99 others); Mon, 8 Oct 2018 18:37:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:55874 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726754AbeJHWhu (ORCPT ); Mon, 8 Oct 2018 18:37:50 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C973B20882; Mon, 8 Oct 2018 15:25:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539012335; bh=h64erg02s6LkNgIE8E2LyrJkEQljNy53QNiQfCS3W00=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TqN5fmbASWlWU+HVt2jJE/mJx7aCXGZBH7ra2EdLfiGx8RxpeD7zPhRZ/pajAiqvo 89NYSp22QUW0ty6DihJ9hRYeZkh81DK9ZkV3ii5gp7+7iKHduqcAvfEcVXcOkzsC/j 55Jx7SHf/QW1Ra7Ix+f2NBfWLIP5jMb6O0NQfmJc= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Sven Eckelmann , Simon Wunderlich , Sasha Levin Subject: [PATCH AUTOSEL 4.18 08/58] batman-adv: Fix segfault when writing to sysfs elp_interval Date: Mon, 8 Oct 2018 11:24:33 -0400 Message-Id: <20181008152523.70705-8-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181008152523.70705-1-sashal@kernel.org> References: <20181008152523.70705-1-sashal@kernel.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sven Eckelmann [ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ] The per hardif sysfs file "batman_adv/elp_interval" is using the generic functions to store/show uint values. The helper __batadv_store_uint_attr requires the softif net_device as parameter to print the resulting change as info text when the users writes to this file. It uses the helper function batadv_info to add it at the same time to the kernel ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled). The function batadv_info requires as first parameter the batman-adv softif net_device. This parameter is then used to find the private buffer which contains the debug log for this batman-adv interface. But batadv_store_throughput_override used as first argument the slave net_device. This slave device doesn't have the batadv_priv private data which is access by batadv_info. Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead to a segfault or to memory corruption. Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT") Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin --- net/batman-adv/sysfs.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/net/batman-adv/sysfs.c b/net/batman-adv/sysfs.c index 3a76e8970c02..09427fc6494a 100644 --- a/net/batman-adv/sysfs.c +++ b/net/batman-adv/sysfs.c @@ -188,7 +188,8 @@ ssize_t batadv_store_##_name(struct kobject *kobj, \ \ return __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &bat_priv->_var, net_dev); \ + &bat_priv->_var, net_dev, \ + NULL); \ } #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \ @@ -262,7 +263,9 @@ ssize_t batadv_store_##_name(struct kobject *kobj, \ \ length = __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &hard_iface->_var, net_dev); \ + &hard_iface->_var, \ + hard_iface->soft_iface, \ + net_dev); \ \ batadv_hardif_put(hard_iface); \ return length; \ @@ -356,10 +359,12 @@ __batadv_store_bool_attr(char *buff, size_t count, static int batadv_store_uint_attr(const char *buff, size_t count, struct net_device *net_dev, + struct net_device *slave_dev, const char *attr_name, unsigned int min, unsigned int max, atomic_t *attr) { + char ifname[IFNAMSIZ + 3] = ""; unsigned long uint_val; int ret; @@ -385,8 +390,11 @@ static int batadv_store_uint_attr(const char *buff, size_t count, if (atomic_read(attr) == uint_val) return count; - batadv_info(net_dev, "%s: Changing from: %i to: %lu\n", - attr_name, atomic_read(attr), uint_val); + if (slave_dev) + snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name); + + batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n", + attr_name, ifname, atomic_read(attr), uint_val); atomic_set(attr, uint_val); return count; @@ -397,12 +405,13 @@ static ssize_t __batadv_store_uint_attr(const char *buff, size_t count, void (*post_func)(struct net_device *), const struct attribute *attr, atomic_t *attr_store, - struct net_device *net_dev) + struct net_device *net_dev, + struct net_device *slave_dev) { int ret; - ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max, - attr_store); + ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev, + attr->name, min, max, attr_store); if (post_func && ret) post_func(net_dev); @@ -571,7 +580,7 @@ static ssize_t batadv_store_gw_sel_class(struct kobject *kobj, return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE, batadv_post_gw_reselect, attr, &bat_priv->gw.sel_class, - bat_priv->soft_iface); + bat_priv->soft_iface, NULL); } static ssize_t batadv_show_gw_bwidth(struct kobject *kobj, -- 2.17.1