Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2224771imm; Thu, 18 Oct 2018 10:59:50 -0700 (PDT) X-Google-Smtp-Source: ACcGV63coI8faHxvUNjVq9Vy6Z+xk6fPsKvJr+DlCl2u/pwYgcHxHAh8pK8r4SY1t7Kx51fjCtto X-Received: by 2002:a17:902:8a89:: with SMTP id p9-v6mr31485233plo.183.1539885590485; Thu, 18 Oct 2018 10:59:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539885590; cv=none; d=google.com; s=arc-20160816; b=H05fHpPXZdnQAaIrT86xNsX8uBGECMHyKqj1+K0iSmDFTvqvta7K2SxpdSUpHZfOyx zoeiTOoeDPVA+7KkaWxIy/CY932JvnBaulRXtbVQIDuvX/VHavF/iCR/tqUUC/P2v9fZ DjxIU8yD0GrKa7eSQo6K+r38cwvuIZuwXZtk63oEf/24CmTnnniZzzClrrAbbC83L+Si v3Nvd5OwkzaLrfLFRffgkxC/xc04I8zPrxEw18J1vm3RJC3NU+XY1q9WfduykTv7H8NP Qas8/QuGLwN9aIeDKUc41kULcIa42DW32/OPmhnVHJaLLV2rYeiYtVaBfonFC2OGW3SR M61Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=O5olIG6YF0X3SM3ntUwcxcNCa2Nvnr5X3bwFjv1Ch9I=; b=jyrZGIqmoBvb6sehkmkBUJ26dEI2h8hezeP764IGOOBHLN2MCg1i0DvCCsPcGQztpg WxcQOh1jdbcbja87wc5tiyHeK+iiyuEmMFOiX/cUqj/adezqgMfgubhzq7oFBLk417/w PDav+9qQQCYA73oDgNZTzxqccTYAgMGbkmZitC/U7A3pEsTmuDjd2ouiOE2qiWHcPXhy jfbefIdiH+MbLla9lq+GWyDbNfDe/kxxmuYnXjF1Dz02iFu4u4C5GkrS7/8R59J9nbiz TmkFRI4xF1BKo6J5u2Igz4mkl3dKue2yB7PCIFHmDGP0hb/8MBL5pb5Iwo4nx498KR8Y xXkQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=NYE3m+jr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 32-v6si12933204plg.241.2018.10.18.10.59.34; Thu, 18 Oct 2018 10:59:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=NYE3m+jr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729064AbeJSCAd (ORCPT + 99 others); Thu, 18 Oct 2018 22:00:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:48214 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726650AbeJSCAc (ORCPT ); Thu, 18 Oct 2018 22:00:32 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id ADDBB21476; Thu, 18 Oct 2018 17:58:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539885507; bh=UwhtS79I2kIbhG3ok3hjKu9+xYqoTXeKjaFCaQHsJnc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=NYE3m+jrsrMb8IM2PY6bge5bKSCMSxeAGTodKTdpjdyRbZpDKE7wuWV/4JZ+UMnhc Ih/wc6YAGGApvY6KpKb1vgpR0aZMBRKl2BD3x26KaTguYFSzw/6FstT5Y+7jqycisX 9tZAAISosRIYjM0UeDk7q95JivcYEkMzBDNnkRPg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sven Eckelmann , Marek Lindner , Simon Wunderlich , Sasha Levin Subject: [PATCH 4.18 08/53] batman-adv: Fix segfault when writing to sysfs elp_interval Date: Thu, 18 Oct 2018 19:54:01 +0200 Message-Id: <20181018175418.280321081@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181018175416.561567978@linuxfoundation.org> References: <20181018175416.561567978@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sven Eckelmann [ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ] The per hardif sysfs file "batman_adv/elp_interval" is using the generic functions to store/show uint values. The helper __batadv_store_uint_attr requires the softif net_device as parameter to print the resulting change as info text when the users writes to this file. It uses the helper function batadv_info to add it at the same time to the kernel ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled). The function batadv_info requires as first parameter the batman-adv softif net_device. This parameter is then used to find the private buffer which contains the debug log for this batman-adv interface. But batadv_store_throughput_override used as first argument the slave net_device. This slave device doesn't have the batadv_priv private data which is access by batadv_info. Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead to a segfault or to memory corruption. Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT") Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/sysfs.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) --- a/net/batman-adv/sysfs.c +++ b/net/batman-adv/sysfs.c @@ -188,7 +188,8 @@ ssize_t batadv_store_##_name(struct kobj \ return __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &bat_priv->_var, net_dev); \ + &bat_priv->_var, net_dev, \ + NULL); \ } #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \ @@ -262,7 +263,9 @@ ssize_t batadv_store_##_name(struct kobj \ length = __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &hard_iface->_var, net_dev); \ + &hard_iface->_var, \ + hard_iface->soft_iface, \ + net_dev); \ \ batadv_hardif_put(hard_iface); \ return length; \ @@ -356,10 +359,12 @@ __batadv_store_bool_attr(char *buff, siz static int batadv_store_uint_attr(const char *buff, size_t count, struct net_device *net_dev, + struct net_device *slave_dev, const char *attr_name, unsigned int min, unsigned int max, atomic_t *attr) { + char ifname[IFNAMSIZ + 3] = ""; unsigned long uint_val; int ret; @@ -385,8 +390,11 @@ static int batadv_store_uint_attr(const if (atomic_read(attr) == uint_val) return count; - batadv_info(net_dev, "%s: Changing from: %i to: %lu\n", - attr_name, atomic_read(attr), uint_val); + if (slave_dev) + snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name); + + batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n", + attr_name, ifname, atomic_read(attr), uint_val); atomic_set(attr, uint_val); return count; @@ -397,12 +405,13 @@ static ssize_t __batadv_store_uint_attr( void (*post_func)(struct net_device *), const struct attribute *attr, atomic_t *attr_store, - struct net_device *net_dev) + struct net_device *net_dev, + struct net_device *slave_dev) { int ret; - ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max, - attr_store); + ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev, + attr->name, min, max, attr_store); if (post_func && ret) post_func(net_dev); @@ -571,7 +580,7 @@ static ssize_t batadv_store_gw_sel_class return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE, batadv_post_gw_reselect, attr, &bat_priv->gw.sel_class, - bat_priv->soft_iface); + bat_priv->soft_iface, NULL); } static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,