Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2232705imm; Thu, 18 Oct 2018 11:06:33 -0700 (PDT) X-Google-Smtp-Source: ACcGV612e0yZu6hD+QaELAyftl1eSJd+vmv+h5f9o/3Afn6iEmPns3jX1Ke0V/eS2c67YyeTJEfr X-Received: by 2002:a63:1342:: with SMTP id 2-v6mr29288137pgt.19.1539885993600; Thu, 18 Oct 2018 11:06:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539885993; cv=none; d=google.com; s=arc-20160816; b=J5KLDt7QSzxw5iWuzPbB1qW/JDpzmh6uXGP788yuA/Fvde/ysReAeWFNZfPWdwWSvO xHg/cdCiEz3H9JhV+0AHuea05kpyf7peWaX87RDzcSynFSijzCPS4gKYcLUQcihNROS8 Xl/9ZIHd7nG66hOZY3KmT9Lp7QbXZ7ayaN00+2z3wLb7GSINtctE7UohT82qcdab7rZZ CmXqQVIVk9naQcGwH1u21F8P0zaWmxRrfRWvY1bM/ucUhzCLBMLJp7f0RMwsA+FPkcuE 34gGVNIjP1zKGkGOEE/rOCy+Sx/Iylsv4mb78EP3afUD4p/1Dw6Lh1dvOcfi/L+BSgi5 H59w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=WAPQRirIjdyRz9GpqJOs4fmkzGQftnXiuWMqzBkRpHc=; b=t4VDk0Ckeblx/k50JmIZo6DuebSSGhgpJK+gb3AYGvzy6Li7I0PbZTbP578ZwcG9oq MIUI4XNfTkxx08mA7bLFjTtf/19rIBOkbW1fdGxIRObW4ygB19U2rElPS2Hl5g7eJQFI U/2McUd3c4OitujC+Rno7pEE7vIAhCDViaWlOac1Q6+woDKLvrRhhUDWJ0ZwsFRJLeOi bOWcQ0Fsy7P0kDDXHd7dTLzgDYD+C/4MfhGV0ApduMFGRKp+2suPE1HnSPNtBXL2upds o8G+XOcAM4yPaNQfE2NNFTJD75iUUHKriOPjmk+7LfvsV8n6Uw1Hx4VC6OXjx0c8Ga+1 WWbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ywVN6vpa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h12-v6si21245046plt.240.2018.10.18.11.06.18; Thu, 18 Oct 2018 11:06:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ywVN6vpa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730000AbeJSCF7 (ORCPT + 99 others); Thu, 18 Oct 2018 22:05:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:54152 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728416AbeJSCF7 (ORCPT ); Thu, 18 Oct 2018 22:05:59 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 98BEB21476; Thu, 18 Oct 2018 18:03:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539885832; bh=WtF5NOTEi0Pt5/BAvXwJCLWLj+OIPDKX2CT1CtwsZN4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ywVN6vpauMlG3i3V7Ya9E5cdtztR8U08DcXXUgjYs2HsYHVHtDQeGccdH/DCmqB+6 rpad3pZO+73lVEb7PDbjtUM9z/oxZClREwMD7Mpr8GTrTrenUbLnuMFE09FBNZkv6V 6j4pLVnSzum3rDT8U50hld+e6D12gr+18xzu/fWg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sven Eckelmann , Marek Lindner , Simon Wunderlich , Sasha Levin Subject: [PATCH 4.9 03/35] batman-adv: Fix segfault when writing to sysfs elp_interval Date: Thu, 18 Oct 2018 19:54:32 +0200 Message-Id: <20181018175422.974032369@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181018175422.506152522@linuxfoundation.org> References: <20181018175422.506152522@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sven Eckelmann [ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ] The per hardif sysfs file "batman_adv/elp_interval" is using the generic functions to store/show uint values. The helper __batadv_store_uint_attr requires the softif net_device as parameter to print the resulting change as info text when the users writes to this file. It uses the helper function batadv_info to add it at the same time to the kernel ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled). The function batadv_info requires as first parameter the batman-adv softif net_device. This parameter is then used to find the private buffer which contains the debug log for this batman-adv interface. But batadv_store_throughput_override used as first argument the slave net_device. This slave device doesn't have the batadv_priv private data which is access by batadv_info. Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead to a segfault or to memory corruption. Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT") Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/sysfs.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) --- a/net/batman-adv/sysfs.c +++ b/net/batman-adv/sysfs.c @@ -187,7 +187,8 @@ ssize_t batadv_store_##_name(struct kobj \ return __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &bat_priv->_var, net_dev); \ + &bat_priv->_var, net_dev, \ + NULL); \ } #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \ @@ -261,7 +262,9 @@ ssize_t batadv_store_##_name(struct kobj \ length = __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &hard_iface->_var, net_dev); \ + &hard_iface->_var, \ + hard_iface->soft_iface, \ + net_dev); \ \ batadv_hardif_put(hard_iface); \ return length; \ @@ -355,10 +358,12 @@ __batadv_store_bool_attr(char *buff, siz static int batadv_store_uint_attr(const char *buff, size_t count, struct net_device *net_dev, + struct net_device *slave_dev, const char *attr_name, unsigned int min, unsigned int max, atomic_t *attr) { + char ifname[IFNAMSIZ + 3] = ""; unsigned long uint_val; int ret; @@ -384,8 +389,11 @@ static int batadv_store_uint_attr(const if (atomic_read(attr) == uint_val) return count; - batadv_info(net_dev, "%s: Changing from: %i to: %lu\n", - attr_name, atomic_read(attr), uint_val); + if (slave_dev) + snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name); + + batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n", + attr_name, ifname, atomic_read(attr), uint_val); atomic_set(attr, uint_val); return count; @@ -396,12 +404,13 @@ static ssize_t __batadv_store_uint_attr( void (*post_func)(struct net_device *), const struct attribute *attr, atomic_t *attr_store, - struct net_device *net_dev) + struct net_device *net_dev, + struct net_device *slave_dev) { int ret; - ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max, - attr_store); + ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev, + attr->name, min, max, attr_store); if (post_func && ret) post_func(net_dev); @@ -570,7 +579,7 @@ static ssize_t batadv_store_gw_sel_class return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE, batadv_post_gw_reselect, attr, &bat_priv->gw.sel_class, - bat_priv->soft_iface); + bat_priv->soft_iface, NULL); } static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,