Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2239448imm; Thu, 18 Oct 2018 11:12:51 -0700 (PDT) X-Google-Smtp-Source: ACcGV61XMoQxDHbSN5pQ9DoTvzYRDJma6QCou2gMtSR0YGpXgEHzNbl37vpzEJr3F/H70A7fyS3B X-Received: by 2002:a17:902:9a8b:: with SMTP id w11-v6mr26323946plp.94.1539886371008; Thu, 18 Oct 2018 11:12:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539886370; cv=none; d=google.com; s=arc-20160816; b=wnV5YSGhSZjXIGwvV39ppXUaolAXhliBvahhT9YBpV4U5S5llHrCQNS9damqj6Jqoh fM6X/yPVauWXqtxYMY3/1CxXz9M9Gmq7seTBs1I/S24YCtD3ktdYvBUphFTo+8ylMSGs HD3/Bphs51qcPYnp5s861mSpt4vLW6wJL8eVN6I1PqAfM5ayK0JFnk7X0DZUImQlnk4D qiDrFEsi/ziRqyVVh/o2xO1l3I8zC8P5sRvOFUNpua0Gh5Sn7bSBaDsFHA9TPu5FSNRL XiVzxw2UGwbdGRQ0cKdCHoZ4JVPd8dfqcWgHB4gBgCDegIM4Ky+NIvjOY1nyAZaEs8vk p3uQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=kI2TzQ6D6Lr68LskDZpIMirLq8wayu3wJpYeNYaxDac=; b=BnloM1YvILZxHzaIPQBpnWKgy9xVPHhxF7EnUgKrWJaQTsavFewQVlUnUGFmbdepJr EZwP7QcogV3lYZt5Vz76JMBxmJSkn/Q4Ll1Eb0Cx7jtr8fRmhXpCgFtUzSEfktmYOlMF mJANGF+aLnim1W6RtxERWtw/jurmSbYe8JJxESVKyLIhrAMSabCcqaP3JEfpz45QIs7d YfusUnl0MbA6rqLahQNNeQ2ljIPfkSQrsjS9c+TeWCvcqvrUZkEu9Heam1O9se98OrW/ wNQt52LHu9IAzVGZO/MKvoeu3HcAEEVo8A13Xs3O9sUAffw5LpVinEg1djeRXaFkv3bC bCjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="PHSrx86/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p6-v6si20672765plk.429.2018.10.18.11.12.36; Thu, 18 Oct 2018 11:12:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="PHSrx86/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729629AbeJSCDv (ORCPT + 99 others); Thu, 18 Oct 2018 22:03:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:51904 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729595AbeJSCDu (ORCPT ); Thu, 18 Oct 2018 22:03:50 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A03612148E; Thu, 18 Oct 2018 18:01:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539885704; bh=xYcB3DSzZvz8IMOhtc4DkR4FJw63fbZNmd9JpR8PVmA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PHSrx86/cjW7inFKnBPFGeLQD7Fmcqq+yZEscpUV0rQFnaw4+eLf1ZSQxg0TGxh6G ZfTqHK13vsxDBYXI9Rl7BLOv33oL5SC8arfekuHyXQb3AiD5lqMYt5g39421Xljkvb TcN9FifKcmt3RQE+qQQUIxaZpWL14Xcr2XYs5lrw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sven Eckelmann , Marek Lindner , Simon Wunderlich , Sasha Levin Subject: [PATCH 4.14 04/41] batman-adv: Fix segfault when writing to sysfs elp_interval Date: Thu, 18 Oct 2018 19:54:19 +0200 Message-Id: <20181018175417.306717591@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181018175416.718399607@linuxfoundation.org> References: <20181018175416.718399607@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sven Eckelmann [ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ] The per hardif sysfs file "batman_adv/elp_interval" is using the generic functions to store/show uint values. The helper __batadv_store_uint_attr requires the softif net_device as parameter to print the resulting change as info text when the users writes to this file. It uses the helper function batadv_info to add it at the same time to the kernel ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled). The function batadv_info requires as first parameter the batman-adv softif net_device. This parameter is then used to find the private buffer which contains the debug log for this batman-adv interface. But batadv_store_throughput_override used as first argument the slave net_device. This slave device doesn't have the batadv_priv private data which is access by batadv_info. Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead to a segfault or to memory corruption. Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT") Signed-off-by: Sven Eckelmann Acked-by: Marek Lindner Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/sysfs.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) --- a/net/batman-adv/sysfs.c +++ b/net/batman-adv/sysfs.c @@ -186,7 +186,8 @@ ssize_t batadv_store_##_name(struct kobj \ return __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &bat_priv->_var, net_dev); \ + &bat_priv->_var, net_dev, \ + NULL); \ } #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \ @@ -260,7 +261,9 @@ ssize_t batadv_store_##_name(struct kobj \ length = __batadv_store_uint_attr(buff, count, _min, _max, \ _post_func, attr, \ - &hard_iface->_var, net_dev); \ + &hard_iface->_var, \ + hard_iface->soft_iface, \ + net_dev); \ \ batadv_hardif_put(hard_iface); \ return length; \ @@ -354,10 +357,12 @@ __batadv_store_bool_attr(char *buff, siz static int batadv_store_uint_attr(const char *buff, size_t count, struct net_device *net_dev, + struct net_device *slave_dev, const char *attr_name, unsigned int min, unsigned int max, atomic_t *attr) { + char ifname[IFNAMSIZ + 3] = ""; unsigned long uint_val; int ret; @@ -383,8 +388,11 @@ static int batadv_store_uint_attr(const if (atomic_read(attr) == uint_val) return count; - batadv_info(net_dev, "%s: Changing from: %i to: %lu\n", - attr_name, atomic_read(attr), uint_val); + if (slave_dev) + snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name); + + batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n", + attr_name, ifname, atomic_read(attr), uint_val); atomic_set(attr, uint_val); return count; @@ -395,12 +403,13 @@ static ssize_t __batadv_store_uint_attr( void (*post_func)(struct net_device *), const struct attribute *attr, atomic_t *attr_store, - struct net_device *net_dev) + struct net_device *net_dev, + struct net_device *slave_dev) { int ret; - ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max, - attr_store); + ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev, + attr->name, min, max, attr_store); if (post_func && ret) post_func(net_dev); @@ -569,7 +578,7 @@ static ssize_t batadv_store_gw_sel_class return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE, batadv_post_gw_reselect, attr, &bat_priv->gw.sel_class, - bat_priv->soft_iface); + bat_priv->soft_iface, NULL); } static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,