From: Christian Lamparter <chunkeey@googlemail.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Christian Lamparter <chunkeey@googlemail.com>,
Kalle Valo <kvalo@codeaurora.org>,
linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
b43-dev@lists.infradead.org, Nicolai Stange <nicstange@gmail.com>,
Ben Greear <greearb@candelatech.com>,
Larry Finger <Larry.Finger@lwfinger.net>
Subject: [PATCH 2/4] carl9170: fix debugfs crashes
Date: Wed, 21 Sep 2016 18:29:26 +0200
Message-ID: <1927662.l0xhZ6GL0u@debian64>
In-Reply-To: <20160921101325.GA22263@kroah.com>
On Wednesday, September 21, 2016 12:13:25 PM CEST Greg KH wrote:
> On Sat, Sep 17, 2016 at 09:43:02PM +0200, Christian Lamparter wrote:
> > Ben Greear reported:
> > > I see lots of instability as soon as I load up the carl9710 NIC.
> > > My application is going to be poking at it's debugfs files...
> > >
> > > BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0
> > > [carl9170] at addr ffff8801bc1208b0
> > > Read of size 8 by task btserver/5888
> > > =======================================================================
> > > BUG kmalloc-256 (Tainted: G W ): kasan: bad access detected
> > > -----------------------------------------------------------------------
> > >
> > > INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772
> > >...
> >
> > This breakage was caused by the introduction of intermediate
> > fops in debugfs by commit 9fd4dcece43a
> > ("debugfs: prevent access to possibly dead file_operations at file open")
> >
> > Thankfully, the original/real fops are still available in d_fsdata.
> >
> > Reported-by: Ben Greear <greearb@candelatech.com>
> > Reviewed-by: Nicolai Stange <nicstange@gmail.com>
> > Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
> > Acked-by: Kalle Valo <kvalo@codeaurora.org>
> > Cc: stable <stable@vger.kernel.org> # 4.7+
> > ---
> > drivers/net/wireless/ath/carl9170/debug.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c
> > index 01a0919..ad7ffd5 100644
> > --- a/drivers/net/wireless/ath/carl9170/debug.c
> > +++ b/drivers/net/wireless/ath/carl9170/debug.c
> > @@ -75,7 +75,7 @@ static ssize_t carl9170_debugfs_read(struct file *file, char __user *userbuf,
> >
> > if (!ar)
> > return -ENODEV;
> > - dfops = container_of(file->f_path.dentry->d_fsdata,
> > + dfops = container_of(debugfs_real_fops(file),
> > struct carl9170_debugfs_fops, fops);
> >
> > if (!dfops->read)
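Review bot: The removed line in carl9170_debugfs_read() already takes the fops from file->f_path.dentry->d_fsdata, which is exactly where the changelog says the real fops are still available, so the pre-image looks like an intermediate local fix rather than the code in the tree. That would also explain the report below that it does not apply to 4.8-rc5 or 4.8-rc7. Please regenerate the diff against an unmodified tree and reword the changelog sentence so it names debugfs_real_fops(file) as the way the fops are obtained.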
> > @@ -128,7 +128,7 @@ static ssize_t carl9170_debugfs_write(struct file *file,
> >
> > if (!ar)
> > return -ENODEV;
> > - dfops = container_of(file->f_path.dentry->d_fsdata,
> > + dfops = container_of(debugfs_real_fops(file),
> > struct carl9170_debugfs_fops, fops);
> > if (!dfops->write)
> > return -ENOSYS;
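Review bot: debugfs_real_fops() in carl9170_debugfs_write() is not defined by this diff, which touches only debug.c, yet the changelog carries "Cc: stable # 4.7+". Please name the patch that introduces the accessor as a prerequisite on the stable line; otherwise a backport of this change alone will not build.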
>
> What tree is this against? I can't apply it to 4.8-rc5, or 4.8-rc7, are
> you sure it is still needed?
---
Yes, the patch is needed. That said, I screwed this patch up and as a result
it is faulty. I'll send out v2 shortly.
Thanks,
Christian
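
The failure described in the quoted changelog, as an added userspace model that is not part of the original message or of the carl9170 driver: container_of() only recovers the driver's wrapper when it is handed the driver's own embedded fops, not the intermediate fops installed at open. All type and function names (drv_debugfs_fops, model_open, model_real_fops, recovers_wrapper) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every type and function here is an illustrative
 * stand-in, not kernel or carl9170 code. */
#define container_of(ptr, type, member) \
	((type *)((uintptr_t)(ptr) - offsetof(type, member)))

struct file_operations { int (*open)(void); };

/* Driver wrapper: a private field, then the embedded fops given to debugfs. */
struct drv_debugfs_fops {
	unsigned int read_bufsize;
	struct file_operations fops;
};

struct dentry { const void *d_fsdata; };      /* keeps the driver's real fops */
struct file {
	const struct file_operations *f_op;   /* intermediate fops set at open */
	struct dentry *dentry;
};

/* Model of the accessor the patch calls: hand back the driver's own fops. */
static const struct file_operations *model_real_fops(const struct file *f)
{
	return f->dentry->d_fsdata;
}

/* Open as a proxying debugfs would: f_op is a separate, smaller object. */
static struct file model_open(struct dentry *d)
{
	struct file f = { calloc(1, sizeof(struct file_operations)), d };
	return f;
}

/* Returns 1 when container_of() on fops lands on the driver's wrapper. */
static int recovers_wrapper(const struct file_operations *fops,
			    const struct drv_debugfs_fops *expected)
{
	return container_of(fops, struct drv_debugfs_fops, fops) == expected;
}

int main(void)
{
	struct drv_debugfs_fops w = { 4096, { NULL } };   /* constructed sample */
	struct dentry d = { &w.fops };
	struct file f = model_open(&d);
	printf("via f_op: %d, via real fops: %d\n", recovers_wrapper(f.f_op, &w),
	       recovers_wrapper(model_real_fops(&f), &w));
	free((void *)f.f_op);
	return 0;
}
```

In the model, the pointer computed from f_op lies outside the intermediate object, so any field read through it would be out of bounds for that allocation.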