From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sven Eckelmann <sven@narfation.org>,
Marek Lindner <mareklindner@neomailbox.ch>,
Simon Wunderlich <sw@simonwunderlich.de>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 04/41] batman-adv: Fix segfault when writing to sysfs elp_interval
Date: Thu, 18 Oct 2018 19:54:19 +0200 [thread overview]
Message-ID: <20181018175417.306717591@linuxfoundation.org> (raw)
In-Reply-To: <20181018175416.718399607@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
[ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ]
The per hardif sysfs file "batman_adv/elp_interval" is using the generic
functions to store/show uint values. The helper __batadv_store_uint_attr
requires the softif net_device as parameter to print the resulting change
as info text when the users writes to this file. It uses the helper
function batadv_info to add it at the same time to the kernel ring buffer
and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled).
The function batadv_info requires as first parameter the batman-adv softif
net_device. This parameter is then used to find the private buffer which
contains the debug log for this batman-adv interface. But
batadv_store_throughput_override used as first argument the slave
net_device. This slave device doesn't have the batadv_priv private data
which is access by batadv_info.
Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
to a segfault or to memory corruption.
Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/sysfs.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
--- a/net/batman-adv/sysfs.c
+++ b/net/batman-adv/sysfs.c
@@ -186,7 +186,8 @@ ssize_t batadv_store_##_name(struct kobj
\
return __batadv_store_uint_attr(buff, count, _min, _max, \
_post_func, attr, \
- &bat_priv->_var, net_dev); \
+ &bat_priv->_var, net_dev, \
+ NULL); \
}
#define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \
@@ -260,7 +261,9 @@ ssize_t batadv_store_##_name(struct kobj
\
length = __batadv_store_uint_attr(buff, count, _min, _max, \
_post_func, attr, \
- &hard_iface->_var, net_dev); \
+ &hard_iface->_var, \
+ hard_iface->soft_iface, \
+ net_dev); \
\
batadv_hardif_put(hard_iface); \
return length; \
@@ -354,10 +357,12 @@ __batadv_store_bool_attr(char *buff, siz
static int batadv_store_uint_attr(const char *buff, size_t count,
struct net_device *net_dev,
+ struct net_device *slave_dev,
const char *attr_name,
unsigned int min, unsigned int max,
atomic_t *attr)
{
+ char ifname[IFNAMSIZ + 3] = "";
unsigned long uint_val;
int ret;
@@ -383,8 +388,11 @@ static int batadv_store_uint_attr(const
if (atomic_read(attr) == uint_val)
return count;
- batadv_info(net_dev, "%s: Changing from: %i to: %lu\n",
- attr_name, atomic_read(attr), uint_val);
+ if (slave_dev)
+ snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name);
+
+ batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n",
+ attr_name, ifname, atomic_read(attr), uint_val);
atomic_set(attr, uint_val);
return count;
@@ -395,12 +403,13 @@ static ssize_t __batadv_store_uint_attr(
void (*post_func)(struct net_device *),
const struct attribute *attr,
atomic_t *attr_store,
- struct net_device *net_dev)
+ struct net_device *net_dev,
+ struct net_device *slave_dev)
{
int ret;
- ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max,
- attr_store);
+ ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev,
+ attr->name, min, max, attr_store);
if (post_func && ret)
post_func(net_dev);
@@ -569,7 +578,7 @@ static ssize_t batadv_store_gw_sel_class
return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE,
batadv_post_gw_reselect, attr,
&bat_priv->gw.sel_class,
- bat_priv->soft_iface);
+ bat_priv->soft_iface, NULL);
}
static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,
next prev parent reply other threads:[~2018-10-18 18:01 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-18 17:54 [PATCH 4.14 00/41] 4.14.78-stable review Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 01/41] media: af9035: prevent buffer overflow on write Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 02/41] batman-adv: Avoid probe ELP information leak Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 03/41] batman-adv: Fix segfault when writing to throughput_override Greg Kroah-Hartman
2018-10-18 17:54 ` Greg Kroah-Hartman [this message]
2018-10-18 17:54 ` [PATCH 4.14 05/41] batman-adv: Prevent duplicated gateway_node entry Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 06/41] batman-adv: Prevent duplicated nc_node entry Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 07/41] batman-adv: Prevent duplicated softif_vlan entry Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 08/41] batman-adv: Prevent duplicated global TT entry Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 09/41] batman-adv: Prevent duplicated tvlv handler Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 10/41] batman-adv: fix backbone_gw refcount on queue_work() failure Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 11/41] batman-adv: fix hardif_neigh " Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 12/41] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 13/41] scsi: ibmvscsis: Fix a stringop-overflow warning Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 14/41] scsi: ibmvscsis: Ensure partition name is properly NUL terminated Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 15/41] intel_th: pci: Add Ice Lake PCH support Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 16/41] Input: atakbd - fix Atari keymap Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 17/41] Input: atakbd - fix Atari CapsLock behaviour Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 18/41] net: emac: fix fixed-link setup for the RTL8363SB switch Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 19/41] ravb: do not write 1 to reserved bits Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 20/41] PCI: dwc: Fix scheduling while atomic issues Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 21/41] drm: mali-dp: Call drm_crtc_vblank_reset on device init Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 22/41] scsi: ipr: System hung while dlpar adding primary ipr adapter back Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 23/41] scsi: sd: dont crash the host on invalid commands Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 24/41] net/mlx4: Use cpumask_available for eq->affinity_mask Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 25/41] clocksource/drivers/fttmr010: Fix set_next_event handler Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 26/41] RISC-V: include linux/ftrace.h in asm-prototypes.h Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 27/41] powerpc/tm: Fix userspace r13 corruption Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 28/41] powerpc/tm: Avoid possible userspace r1 corruption on reclaim Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 29/41] iommu/amd: Return devid as alias for ACPI HID devices Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 30/41] powerpc/lib/feature-fixups: use raw_patch_instruction() Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 31/41] Revert "vfs: fix freeze protection in mnt_want_write_file() for overlayfs" Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 32/41] mremap: properly flush TLB before releasing the page Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 33/41] ARC: build: Get rid of toolchain check Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 34/41] ARC: build: Dont set CROSS_COMPILE in archs Makefile Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 35/41] HID: quirks: fix support for Apple Magic Keyboards Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 36/41] drm/i915: Nuke the LVDS lid notifier Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 37/41] staging: ccree: check DMA pool buf !NULL before free Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 38/41] mm: disallow mappings that conflict for devm_memremap_pages() Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 39/41] drm/i915/glk: Add Quirk for GLK NUC HDMI port issues Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 40/41] i2c: rcar: handle RXDMA HW behaviour on Gen3 Greg Kroah-Hartman
2018-10-18 17:54 ` [PATCH 4.14 41/41] IB/hfi1: Fix destroy_qp hang after a link down Greg Kroah-Hartman
2018-10-19 1:41 ` [PATCH 4.14 00/41] 4.14.78-stable review Nathan Chancellor
2018-10-19 8:15 ` Greg Kroah-Hartman
2018-10-19 12:10 ` Rafael David Tinoco
2018-10-19 15:49 ` Guenter Roeck
2018-10-19 20:43 ` Shuah Khan
2018-10-22 13:03 ` Jon Hunter
2018-10-22 13:03 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181018175417.306717591@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mareklindner@neomailbox.ch \
--cc=stable@vger.kernel.org \
--cc=sven@narfation.org \
--cc=sw@simonwunderlich.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.