From patchwork Wed Sep 21 16:49:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Lamparter X-Patchwork-Id: 9343903 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3C2986077A for ; Wed, 21 Sep 2016 16:49:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3B6E72A766 for ; Wed, 21 Sep 2016 16:49:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2FD8D2A7A9; Wed, 21 Sep 2016 16:49:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B1AE82A76A for ; Wed, 21 Sep 2016 16:49:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964851AbcIUQtm (ORCPT ); Wed, 21 Sep 2016 12:49:42 -0400 Received: from mail-wm0-f68.google.com ([74.125.82.68]:36856 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934834AbcIUQtk (ORCPT ); Wed, 21 Sep 2016 12:49:40 -0400 Received: by mail-wm0-f68.google.com with SMTP id b184so9636297wma.3; Wed, 21 Sep 2016 09:49:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=4Mkc7z1Ex/Bae61DeC1UQKAf9H+KomD/LeK3kf7wtDk=; b=Gt1q103j1K7v8bQAhO/eMEJKUm9h+6b+RQ8luPyKeegBFlymeUi87Hi9IGGwLzi/LJ eN6KgJkNyyOXomnJYZnWs6gcSh4mbggefGz6D86TdXLct5vVvy7cS9nZx0JaGRjcMOIA IWIYIzIKkG3cnBGA3qQ4BsYob1DNyaOu2q/SBkGNjOohkzDvxWXj/Gokd0jbsW4Q48FI 254O9nwt4DH3KV3+Bv9STMAdhxDKS0HqQ8bmih/kVykIghGSpF91K3T8fXLUvz434Ykt dBLO0uvEAUNjASQ7acBTDHBoon5HO4Gv+l//2vpLS4+92lgniW+OEAQsGIf4lCFXG6eg 10HA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=4Mkc7z1Ex/Bae61DeC1UQKAf9H+KomD/LeK3kf7wtDk=; b=SQxOgQPAX8LIqlv8/05UbkD0lCQbEEr63CWF5amXMVXMvHaBrKqdb2PuNm31JQAueS ne3c09EfskOA+rBoEUfHIBNEvCmMCcDWXMupanr6ztxq87A1m3vz4PEOBt+vFgwi+iZA AqZtzvj3AzKSfRqIyz487LzDu6d/7OEzkSU0aeK+ju5XAvvQz7j8Qd5mQPOu1y9CiW+/ jTCj+BmX7VoJAG9dKX8Dh7WTggexMUY/QQruUlZ9j9D0gkoDB8uSEohMcW1s47JMkFPP NZJTag9WIGUpfSKxxS9dm519I7JBdjTAnYrg72vrU8zMecProMJkKOkt0oQ18JaAI+OL CESQ== X-Gm-Message-State: AE9vXwOM1PEwRMjL6CdqzxsX14lRRn9fO/9/xcLklKajo9lZojIm4mTvFQVxKpbgxWCjUQ== X-Received: by 10.28.52.210 with SMTP id b201mr3965452wma.32.1474476578479; Wed, 21 Sep 2016 09:49:38 -0700 (PDT) Received: from debian64.daheim (pD9F88706.dip0.t-ipconnect.de. [217.248.135.6]) by smtp.gmail.com with ESMTPSA id c5sm34411618wjw.29.2016.09.21.09.49.37 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 21 Sep 2016 09:49:37 -0700 (PDT) From: Christian Lamparter X-Google-Original-From: Christian Lamparter Received: from chuck by debian64.daheim with local (Exim 4.87) (envelope-from ) id 1bmkiG-0003qJ-NU; Wed, 21 Sep 2016 18:49:36 +0200 To: gregkh@linuxfoundation.org, Kalle Valo Cc: Christian Lamparter , linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, Nicolai Stange , Ben Greear Subject: [PATCH v2] carl9170: fix debugfs crashes Date: Wed, 21 Sep 2016 18:49:36 +0200 Message-Id: <238afe4926e979a46013129f8b8db48154e46963.1474476231.git.chunkeey@gmail.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <1927662.l0xhZ6GL0u@debian64> References: <1927662.l0xhZ6GL0u@debian64> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Ben Greear reported: > I see lots of instability as soon as I load up the carl9710 NIC. > My application is going to be poking at it's debugfs files... > > BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0 > [carl9170] at addr 0xffff8801bc1208b0 > Read of size 8 by task btserver/5888 > ======================================================================= > BUG kmalloc-256 (Tainted: G W ): kasan: bad access detected > ----------------------------------------------------------------------- > > INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772 >... This breakage was caused by the introduction of intermediate fops in debugfs by commit 9fd4dcece43a ("debugfs: prevent access to possibly dead file_operations at file open") Thankfully, the original/real fops are still available in d_fsdata. Reported-by: Ben Greear Signed-off-by: Christian Lamparter Cc: stable # 4.7+ --- drivers/net/wireless/ath/carl9170/debug.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c index 6808db4..ec3a64e 100644 --- a/drivers/net/wireless/ath/carl9170/debug.c +++ b/drivers/net/wireless/ath/carl9170/debug.c @@ -75,7 +75,8 @@ static ssize_t carl9170_debugfs_read(struct file *file, char __user *userbuf, if (!ar) return -ENODEV; - dfops = container_of(file->f_op, struct carl9170_debugfs_fops, fops); + dfops = container_of(debugfs_real_fops(file), + struct carl9170_debugfs_fops, fops); if (!dfops->read) return -ENOSYS; @@ -127,7 +128,8 @@ static ssize_t carl9170_debugfs_write(struct file *file, if (!ar) return -ENODEV; - dfops = container_of(file->f_op, struct carl9170_debugfs_fops, fops); + dfops = container_of(debugfs_real_fops(file), + struct carl9170_debugfs_fops, fops); if (!dfops->write) return -ENOSYS;