From patchwork Sat Sep 17 19:43:02 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christian Lamparter <chunkeey@googlemail.com>
X-Patchwork-Id: 9337347
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	79BBA60839 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sat, 17 Sep 2016 19:43:31 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6CBF3291CE
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sat, 17 Sep 2016 19:43:31 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 607B6291F4; Sat, 17 Sep 2016 19:43:31 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D4EC5291CE
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sat, 17 Sep 2016 19:43:30 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753243AbcIQTnO (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Sat, 17 Sep 2016 15:43:14 -0400
Received: from mail-wm0-f67.google.com ([74.125.82.67]:36115 "EHLO
	mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751970AbcIQTnK (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Sat, 17 Sep 2016 15:43:10 -0400
Received: by mail-wm0-f67.google.com with SMTP id b184so8677195wma.3;
	Sat, 17 Sep 2016 12:43:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlemail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:in-reply-to:references;
	bh=ClORJrI/JfVxFHK/lkXJQaGEkqZOvWArpEBDPItI0v4=;
	b=qUg/fo23UfOFDsw17a13vc3b1PqvNoJm58fazLlTJvs5SaMG5d2TrOsTRZPJ4pW7ma
	pxZt3Z4jhDwnakW2rasdPe/AlAAs9WvleUCc3jlOU4aX5kTEYb1S4KzqL5iMzCOwf78x
	GrQ5PcHHDoWQEd4qw9kUmz7bIRCE8O2/qWSKYXtpEeL5IvK6E395Zx2aFKYrU2/voXeY
	Sf43pHtSfpoP7po7TP5VynNMbSngFu1MbfSf9dVGkIn0oeDw3dMp+gcAGWmfgO9e4ZH1
	ka30oOar1l5aod9dMrXZ/PBRx2eFjleCUp30in79F3sQxBUSFlFsJaITCF6OSQ1jRAA5
	zzrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:in-reply-to:references;
	bh=ClORJrI/JfVxFHK/lkXJQaGEkqZOvWArpEBDPItI0v4=;
	b=PQXTScUPtb7x5v6Zdtnjky2IujVyzCT+phgMkW7OtrYcbhiJ5dZBYzXeeQkAlZDGGO
	qnAGV8KXHTrRZIf3xJtVTLHhXCQdoFTWN9CKyYTUdYvBg++eh6AMGFadEM7q5t3azTeG
	VhBBXGdNKzb6npBOpHVX2Nn5kSSUaeZinOuYNQl93ebtDQFpkw6BWQuAXcE9qqRKAwsO
	uLjkaCopCmyONJHB7I3IE2PtHE/UrsJjrndnz8LL2nRMAZy4lQV67TeVwYVx/lcv6rON
	mtblljwvmcsY/JaKpfu4NlC4dn1CTkrhUi9hvqfeLRIHHjJe2cEzkuQa32tVIW5zwMWa
	M31w==
X-Gm-Message-State: 
 AE9vXwOA1XGvTpIkeIFJoRhHeHuwXJ/LRMrtg21vCM8EhNJOL9wpt7WMN4bJsqm9emjeOQ==
X-Received: by 10.194.80.104 with SMTP id q8mr17408236wjx.83.1474141388289;
	Sat, 17 Sep 2016 12:43:08 -0700 (PDT)
Received: from debian64.daheim (pD9F8BE97.dip0.t-ipconnect.de.
	[217.248.190.151]) by smtp.gmail.com with ESMTPSA id
	r2sm6865000wmf.14.2016.09.17.12.43.07
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Sat, 17 Sep 2016 12:43:07 -0700 (PDT)
From: Christian Lamparter <chunkeey@googlemail.com>
X-Google-Original-From: Christian Lamparter <chunkeey@gmail.com>
Received: from chuck by debian64.daheim with local (Exim 4.87)
	(envelope-from <chunkeey@gmail.com>)
	id 1blLVy-0006sn-Nx; Sat, 17 Sep 2016 21:43:06 +0200
To: gregkh@linuxfoundation.org, Kalle Valo <kvalo@codeaurora.org>
Cc: Christian Lamparter <chunkeey@gmail.com>,
	linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
	b43-dev@lists.infradead.org, Nicolai Stange <nicstange@gmail.com>,
	Ben Greear <greearb@candelatech.com>,
	Larry Finger <Larry.Finger@lwfinger.net>
Subject: [PATCH 2/4] carl9170: fix debugfs crashes
Date: Sat, 17 Sep 2016 21:43:02 +0200
Message-Id: 
 <ccf228acb7af8ee3bbd82f72f28ebc068f37cb8e.1474140477.git.chunkeey@gmail.com>
X-Mailer: git-send-email 2.9.3
In-Reply-To: 
 <48411543620969bebb37a1a9ea7b8f451cdfdd31.1474140477.git.chunkeey@gmail.com>
References: 
 <48411543620969bebb37a1a9ea7b8f451cdfdd31.1474140477.git.chunkeey@gmail.com>
In-Reply-To: 
 <48411543620969bebb37a1a9ea7b8f451cdfdd31.1474140477.git.chunkeey@gmail.com>
References: 
 <48411543620969bebb37a1a9ea7b8f451cdfdd31.1474140477.git.chunkeey@gmail.com>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Ben Greear reported:
> I see lots of instability as soon as I load up the carl9710 NIC.
> My application is going to be poking at it's debugfs files...
>
> BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0
> [carl9170] at addr ffff8801bc1208b0
> Read of size 8 by task btserver/5888
> =======================================================================
> BUG kmalloc-256 (Tainted: G        W      ): kasan: bad access detected
> -----------------------------------------------------------------------
>
> INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772
>...

This breakage was caused by the introduction of intermediate
fops in debugfs by commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Thankfully, the original/real fops are still available in d_fsdata.

Reported-by: Ben Greear <greearb@candelatech.com>
Reviewed-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Acked-by: Kalle Valo <kvalo@codeaurora.org>
---
 drivers/net/wireless/ath/carl9170/debug.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c
index 01a0919..ad7ffd5 100644
--- a/drivers/net/wireless/ath/carl9170/debug.c
+++ b/drivers/net/wireless/ath/carl9170/debug.c
@@ -75,7 +75,7 @@ static ssize_t carl9170_debugfs_read(struct file *file, char __user *userbuf,
 
 	if (!ar)
 		return -ENODEV;
-	dfops = container_of(file->f_path.dentry->d_fsdata,
+	dfops = container_of(debugfs_real_fops(file),
 			     struct carl9170_debugfs_fops, fops);
 
 	if (!dfops->read)
@@ -128,7 +128,7 @@ static ssize_t carl9170_debugfs_write(struct file *file,
 
 	if (!ar)
 		return -ENODEV;
-	dfops = container_of(file->f_path.dentry->d_fsdata,
+	dfops = container_of(debugfs_real_fops(file),
 			     struct carl9170_debugfs_fops, fops);
 	if (!dfops->write)
 		return -ENOSYS;