[PATCH net 1/1] net: dsa: mv88e6xxx: Fix out-of-bound access

From: Joseph Huang
Date: Mon Aug 19 2024 - 18:45:36 EST


If an ATU violation was caused by a CPU Load operation, the SPID is 0xf,
which is larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[]
array).

Fixes: 75c05a74e745 ("net: dsa: mv88e6xxx: Fix counting of ATU violations")
Signed-off-by: Joseph Huang <Joseph.Huang@xxxxxxxxxx>
---
drivers/net/dsa/mv88e6xxx/global1.h | 1 +
drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h
index 3dbb7a1b8fe1..9676e2d42c9e 100644
--- a/drivers/net/dsa/mv88e6xxx/global1.h
+++ b/drivers/net/dsa/mv88e6xxx/global1.h
@@ -162,6 +162,7 @@
#define MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_AVB_NRL_PO 0x000d
#define MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_DA_MGMT_PO 0x000e
#define MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_PO 0x000f
+#define MV88E6XXX_G1_ATU_DATA_SPID_CPU 0x000f

/* Offset 0x0D: ATU MAC Address Register Bytes 0 & 1
* Offset 0x0E: ATU MAC Address Register Bytes 2 & 3
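
Review bot: The new MV88E6XXX_G1_ATU_DATA_SPID_CPU define is added directly under the MV88E6XXX_G1_ATU_DATA_STATE_* list and shares the value 0x000f with MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_PO, so it reads as one more entry state rather than a source port ID. Separate it from the state values with a blank line and add a short comment saying it is the SPID reported when the violation was caused by a CPU Load operation, as the commit message explains.
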
diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
index ce3b3690c3c0..b6f15ae22c20 100644
--- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
+++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
@@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
entry.portvec, entry.mac,
fid);
- chip->ports[spid].atu_full_violation++;
+ if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)
+ chip->ports[spid].atu_full_violation++;
}

return IRQ_HANDLED;
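
Review bot: The guard on the atu_full_violation increment compares spid against one sentinel value, while the problem stated in the commit message is an index past the end of chip->ports[]. A bounds check such as "if (spid < ARRAY_SIZE(chip->ports))" would express the actual invariant and also cover any other out-of-range SPID, not only 0xf. Only the atu_full_violation branch is changed here; any other chip->ports[spid] counter increment in mv88e6xxx_g1_atu_prob_irq_thread_fn() would need the same guard.
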
--
2.17.1