[PATCH v2 net 1/1] net: dsa: mv88e6xxx: Fix out-of-bound access

From: Joseph Huang
Date: Mon Aug 19 2024 - 19:53:46 EST

Next message: Matthew Brost: "Re: [PATCH] workqueue: fix null-ptr-deref on __alloc_workqueue() error"
Previous message: Chen Wang: "Re: [PATCH] riscv: defconfig: sophgo: enable clks for sg2042"
Next in thread: Andrew Lunn: "Re: [PATCH v2 net 1/1] net: dsa: mv88e6xxx: Fix out-of-bound access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If an ATU violation was caused by a CPU Load operation, the SPID could
be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).

Fixes: 75c05a74e745 ("net: dsa: mv88e6xxx: Fix counting of ATU violations")
Signed-off-by: Joseph Huang <Joseph.Huang@xxxxxxxxxx>
---
v1: https://lore.kernel.org/lkml/20240819222641.1292308-1-Joseph.Huang@xxxxxxxxxx/
v2: Use ARRAY_SIZE instead of hard-coded SPID value.
---
drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
index ce3b3690c3c0..c47f068f56b3 100644
--- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
+++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
@@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
entry.portvec, entry.mac,
fid);
- chip->ports[spid].atu_full_violation++;
+ if (spid < ARRAY_SIZE(chip->ports))
+ chip->ports[spid].atu_full_violation++;
}

return IRQ_HANDLED;
--
2.17.1

Next message: Matthew Brost: "Re: [PATCH] workqueue: fix null-ptr-deref on __alloc_workqueue() error"
Previous message: Chen Wang: "Re: [PATCH] riscv: defconfig: sophgo: enable clks for sg2042"
Next in thread: Andrew Lunn: "Re: [PATCH v2 net 1/1] net: dsa: mv88e6xxx: Fix out-of-bound access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]