[PATCH net] dpaa2-switch: validate num_ifs to prevent out-of-bounds write

Next message: Danilo Krummrich: "Re: [RFC PATCH 2/4] rust: sync: Add dma_fence abstractions"
Previous message: Ryan Roberts: "Re: [PATCH 6.6 0/3] arm64: Speed up boot with faster linear map creation"
Next in thread: Jakub Kicinski: "Re: [PATCH net] dpaa2-switch: validate num_ifs to prevent out-of-bounds write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Tue Feb 17 2026 - 09:44:21 EST

The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.

Add a bound check for num_ifs in dpaa2_switch_init().

Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Reported-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
Fixes: f054e3e217e4 ("dpaa2-switch: refactor the egress flooding domain setup")
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index 66240c340492..78e21b46a5ba 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -3034,6 +3034,13 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev)
goto err_close;
}

+ if (ethsw->sw_attr.num_ifs >= DPSW_MAX_IF) {
+ dev_err(dev, "DPSW num_ifs %u exceeds max %u\n",
+ ethsw->sw_attr.num_ifs, DPSW_MAX_IF);
+ err = -EINVAL;
+ goto err_close;
+ }
+
err = dpsw_get_api_version(ethsw->mc_io, 0,
&ethsw->major,
&ethsw->minor);

---
base-commit: 9702969978695d9a699a1f34771580cdbb153b33
change-id: 20260217-fixes-32df5449b0ab

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>