* [PATCH net] net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports()
@ 2021-09-16 21:33 Florian Fainelli
2021-09-17 13:30 ` patchwork-bot+netdevbpf
2021-09-17 18:09 ` Rafał Miłecki
0 siblings, 2 replies; 3+ messages in thread
From: Florian Fainelli @ 2021-09-16 21:33 UTC (permalink / raw)
To: netdev
Cc: Florian Fainelli, Andrew Lunn, Vivien Didelot, Vladimir Oltean,
David S. Miller, Jakub Kicinski, Rafał Miłecki,
open list
After d12e1c464988 ("net: dsa: b53: Set correct number of ports in the
DSA struct") we stopped setting dsa_switch::num_ports to DSA_MAX_PORTS,
which created an off by one error between the statically allocated
bcm_sf2_priv::port_sts array (of size DSA_MAX_PORTS). When
dsa_is_cpu_port() is used, we end-up accessing an out of bounds member
and causing a NPD.
Fix this by iterating with the appropriate port count using
ds->num_ports.
Fixes: d12e1c464988 ("net: dsa: b53: Set correct number of ports in the DSA struct")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
---
drivers/net/dsa/bcm_sf2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index 6ce9ec1283e0..b6c4b3adb171 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -68,7 +68,7 @@ static unsigned int bcm_sf2_num_active_ports(struct dsa_switch *ds)
struct bcm_sf2_priv *priv = bcm_sf2_to_priv(ds);
unsigned int port, count = 0;
- for (port = 0; port < ARRAY_SIZE(priv->port_sts); port++) {
+ for (port = 0; port < ds->num_ports; port++) {
if (dsa_is_cpu_port(ds, port))
continue;
if (priv->port_sts[port].enabled)
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports()
2021-09-16 21:33 [PATCH net] net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports() Florian Fainelli
@ 2021-09-17 13:30 ` patchwork-bot+netdevbpf
2021-09-17 18:09 ` Rafał Miłecki
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-09-17 13:30 UTC (permalink / raw)
To: Florian Fainelli
Cc: netdev, andrew, vivien.didelot, olteanv, davem, kuba, rafal,
linux-kernel
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Thu, 16 Sep 2021 14:33:35 -0700 you wrote:
> After d12e1c464988 ("net: dsa: b53: Set correct number of ports in the
> DSA struct") we stopped setting dsa_switch::num_ports to DSA_MAX_PORTS,
> which created an off by one error between the statically allocated
> bcm_sf2_priv::port_sts array (of size DSA_MAX_PORTS). When
> dsa_is_cpu_port() is used, we end-up accessing an out of bounds member
> and causing a NPD.
>
> [...]
Here is the summary with links:
- [net] net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports()
https://git.kernel.org/netdev/net/c/02319bf15acf
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports()
2021-09-16 21:33 [PATCH net] net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports() Florian Fainelli
2021-09-17 13:30 ` patchwork-bot+netdevbpf
@ 2021-09-17 18:09 ` Rafał Miłecki
1 sibling, 0 replies; 3+ messages in thread
From: Rafał Miłecki @ 2021-09-17 18:09 UTC (permalink / raw)
To: Florian Fainelli
Cc: netdev, Andrew Lunn, Vivien Didelot, Vladimir Oltean,
David S. Miller, Jakub Kicinski, linux-kernel
On 2021-09-16 23:33, Florian Fainelli wrote:
> After d12e1c464988 ("net: dsa: b53: Set correct number of ports in the
> DSA struct") we stopped setting dsa_switch::num_ports to DSA_MAX_PORTS,
> which created an off by one error between the statically allocated
> bcm_sf2_priv::port_sts array (of size DSA_MAX_PORTS). When
> dsa_is_cpu_port() is used, we end-up accessing an out of bounds member
> and causing a NPD.
>
> Fix this by iterating with the appropriate port count using
> ds->num_ports.
>
> Fixes: d12e1c464988 ("net: dsa: b53: Set correct number of ports in
> the DSA struct")
> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Tested-by: Rafał Miłecki <rafal@milecki.pl>
This fixes:
[ 0.515409] Unable to handle kernel read from unreadable memory at
virtual address 0000000000000028
[ 0.524659] Mem abort info:
[ 0.527522] ESR = 0x96000005
[ 0.530656] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.536119] SET = 0, FnV = 0
[ 0.539262] EA = 0, S1PTW = 0
[ 0.542481] Data abort info:
[ 0.545438] ISV = 0, ISS = 0x00000005
[ 0.549383] CM = 0, WnR = 0
[ 0.552427] [0000000000000028] user address but active_mm is swapper
[ 0.558973] Internal error: Oops: 96000005 [#1] SMP
[ 0.563986] Modules linked in:
[ 0.567125] CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 5.10.64 #0
[ 0.573573] Hardware name: Netgear R8000P (DT)
[ 0.578155] Workqueue: events deferred_probe_work_func
[ 0.583431] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[ 0.589617] pc : bcm_sf2_recalc_clock+0x58/0xe4
[ 0.594271] lr : bcm_sf2_port_setup+0xc0/0x2ac
[ 0.598840] sp : ffffffc0109bb980
[ 0.602244] x29: ffffffc0109bb980 x28: ffffff801fef6f60
[ 0.607710] x27: ffffff8001242b30 x26: 0000000000039040
[ 0.613175] x25: 0000000000002380 x24: 0000000000000003
[ 0.618641] x23: ffffff800125f880 x22: 0000000000000003
[ 0.624107] x21: 0000000000000000 x20: 0000000000000000
[ 0.629572] x19: ffffff8001398280 x18: 0000002437b29c0a
[ 0.635039] x17: 00008cad14430a3a x16: 0000000000000008
[ 0.640503] x15: 0000000000000000 x14: 6863746977732d74
[ 0.645969] x13: 656e72656874652e x12: 3030303038303038
[ 0.651435] x11: 0002001d00000000 x10: 6d726f6674616c70
[ 0.656900] x9 : ffffff800125f880 x8 : ffffff8001398800
[ 0.662366] x7 : ffffff80013989b8 x6 : 0000000000000001
[ 0.667832] x5 : ffffff800125f97c x4 : ffffff8001242b30
[ 0.673297] x3 : 0000000000000009 x2 : ffffff8001242b30
[ 0.678763] x1 : 0000000000000000 x0 : ffffff8001398280
[ 0.684230] Call trace:
[ 0.686740] bcm_sf2_recalc_clock+0x58/0xe4
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-09-17 18:49 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-16 21:33 [PATCH net] net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports() Florian Fainelli
2021-09-17 13:30 ` patchwork-bot+netdevbpf
2021-09-17 18:09 ` Rafał Miłecki
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.