[PATCH] net: dsa: sja1105: fix new_retagging table size

[PATCH] net: dsa: sja1105: fix new_retagging table size

[Radu Nicolae Pirea (OSS)]

Allocate more memory for the new_retagging table according to its size.

Kernel log:
[  208.509460] sja1105 spi5.0: Probed switch chip: SJA1105Q
[  208.647821] ==================================================================
[  208.647854] BUG: KASAN: slab-out-of-bounds in sja1105_build_vlan_table+0x1b8/0x1b14
[  208.647928] Write of size 8 at addr ffffff88081cf630 by task kworker/2:5/247
[  208.647955]
[  208.647972] CPU: 2 PID: 247 Comm: kworker/2:5 Tainted: G           O      5.10.145-rt74 #18
[  208.648003] Hardware name: NXP S32G2XXX-EVB (DT)
[  208.648024] Workqueue: events deferred_probe_work_func
[  208.648080] Call trace:
[  208.648089]  dump_backtrace+0x0/0x2b4
[  208.648137]  show_stack+0x18/0x24
[  208.648178]  dump_stack+0xfc/0x168
[  208.648224]  print_address_description.constprop.0+0x70/0x468
[  208.648276]  kasan_report+0x118/0x200
[  208.648321]  __asan_store8+0x98/0xd0
[  208.648363]  sja1105_build_vlan_table+0x1b8/0x1b14
[  208.648405]  sja1105_dsa_8021q_vlan_add+0x60/0x80
[  208.648446]  dsa_8021q_vid_apply.isra.0+0x11c/0x140
[  208.648501]  dsa_8021q_setup+0x224/0x610
[  208.648545]  sja1105_setup+0x398/0x13b4
[  208.648581]  dsa_register_switch+0xad8/0x1430
[  208.648620]  sja1105_probe+0x50c/0x744
[  208.648654]  spi_drv_probe+0xb0/0x110
[  208.648696]  really_probe+0x150/0x6d4
[  208.648734]  driver_probe_device+0x78/0xec
[  208.648773]  __device_attach_driver+0xe8/0x17c
[  208.648813]  bus_for_each_drv+0xf4/0x15c
[  208.648847]  __device_attach+0x120/0x26c
[  208.648883]  device_initial_probe+0x14/0x20
[  208.648921]  bus_probe_device+0xec/0x100
[  208.648956]  deferred_probe_work_func+0xe8/0x130
[  208.648995]  process_one_work+0x3b8/0x650
[  208.649031]  worker_thread+0xa0/0x72c
[  208.649062]  kthread+0x23c/0x244
[  208.649101]  ret_from_fork+0x10/0x38
[  208.649134]
[  208.649141] Allocated by task 247:
[  208.649155]  kasan_save_stack+0x28/0x60
[  208.649195]  __kasan_kmalloc.constprop.0+0xc8/0xf0
[  208.649237]  kasan_kmalloc+0x10/0x20
[  208.649275]  __kmalloc+0xd0/0x180
[  208.649307]  sja1105_build_vlan_table+0x160/0x1b14
[  208.649347]  sja1105_dsa_8021q_vlan_add+0x60/0x80
[  208.649386]  dsa_8021q_vid_apply.isra.0+0x11c/0x140
[  208.649435]  dsa_8021q_setup+0x224/0x610
[  208.649479]  sja1105_setup+0x398/0x13b4
[  208.649513]  dsa_register_switch+0xad8/0x1430
[  208.649550]  sja1105_probe+0x50c/0x744
[  208.649583]  spi_drv_probe+0xb0/0x110
[  208.649619]  really_probe+0x150/0x6d4
[  208.649654]  driver_probe_device+0x78/0xec
[  208.649691]  __device_attach_driver+0xe8/0x17c
[  208.649729]  bus_for_each_drv+0xf4/0x15c
[  208.649762]  __device_attach+0x120/0x26c
[  208.649797]  device_initial_probe+0x14/0x20
[  208.649834]  bus_probe_device+0xec/0x100
[  208.649868]  deferred_probe_work_func+0xe8/0x130
[  208.649906]  process_one_work+0x3b8/0x650
[  208.649938]  worker_thread+0xa0/0x72c
[  208.649967]  kthread+0x23c/0x244
[  208.650003]  ret_from_fork+0x10/0x38
[  208.650034]
[  208.650041] The buggy address belongs to the object at ffffff88081cf000
[  208.650041]  which belongs to the cache kmalloc-2k of size 2048
[  208.650068] The buggy address is located 1584 bytes inside of
[  208.650068]  2048-byte region [ffffff88081cf000, ffffff88081cf800)
[  208.650099] The buggy address belongs to the page:
[  208.650114] page:000000002c3ceac6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8881cf
[  208.650145] flags: 0x8000000000000200(slab)
[  208.650192] raw: 8000000000000200 ffffffff1bfc6518 ffffffff1bfd36a8 ffffff8800000400
[  208.650221] raw: 0000000000000000 ffffff88081cf000 0000000100000001
[  208.650237] page dumped because: kasan: bad access detected
[  208.650250]
[  208.650257] Memory state around the buggy address:
[  208.650275]  ffffff88081cf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  208.650299]  ffffff88081cf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  208.650325] >ffffff88081cf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  208.650341]                                      ^
[  208.650359]  ffffff88081cf680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  208.650383]  ffffff88081cf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  208.650400] ==================================================================

Signed-off-by: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
---
 drivers/net/dsa/sja1105/sja1105_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Should be applied on top of 5.10.157.
It is not relevant for newer LTS kernels.

Cheers.
Radu P.

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index c03d76c10868..868303d931fc 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -2592,7 +2592,7 @@ static int sja1105_build_vlan_table(struct sja1105_private *priv, bool notify)
 	if (!new_vlan)
 		return -ENOMEM;
 
-	table = &priv->static_config.tables[BLK_IDX_VLAN_LOOKUP];
+	table = &priv->static_config.tables[BLK_IDX_RETAGGING];
 	new_retagging = kcalloc(SJA1105_MAX_RETAGGING_COUNT,
 				table->ops->unpacked_entry_size, GFP_KERNEL);
 	if (!new_retagging) {
-- 
2.34.1

Re: [PATCH] net: dsa: sja1105: fix new_retagging table size

[Vladimir Oltean]

I guess I would have named the subject-prefix "PATCH stable 5.10",
so this jumps out better.

On Tue, Dec 06, 2022 at 03:51:04PM +0200, Radu Nicolae Pirea (OSS) wrote:
> Allocate more memory for the new_retagging table according to its size.
> 
> Signed-off-by: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
> ---
>  drivers/net/dsa/sja1105/sja1105_main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Should be applied on top of 5.10.157.
> It is not relevant for newer LTS kernels.

The fix is correct.

Reviewed-by: Vladimir Oltean <olteanv@gmail.com>

The code it fixes was deleted in commit 6dfd23d35e75 ("net: dsa:
sja1105: delete vlan delta save/restore logic"), which first appeared in v5.15,
and was introduced in commit ec5ae61076d0 ("net: dsa: sja1105:
save/restore VLANs using a delta commit method"), which first appeared in v5.9.

So the patch should be applied only to the currently maintained linux-stable
branches older than linux-5.15.y. That is indeed only linux-5.10.y.

Re: [PATCH] net: dsa: sja1105: fix new_retagging table size

[Greg KH]

On Tue, Dec 06, 2022 at 03:51:04PM +0200, Radu Nicolae Pirea (OSS) wrote:
> Allocate more memory for the new_retagging table according to its size.
> 
> Kernel log:
> [  208.509460] sja1105 spi5.0: Probed switch chip: SJA1105Q
> [  208.647821] ==================================================================
> [  208.647854] BUG: KASAN: slab-out-of-bounds in sja1105_build_vlan_table+0x1b8/0x1b14
> [  208.647928] Write of size 8 at addr ffffff88081cf630 by task kworker/2:5/247
> [  208.647955]
> [  208.647972] CPU: 2 PID: 247 Comm: kworker/2:5 Tainted: G           O      5.10.145-rt74 #18
> [  208.648003] Hardware name: NXP S32G2XXX-EVB (DT)
> [  208.648024] Workqueue: events deferred_probe_work_func
> [  208.648080] Call trace:
> [  208.648089]  dump_backtrace+0x0/0x2b4
> [  208.648137]  show_stack+0x18/0x24
> [  208.648178]  dump_stack+0xfc/0x168
> [  208.648224]  print_address_description.constprop.0+0x70/0x468
> [  208.648276]  kasan_report+0x118/0x200
> [  208.648321]  __asan_store8+0x98/0xd0
> [  208.648363]  sja1105_build_vlan_table+0x1b8/0x1b14
> [  208.648405]  sja1105_dsa_8021q_vlan_add+0x60/0x80
> [  208.648446]  dsa_8021q_vid_apply.isra.0+0x11c/0x140
> [  208.648501]  dsa_8021q_setup+0x224/0x610
> [  208.648545]  sja1105_setup+0x398/0x13b4
> [  208.648581]  dsa_register_switch+0xad8/0x1430
> [  208.648620]  sja1105_probe+0x50c/0x744
> [  208.648654]  spi_drv_probe+0xb0/0x110
> [  208.648696]  really_probe+0x150/0x6d4
> [  208.648734]  driver_probe_device+0x78/0xec
> [  208.648773]  __device_attach_driver+0xe8/0x17c
> [  208.648813]  bus_for_each_drv+0xf4/0x15c
> [  208.648847]  __device_attach+0x120/0x26c
> [  208.648883]  device_initial_probe+0x14/0x20
> [  208.648921]  bus_probe_device+0xec/0x100
> [  208.648956]  deferred_probe_work_func+0xe8/0x130
> [  208.648995]  process_one_work+0x3b8/0x650
> [  208.649031]  worker_thread+0xa0/0x72c
> [  208.649062]  kthread+0x23c/0x244
> [  208.649101]  ret_from_fork+0x10/0x38
> [  208.649134]
> [  208.649141] Allocated by task 247:
> [  208.649155]  kasan_save_stack+0x28/0x60
> [  208.649195]  __kasan_kmalloc.constprop.0+0xc8/0xf0
> [  208.649237]  kasan_kmalloc+0x10/0x20
> [  208.649275]  __kmalloc+0xd0/0x180
> [  208.649307]  sja1105_build_vlan_table+0x160/0x1b14
> [  208.649347]  sja1105_dsa_8021q_vlan_add+0x60/0x80
> [  208.649386]  dsa_8021q_vid_apply.isra.0+0x11c/0x140
> [  208.649435]  dsa_8021q_setup+0x224/0x610
> [  208.649479]  sja1105_setup+0x398/0x13b4
> [  208.649513]  dsa_register_switch+0xad8/0x1430
> [  208.649550]  sja1105_probe+0x50c/0x744
> [  208.649583]  spi_drv_probe+0xb0/0x110
> [  208.649619]  really_probe+0x150/0x6d4
> [  208.649654]  driver_probe_device+0x78/0xec
> [  208.649691]  __device_attach_driver+0xe8/0x17c
> [  208.649729]  bus_for_each_drv+0xf4/0x15c
> [  208.649762]  __device_attach+0x120/0x26c
> [  208.649797]  device_initial_probe+0x14/0x20
> [  208.649834]  bus_probe_device+0xec/0x100
> [  208.649868]  deferred_probe_work_func+0xe8/0x130
> [  208.649906]  process_one_work+0x3b8/0x650
> [  208.649938]  worker_thread+0xa0/0x72c
> [  208.649967]  kthread+0x23c/0x244
> [  208.650003]  ret_from_fork+0x10/0x38
> [  208.650034]
> [  208.650041] The buggy address belongs to the object at ffffff88081cf000
> [  208.650041]  which belongs to the cache kmalloc-2k of size 2048
> [  208.650068] The buggy address is located 1584 bytes inside of
> [  208.650068]  2048-byte region [ffffff88081cf000, ffffff88081cf800)
> [  208.650099] The buggy address belongs to the page:
> [  208.650114] page:000000002c3ceac6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8881cf
> [  208.650145] flags: 0x8000000000000200(slab)
> [  208.650192] raw: 8000000000000200 ffffffff1bfc6518 ffffffff1bfd36a8 ffffff8800000400
> [  208.650221] raw: 0000000000000000 ffffff88081cf000 0000000100000001
> [  208.650237] page dumped because: kasan: bad access detected
> [  208.650250]
> [  208.650257] Memory state around the buggy address:
> [  208.650275]  ffffff88081cf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  208.650299]  ffffff88081cf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  208.650325] >ffffff88081cf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  208.650341]                                      ^
> [  208.650359]  ffffff88081cf680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  208.650383]  ffffff88081cf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  208.650400] ==================================================================
> 
> Signed-off-by: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
> ---
>  drivers/net/dsa/sja1105/sja1105_main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Should be applied on top of 5.10.157.
> It is not relevant for newer LTS kernels.

Why not?

Please describe in HUGE detail why that is the case, what commit changed
the tree to prevent this, and why only this one tree needs this specific
change.  We almost never want to take patches that are not in Linus's
tree so the justification to do so is a much much higher level.

And properly get the needed network maintainers ack as well.

thanks,

greg k-h

Re: [PATCH] net: dsa: sja1105: fix new_retagging table size

[Vladimir Oltean]

On Tue, Dec 06, 2022 at 05:08:17PM +0100, Greg KH wrote:
> > Should be applied on top of 5.10.157.
> > It is not relevant for newer LTS kernels.
> 
> Why not?
> 
> Please describe in HUGE detail why that is the case, what commit changed
> the tree to prevent this, and why only this one tree needs this specific
> change.  We almost never want to take patches that are not in Linus's
> tree so the justification to do so is a much much higher level.
> 
> And properly get the needed network maintainers ack as well.

Here I suppose that you would like the commit description to state that
VLAN retagging was a mechanism used by the sja1105 driver between kernels
5.9 and 5.15 solely to multiplex VLAN information with source port information
to the CPU. It was limited in that it could only multiplex up to 32 VLANs,
and it was replaced with the bridge TX forwarding offload feature once
that became available. As a result, kernels 5.15 and newer have all
support for VLAN retagging removed.

However, there is a bug in the delta commit procedure sja1105_build_vlan_table()
used by the VLAN retagging code, where the driver allocates less memory
than it needs. It intends to allocate a maximum sized (SJA1105_MAX_RETAGGING_COUNT = 32)
array of retagging table elements, but instead it allocates that number
of elements of a different size (the table->ops->unpacked_entry_size of
BLK_IDX_RETAGGING is sizeof(struct sja1105_retagging_entry) aka 56,
whereas the table->ops->unpacked_entry_size of BLK_IDX_VLAN_LOOKUP is
sizeof(struct sja1105_vlan_lookup_entry), aka 48).

32 elements of 48 bytes will only fit 27 elements of 56 bytes. So when
the VLAN Retagging table contains 28 elements or more, the last few will
be stored in memory that is out of the array that was pre-allocated.

This change fixes the typo that led to that.

Something like that?