From: Simon Horman <horms@kernel.org>
To: Andrew Lunn <andrew@lunn.ch>
Cc: Joseph Huang <Joseph.Huang@garmin.com>,
netdev@vger.kernel.org, Florian Fainelli <f.fainelli@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net 1/1] net: dsa: mv88e6xxx: Fix out-of-bound access
Date: Tue, 20 Aug 2024 19:32:02 +0100
Message-ID: <20240820183202.GA2898@kernel.org>
In-Reply-To: <72e02a72-ab98-4a64-99ac-769d28cfd758@lunn.ch>

On Tue, Aug 20, 2024 at 12:58:05AM +0200, Andrew Lunn wrote:
> On Mon, Aug 19, 2024 at 06:26:40PM -0400, Joseph Huang wrote:
> > If an ATU violation was caused by a CPU Load operation, the SPID is 0xf,
> > which is larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[]
> > array).
>
> The 6390X datasheet says "IF SPID = 0x1f the source of the violation
> was the CPU's registers interface."
>
> > +#define MV88E6XXX_G1_ATU_DATA_SPID_CPU 0x000f
>
> So it seems to depend on the family.
>
> >
> > /* Offset 0x0D: ATU MAC Address Register Bytes 0 & 1
> > * Offset 0x0E: ATU MAC Address Register Bytes 2 & 3
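Review bot: The added MV88E6XXX_G1_ATU_DATA_SPID_CPU define fixes the CPU source ID at 0x000f under a family-neutral name and has no comment saying which devices report that value, while the 6390X datasheet text quoted in this thread gives 0x1f. Either document next to the define which devices the value applies to, or drop the per-family constant and check the SPID against the size of the ports array where it is used.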
> > diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > index ce3b3690c3c0..b6f15ae22c20 100644
> > --- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > +++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > @@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
> > trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
> > entry.portvec, entry.mac,
> > fid);
> > - chip->ports[spid].atu_full_violation++;
> > + if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)
> > + chip->ports[spid].atu_full_violation++;
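Review bot: The new test in front of chip->ports[spid].atu_full_violation++ rejects only the single value MV88E6XXX_G1_ATU_DATA_SPID_CPU, so any other SPID at or beyond the end of chip->ports[] still indexes outside the array. Bounding the index itself, `if (spid < ARRAY_SIZE(chip->ports))`, covers every out-of-range value without needing a per-family constant. Other chip->ports[spid] accesses in this function, outside this hunk, would need the same guard.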
>
> So I think it would be better to do something like:
>
>     if (spid < ARRAY_SIZE(chip->ports))
>             chip->ports[spid].atu_full_violation++;

Hi Joseph,

I am curious to know if bounds checking should also
be added to other accesses to chip->ports[spid] within this function.