From: Paolo Abeni <pabeni@redhat.com>
To: "Daniel Golle" <daniel@makrotopia.org>,
"Chester A. Unal" <chester.a.unal@arinc9.com>,
"Andrew Lunn" <andrew@lunn.ch>,
"Vladimir Oltean" <olteanv@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Matthias Brugger" <matthias.bgg@gmail.com>,
"AngeloGioacchino Del Regno"
<angelogioacchino.delregno@collabora.com>,
"DENG Qingfang" <dqfext@gmail.com>,
"Florian Fainelli" <f.fainelli@gmail.com>,
"Arınç ÜNAL" <arinc.unal@arinc9.com>,
"Sean Wang" <sean.wang@mediatek.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org
Subject: Re: [PATCH net 1/5] net: dsa: mt7530: fix FDB entries not aging out with short timeout
Date: Thu, 7 May 2026 16:08:35 +0200
Message-ID: <dc0f052e-797e-4849-87c4-a98b8ede19d3@redhat.com>
In-Reply-To: <f285707e09a0febffd1b987f204ff4eb71736489.1777986341.git.daniel@makrotopia.org>
On 5/5/26 4:16 PM, Daniel Golle wrote:
> When setting a low ageing time such as 10 seconds, the algorithm in
> mt7530_set_ageing_time() finds AGE_CNT=0 and AGE_UNIT=9 as the first
> exact match (starting the search from tmp_age_count=0).
>
> On the MT7530/MT7531 hardware, the per-entry aging counter is
> initialized to AGE_CNT when a MAC address is learned. With AGE_CNT=0,
> new entries start with a counter value of 0, which the hardware treats
> as "already aged" and never removes, effectively disabling aging.
>
> Fix this by starting the search from tmp_age_count=1 to ensure entries
> always have a non-zero initial aging counter. For a 10-second ageing
> time this yields AGE_CNT=1 and AGE_UNIT=4 instead: the timer ticks
> every 5 seconds and entries are removed after 2 ticks.
>
> Fixes: ea6d5c924e39 ("net: dsa: mt7530: support setting ageing time")
> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
> ---
> drivers/net/dsa/mt7530.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
> index 44d670904ad8..b1903da7d500 100644
> --- a/drivers/net/dsa/mt7530.c
> +++ b/drivers/net/dsa/mt7530.c
> @@ -1027,8 +1027,12 @@ mt7530_set_ageing_time(struct dsa_switch *ds, unsigned int msecs)
> if (secs < 1 || secs > (AGE_CNT_MAX + 1) * (AGE_UNIT_MAX + 1))
> return -ERANGE;
>
> - /* iterate through all possible age_count to find the closest pair */
> - for (tmp_age_count = 0; tmp_age_count <= AGE_CNT_MAX; ++tmp_age_count) {
> + /* Iterate through all possible age_count values to find the closest
> + * pair. Start from 1 because the per-entry aging counter is
> + * initialized to AGE_CNT and a value of 0 means the entry will
> + * never be aged out.
> + */
> + for (tmp_age_count = 1; tmp_age_count <= AGE_CNT_MAX; ++tmp_age_count) {
> unsigned int tmp_age_unit = secs / (tmp_age_count + 1) - 1;
>
> if (tmp_age_unit <= AGE_UNIT_MAX) {
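Review bot: With the loop now starting at tmp_age_count = 1, the unchanged context line `unsigned int tmp_age_unit = secs / (tmp_age_count + 1) - 1;` wraps for secs == 1, a value the range check at the top of the hunk still accepts because `secs < 1` is its only lower bound. The divisor is at least 2 on every iteration, so the quotient is 0 and the unsigned subtraction wraps, which means `tmp_age_unit <= AGE_UNIT_MAX` is never satisfied for that input. With the old start of 0 the first iteration computed 1 / 1 - 1 = 0, so this input worked before the change and is newly broken by it. Going by the (AGE_CNT + 1) * (AGE_UNIT + 1) form used in the range check, the smallest time representable with AGE_CNT >= 1 is 2 seconds. Either raise the lower bound of the -ERANGE check to 2 or handle secs == 1 explicitly before the loop, and guard the subtraction so it cannot wrap. The new comment could also state the resulting minimum ageing time.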
Sashiko noted that the above will have a problem with secs == 1:
What happens here if secs is 1?
Since the bounds check at the start of the function allows secs == 1,
tmp_age_unit would be calculated as 1 / (1 + 1) - 1, which evaluates to
0 - 1, resulting in an unsigned underflow to UINT_MAX.
> if (tmp_age_unit <= AGE_UNIT_MAX) {
Because UINT_MAX is greater than AGE_UNIT_MAX, this condition will fail for
all iterations of the loop.
[ ... ]
> mt7530_write(priv, MT7530_AAC, AGE_CNT(age_count) | AGE_UNIT(age_unit));
If the loop exits without ever finding a match and entering the if block,
age_count and age_unit will remain uninitialized. Could this result in
uninitialized stack variables being written to the MT7530_AAC hardware
register?
/P
Thread overview:
2026-05-05 14:15 [PATCH net 0/5] net: dsa: mt7530: assorted fixes Daniel Golle
2026-05-05 14:16 ` [PATCH net 1/5] net: dsa: mt7530: fix FDB entries not aging out with short timeout Daniel Golle
2026-05-07 14:08 ` Paolo Abeni [this message]
2026-05-05 14:16 ` [PATCH net 2/5] net: dsa: mt7530: preserve VLAN tags on trapped link-local frames Daniel Golle
2026-05-05 15:37 ` Chester A. Unal
2026-05-05 16:03 ` Daniel Golle
2026-05-05 16:12 ` Chester A. Unal
2026-05-05 14:16 ` [PATCH net 3/5] net: dsa: mt7530: fix CPU port VLAN not being reset to unaware Daniel Golle
2026-05-05 14:16 ` [PATCH net 4/5] net: dsa: mt7530: clear flood flags on bridge leave Daniel Golle
2026-05-05 14:16 ` [PATCH net 5/5] net: dsa: mt7530: untag VLAN-aware bridge PVID Daniel Golle