* [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write
@ 2026-02-24 11:05 Junrui Luo
2026-02-25 15:36 ` Ioana Ciornei
2026-02-26 11:50 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Junrui Luo @ 2026-02-24 11:05 UTC (permalink / raw)
To: Ioana Ciornei, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Vladimir Oltean
Cc: netdev, linux-kernel, Junrui Luo
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.
build_if_id_bitmap() silently drops any ID >= 64:
if (id[i] < DPSW_MAX_IF)
bmap[id[i] / 64] |= ...
Fixes: 539dda3c5d19 ("staging: dpaa2-switch: properly setup switching domains")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
Changes in v2:
- Drop self-referential Reported-by tags
- Update Fixes tag to reference 539dda3c5d19
- Expand the commit description
- Link to v1: https://lore.kernel.org/all/SYBPR01MB788110DFE66BA1A5CE7E594FAF6DA@SYBPR01MB7881.ausprd01.prod.outlook.com/
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
index 66240c340492..78e21b46a5ba 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -3034,6 +3034,13 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev)
goto err_close;
}
+ if (ethsw->sw_attr.num_ifs >= DPSW_MAX_IF) {
+ dev_err(dev, "DPSW num_ifs %u exceeds max %u\n",
+ ethsw->sw_attr.num_ifs, DPSW_MAX_IF);
+ err = -EINVAL;
+ goto err_close;
+ }
+
err = dpsw_get_api_version(ethsw->mc_io, 0,
ðsw->major,
ðsw->minor);
---
base-commit: 9702969978695d9a699a1f34771580cdbb153b33
change-id: 20260224-fixes-a33979dd5060
Best regards,
--
Junrui Luo <moonafterrain@outlook.com>
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write
2026-02-24 11:05 [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write Junrui Luo
@ 2026-02-25 15:36 ` Ioana Ciornei
2026-02-26 11:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Ioana Ciornei @ 2026-02-25 15:36 UTC (permalink / raw)
To: Junrui Luo
Cc: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Vladimir Oltean, netdev, linux-kernel
On Tue, Feb 24, 2026 at 07:05:56PM +0800, Junrui Luo wrote:
> The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
> but never validates it against DPSW_MAX_IF (64). This value controls
> iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
> into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
> num_ifs >= 64, the loop can write past the array bounds.
>
> Add a bound check for num_ifs in dpaa2_switch_init().
>
> dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
> num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
> ports match the flood filter, the loop fills all 64 slots and the control
> interface write overflows by one entry.
>
> The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
> broken.
>
> build_if_id_bitmap() silently drops any ID >= 64:
> if (id[i] < DPSW_MAX_IF)
> bmap[id[i] / 64] |= ...
>
> Fixes: 539dda3c5d19 ("staging: dpaa2-switch: properly setup switching domains")
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Thanks!
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write
2026-02-24 11:05 [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write Junrui Luo
2026-02-25 15:36 ` Ioana Ciornei
@ 2026-02-26 11:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-02-26 11:50 UTC (permalink / raw)
To: Junrui Luo
Cc: ioana.ciornei, andrew+netdev, davem, edumazet, kuba, pabeni,
vladimir.oltean, netdev, linux-kernel
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:
On Tue, 24 Feb 2026 19:05:56 +0800 you wrote:
> The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
> but never validates it against DPSW_MAX_IF (64). This value controls
> iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
> into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
> num_ifs >= 64, the loop can write past the array bounds.
>
> Add a bound check for num_ifs in dpaa2_switch_init().
>
> [...]
Here is the summary with links:
- [net,v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write
https://git.kernel.org/netdev/net/c/8a5752c6dcc0
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-02-26 11:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-24 11:05 [PATCH net v2] dpaa2-switch: validate num_ifs to prevent out-of-bounds write Junrui Luo
2026-02-25 15:36 ` Ioana Ciornei
2026-02-26 11:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox