Commit 92ac2735 authored by Joseph Huang's avatar Joseph Huang Committed by Zhang Changzhong
Browse files

net: dsa: mv88e6xxx: Fix out-of-bound access 

stable inclusion
from stable-v6.6.48
commit f7d8c2fabd39250cf2333fbf8eef67e837f90a5d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZQ
CVE: CVE-2024-44988

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f7d8c2fabd39250cf2333fbf8eef67e837f90a5d



---------------------------

[ Upstream commit 528876d867a23b5198022baf2e388052ca67c952 ]

If an ATU violation was caused by a CPU Load operation, the SPID could
be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).

Fixes: 75c05a74 ("net: dsa: mv88e6xxx: Fix counting of ATU violations")
Signed-off-by: default avatarJoseph Huang <Joseph.Huang@garmin.com>
Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20240819235251.1331763-1-Joseph.Huang@garmin.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parent 13706c95

drivers/net/dsa/mv88e6xxx/global1_atu.c

+2 −1
Original line number Diff line number Diff line
@@ -457,6 +457,7 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id) 
		trace_mv88e6xxx_atu_full_violation(chip->dev, spid,

						   entry.portvec, entry.mac,

						   fid);

		if (spid < ARRAY_SIZE(chip->ports))

			chip->ports[spid].atu_full_violation++;

	}