Allocate more memory for the new_retagging table according to its size. Kernel log: [ 208.509460] sja1105 spi5.0: Probed switch chip: SJA1105Q [ 208.647821] ================================================================== [ 208.647854] BUG: KASAN: slab-out-of-bounds in sja1105_build_vlan_table+0x1b8/0x1b14 [ 208.647928] Write of size 8 at addr ffffff88081cf630 by task kworker/2:5/247 [ 208.647955] [ 208.647972] CPU: 2 PID: 247 Comm: kworker/2:5 Tainted: G O 5.10.145-rt74 #18 [ 208.648003] Hardware name: NXP S32G2XXX-EVB (DT) [ 208.648024] Workqueue: events deferred_probe_work_func [ 208.648080] Call trace: [ 208.648089] dump_backtrace+0x0/0x2b4 [ 208.648137] show_stack+0x18/0x24 [ 208.648178] dump_stack+0xfc/0x168 [ 208.648224] print_address_description.constprop.0+0x70/0x468 [ 208.648276] kasan_report+0x118/0x200 [ 208.648321] __asan_store8+0x98/0xd0 [ 208.648363] sja1105_build_vlan_table+0x1b8/0x1b14 [ 208.648405] sja1105_dsa_8021q_vlan_add+0x60/0x80 [ 208.648446] dsa_8021q_vid_apply.isra.0+0x11c/0x140 [ 208.648501] dsa_8021q_setup+0x224/0x610 [ 208.648545] sja1105_setup+0x398/0x13b4 [ 208.648581] dsa_register_switch+0xad8/0x1430 [ 208.648620] sja1105_probe+0x50c/0x744 [ 208.648654] spi_drv_probe+0xb0/0x110 [ 208.648696] really_probe+0x150/0x6d4 [ 208.648734] driver_probe_device+0x78/0xec [ 208.648773] __device_attach_driver+0xe8/0x17c [ 208.648813] bus_for_each_drv+0xf4/0x15c [ 208.648847] __device_attach+0x120/0x26c [ 208.648883] device_initial_probe+0x14/0x20 [ 208.648921] bus_probe_device+0xec/0x100 [ 208.648956] deferred_probe_work_func+0xe8/0x130 [ 208.648995] process_one_work+0x3b8/0x650 [ 208.649031] worker_thread+0xa0/0x72c [ 208.649062] kthread+0x23c/0x244 [ 208.649101] ret_from_fork+0x10/0x38 [ 208.649134] [ 208.649141] Allocated by task 247: [ 208.649155] kasan_save_stack+0x28/0x60 [ 208.649195] __kasan_kmalloc.constprop.0+0xc8/0xf0 [ 208.649237] kasan_kmalloc+0x10/0x20 [ 208.649275] __kmalloc+0xd0/0x180 [ 208.649307] sja1105_build_vlan_table+0x160/0x1b14 [ 208.649347] sja1105_dsa_8021q_vlan_add+0x60/0x80 [ 208.649386] dsa_8021q_vid_apply.isra.0+0x11c/0x140 [ 208.649435] dsa_8021q_setup+0x224/0x610 [ 208.649479] sja1105_setup+0x398/0x13b4 [ 208.649513] dsa_register_switch+0xad8/0x1430 [ 208.649550] sja1105_probe+0x50c/0x744 [ 208.649583] spi_drv_probe+0xb0/0x110 [ 208.649619] really_probe+0x150/0x6d4 [ 208.649654] driver_probe_device+0x78/0xec [ 208.649691] __device_attach_driver+0xe8/0x17c [ 208.649729] bus_for_each_drv+0xf4/0x15c [ 208.649762] __device_attach+0x120/0x26c [ 208.649797] device_initial_probe+0x14/0x20 [ 208.649834] bus_probe_device+0xec/0x100 [ 208.649868] deferred_probe_work_func+0xe8/0x130 [ 208.649906] process_one_work+0x3b8/0x650 [ 208.649938] worker_thread+0xa0/0x72c [ 208.649967] kthread+0x23c/0x244 [ 208.650003] ret_from_fork+0x10/0x38 [ 208.650034] [ 208.650041] The buggy address belongs to the object at ffffff88081cf000 [ 208.650041] which belongs to the cache kmalloc-2k of size 2048 [ 208.650068] The buggy address is located 1584 bytes inside of [ 208.650068] 2048-byte region [ffffff88081cf000, ffffff88081cf800) [ 208.650099] The buggy address belongs to the page: [ 208.650114] page:000000002c3ceac6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8881cf [ 208.650145] flags: 0x8000000000000200(slab) [ 208.650192] raw: 8000000000000200 ffffffff1bfc6518 ffffffff1bfd36a8 ffffff8800000400 [ 208.650221] raw: 0000000000000000 ffffff88081cf000 0000000100000001 [ 208.650237] page dumped because: kasan: bad access detected [ 208.650250] [ 208.650257] Memory state around the buggy address: [ 208.650275] ffffff88081cf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 208.650299] ffffff88081cf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 208.650325] >ffffff88081cf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 208.650341] ^ [ 208.650359] ffffff88081cf680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 208.650383] ffffff88081cf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 208.650400] ================================================================== Signed-off-by: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@xxxxxxxxxxx> --- drivers/net/dsa/sja1105/sja1105_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Should be applied on top of 5.10.157. It is not relevant for newer LTS kernels. Cheers. Radu P. diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c index c03d76c10868..868303d931fc 100644 --- a/drivers/net/dsa/sja1105/sja1105_main.c +++ b/drivers/net/dsa/sja1105/sja1105_main.c @@ -2592,7 +2592,7 @@ static int sja1105_build_vlan_table(struct sja1105_private *priv, bool notify) if (!new_vlan) return -ENOMEM; - table = &priv->static_config.tables[BLK_IDX_VLAN_LOOKUP]; + table = &priv->static_config.tables[BLK_IDX_RETAGGING]; new_retagging = kcalloc(SJA1105_MAX_RETAGGING_COUNT, table->ops->unpacked_entry_size, GFP_KERNEL); if (!new_retagging) { -- 2.34.1