[PATCH] net: dsa: sja1105: fix new_retagging table size

"Radu Nicolae Pirea (OSS)" <radu-nicolae.pirea@xxxxxxxxxxx> · Tue, 6 Dec 2022 15:51:04 +0200

Allocate more memory for the new_retagging table according to its size.

Kernel log:
[  208.509460] sja1105 spi5.0: Probed switch chip: SJA1105Q
[  208.647821] ==================================================================
[  208.647854] BUG: KASAN: slab-out-of-bounds in sja1105_build_vlan_table+0x1b8/0x1b14
[  208.647928] Write of size 8 at addr ffffff88081cf630 by task kworker/2:5/247
[  208.647955]
[  208.647972] CPU: 2 PID: 247 Comm: kworker/2:5 Tainted: G           O      5.10.145-rt74 #18
[  208.648003] Hardware name: NXP S32G2XXX-EVB (DT)
[  208.648024] Workqueue: events deferred_probe_work_func
[  208.648080] Call trace:
[  208.648089]  dump_backtrace+0x0/0x2b4
[  208.648137]  show_stack+0x18/0x24
[  208.648178]  dump_stack+0xfc/0x168
[  208.648224]  print_address_description.constprop.0+0x70/0x468
[  208.648276]  kasan_report+0x118/0x200
[  208.648321]  __asan_store8+0x98/0xd0
[  208.648363]  sja1105_build_vlan_table+0x1b8/0x1b14
[  208.648405]  sja1105_dsa_8021q_vlan_add+0x60/0x80
[  208.648446]  dsa_8021q_vid_apply.isra.0+0x11c/0x140
[  208.648501]  dsa_8021q_setup+0x224/0x610
[  208.648545]  sja1105_setup+0x398/0x13b4
[  208.648581]  dsa_register_switch+0xad8/0x1430
[  208.648620]  sja1105_probe+0x50c/0x744
[  208.648654]  spi_drv_probe+0xb0/0x110
[  208.648696]  really_probe+0x150/0x6d4
[  208.648734]  driver_probe_device+0x78/0xec
[  208.648773]  __device_attach_driver+0xe8/0x17c
[  208.648813]  bus_for_each_drv+0xf4/0x15c
[  208.648847]  __device_attach+0x120/0x26c
[  208.648883]  device_initial_probe+0x14/0x20
[  208.648921]  bus_probe_device+0xec/0x100
[  208.648956]  deferred_probe_work_func+0xe8/0x130
[  208.648995]  process_one_work+0x3b8/0x650
[  208.649031]  worker_thread+0xa0/0x72c
[  208.649062]  kthread+0x23c/0x244
[  208.649101]  ret_from_fork+0x10/0x38
[  208.649134]
[  208.649141] Allocated by task 247:
[  208.649155]  kasan_save_stack+0x28/0x60
[  208.649195]  __kasan_kmalloc.constprop.0+0xc8/0xf0
[  208.649237]  kasan_kmalloc+0x10/0x20
[  208.649275]  __kmalloc+0xd0/0x180
[  208.649307]  sja1105_build_vlan_table+0x160/0x1b14
[  208.649347]  sja1105_dsa_8021q_vlan_add+0x60/0x80
[  208.649386]  dsa_8021q_vid_apply.isra.0+0x11c/0x140
[  208.649435]  dsa_8021q_setup+0x224/0x610
[  208.649479]  sja1105_setup+0x398/0x13b4
[  208.649513]  dsa_register_switch+0xad8/0x1430
[  208.649550]  sja1105_probe+0x50c/0x744
[  208.649583]  spi_drv_probe+0xb0/0x110
[  208.649619]  really_probe+0x150/0x6d4
[  208.649654]  driver_probe_device+0x78/0xec
[  208.649691]  __device_attach_driver+0xe8/0x17c
[  208.649729]  bus_for_each_drv+0xf4/0x15c
[  208.649762]  __device_attach+0x120/0x26c
[  208.649797]  device_initial_probe+0x14/0x20
[  208.649834]  bus_probe_device+0xec/0x100
[  208.649868]  deferred_probe_work_func+0xe8/0x130
[  208.649906]  process_one_work+0x3b8/0x650
[  208.649938]  worker_thread+0xa0/0x72c
[  208.649967]  kthread+0x23c/0x244
[  208.650003]  ret_from_fork+0x10/0x38
[  208.650034]
[  208.650041] The buggy address belongs to the object at ffffff88081cf000
[  208.650041]  which belongs to the cache kmalloc-2k of size 2048
[  208.650068] The buggy address is located 1584 bytes inside of
[  208.650068]  2048-byte region [ffffff88081cf000, ffffff88081cf800)
[  208.650099] The buggy address belongs to the page:
[  208.650114] page:000000002c3ceac6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8881cf
[  208.650145] flags: 0x8000000000000200(slab)
[  208.650192] raw: 8000000000000200 ffffffff1bfc6518 ffffffff1bfd36a8 ffffff8800000400
[  208.650221] raw: 0000000000000000 ffffff88081cf000 0000000100000001
[  208.650237] page dumped because: kasan: bad access detected
[  208.650250]
[  208.650257] Memory state around the buggy address:
[  208.650275]  ffffff88081cf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  208.650299]  ffffff88081cf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  208.650325] >ffffff88081cf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  208.650341]                                      ^
[  208.650359]  ffffff88081cf680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  208.650383]  ffffff88081cf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  208.650400] ==================================================================

Signed-off-by: Radu Nicolae Pirea (OSS) <radu-nicolae.pirea@xxxxxxxxxxx>
---
 drivers/net/dsa/sja1105/sja1105_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Should be applied on top of 5.10.157.
It is not relevant for newer LTS kernels.

Cheers.
Radu P.

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index c03d76c10868..868303d931fc 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -2592,7 +2592,7 @@ static int sja1105_build_vlan_table(struct sja1105_private *priv, bool notify)
 	if (!new_vlan)
 		return -ENOMEM;
 
-	table = &priv->static_config.tables[BLK_IDX_VLAN_LOOKUP];
+	table = &priv->static_config.tables[BLK_IDX_RETAGGING];
 	new_retagging = kcalloc(SJA1105_MAX_RETAGGING_COUNT,
 				table->ops->unpacked_entry_size, GFP_KERNEL);
 	if (!new_retagging) {
-- 
2.34.1







