From: Radu Pirea <radu-nicolae.pirea@xxxxxxx> Fix slab-out-of-bounds in sja1105_setup. Kernel log: [ 98.394543] sja1105 spi5.0: Probed switch chip: SJA1105Q [ 98.425782] ================================================================== [ 98.425819] BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340 [ 98.425880] Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8 [ 98.425921] CPU: 0 PID: 8 Comm: kworker/u8:0 Tainted: G O 5.15.73-rt52-00001-g9f4226d49b44 #6 [ 98.425955] Hardware name: NXP S32G2XXX-EVB (DT) [ 98.425975] Workqueue: events_unbound deferred_probe_work_func [ 98.426039] Call trace: [ 98.426049] dump_backtrace+0x0/0x2b4 [ 98.426099] show_stack+0x18/0x24 [ 98.426140] dump_stack_lvl+0x68/0x84 [ 98.426179] print_address_description.constprop.0+0x78/0x29c [ 98.426221] kasan_report+0x1d4/0x240 [ 98.426261] __asan_store8+0x98/0xd0 [ 98.426299] sja1105_setup+0x1cbc/0x2340 [ 98.426331] dsa_register_switch+0x1284/0x18d0 [ 98.426381] sja1105_probe+0x748/0x840 [ 98.426411] spi_probe+0xb0/0x110 [ 98.426458] really_probe.part.0+0xf8/0x48c [ 98.426503] __driver_probe_device+0xd4/0x180 [ 98.426546] driver_probe_device+0xf8/0x1e0 [ 98.426588] __device_attach_driver+0xe8/0x1a0 [ 98.426631] bus_for_each_drv+0xf4/0x15c [ 98.426670] __device_attach+0x120/0x270 [ 98.426711] device_initial_probe+0x14/0x20 [ 98.426753] bus_probe_device+0xec/0x100 [ 98.426793] deferred_probe_work_func+0xe8/0x130 [ 98.426835] process_one_work+0x3cc/0x664 [ 98.426872] worker_thread+0xa0/0x72c [ 98.426904] kthread+0x21c/0x230 [ 98.426946] ret_from_fork+0x10/0x20 [ 98.426988] Allocated by task 8: [ 98.427004] kasan_save_stack+0x28/0x60 [ 98.427040] __kasan_kmalloc+0x8c/0xb0 [ 98.427072] __kmalloc+0xdc/0x1a0 [ 98.427100] kmalloc_array.constprop.0+0x20/0x34 [ 98.427131] sja1105_setup+0x1bcc/0x2340 [ 98.427160] dsa_register_switch+0x1284/0x18d0 [ 98.427203] sja1105_probe+0x748/0x840 [ 98.427232] spi_probe+0xb0/0x110 [ 98.427274] really_probe.part.0+0xf8/0x48c [ 98.427316] __driver_probe_device+0xd4/0x180 [ 98.427357] driver_probe_device+0xf8/0x1e0 [ 98.427398] __device_attach_driver+0xe8/0x1a0 [ 98.427441] bus_for_each_drv+0xf4/0x15c [ 98.427478] __device_attach+0x120/0x270 [ 98.427516] device_initial_probe+0x14/0x20 [ 98.427557] bus_probe_device+0xec/0x100 [ 98.427596] deferred_probe_work_func+0xe8/0x130 [ 98.427636] process_one_work+0x3cc/0x664 [ 98.427668] worker_thread+0xa0/0x72c [ 98.427698] kthread+0x21c/0x230 [ 98.427737] ret_from_fork+0x10/0x20 [ 98.427775] The buggy address belongs to the object at ffffff880bd57000 which belongs to the cache kmalloc-2k of size 2048 [ 98.427801] The buggy address is located 1800 bytes inside of 2048-byte region [ffffff880bd57000, ffffff880bd57800) [ 98.427833] The buggy address belongs to the page: [ 98.427848] page:0000000065dd1b0f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88bd57 [ 98.427881] flags: 0x8000000000000200(slab|zone=2) [ 98.427935] raw: 8000000000000200 fffffffe1c296ad8 fffffffe1c296b80 ffffff8800000400 [ 98.427966] raw: 0000000000000000 ffffff880bd57000 0000000100000001 [ 98.427982] page dumped because: kasan: bad access detected [ 98.428003] Memory state around the buggy address: [ 98.428021] ffffff880bd57600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 98.428046] ffffff880bd57680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 98.428072] >ffffff880bd57700: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 98.428088] ^ [ 98.428106] ffffff880bd57780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 98.428131] ffffff880bd57800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 98.428148] ================================================================== Signed-off-by: Radu Pirea <radu-nicolae.pirea@xxxxxxx> --- drivers/net/dsa/sja1105/sja1105_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Can be applied on top of 5.15.81 stable branch. Cheers. Radu P. diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c index 412666111b0c..b70dcf32a26d 100644 --- a/drivers/net/dsa/sja1105/sja1105_main.c +++ b/drivers/net/dsa/sja1105/sja1105_main.c @@ -1038,7 +1038,7 @@ static int sja1105_init_l2_policing(struct sja1105_private *priv) policing[bcast].sharindx = port; /* Only SJA1110 has multicast policers */ - if (mcast <= table->ops->max_entry_count) + if (mcast < table->ops->max_entry_count) policing[mcast].sharindx = port; } -- 2.34.1