[net,1/1] net: dsa: mv88e6xxx: Fix out-of-bound access

Message ID 20240819222641.1292308-1-Joseph.Huang@garmin.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 16 this patch: 16
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 16 this patch: 16
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 16 this patch: 16
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Joseph Huang Aug. 19, 2024, 10:26 p.m. UTC
If an ATU violation was caused by a CPU Load operation, the SPID is 0xf,
which is larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[]
array).

Fixes: 75c05a74e745 ("net: dsa: mv88e6xxx: Fix counting of ATU violations")
Signed-off-by: Joseph Huang <Joseph.Huang@garmin.com>
---
 drivers/net/dsa/mv88e6xxx/global1.h     | 1 +
 drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

Comments

Andrew Lunn Aug. 19, 2024, 10:58 p.m. UTC | #1
On Mon, Aug 19, 2024 at 06:26:40PM -0400, Joseph Huang wrote:
> If an ATU violation was caused by a CPU Load operation, the SPID is 0xf,
> which is larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[]
> array).

The 6390X datasheet says "IF SPID = 0x1f the source of the violation
was the CPU's registers interface."

> +#define MV88E6XXX_G1_ATU_DATA_SPID_CPU				0x000f

So it seems to depend on the family.

>  
>  /* Offset 0x0D: ATU MAC Address Register Bytes 0 & 1
>   * Offset 0x0E: ATU MAC Address Register Bytes 2 & 3
> diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> index ce3b3690c3c0..b6f15ae22c20 100644
> --- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
> +++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> @@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
>  		trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
>  						   entry.portvec, entry.mac,
>  						   fid);
> -		chip->ports[spid].atu_full_violation++;
> +		if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)
> +			chip->ports[spid].atu_full_violation++;

So I think it would be better to do something like:

		if (spid < ARRAY_SIZE(chip->ports))
			chip->ports[spid].atu_full_violation++;

    Andrew

---
pw-bot: cr
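
The two guards compared in the comment above, run over constructed SPID values in a user-space model. This is an added example, not code from the patch or the kernel driver; the array size 12 (standing in for DSA_MAX_PORTS) and all model_* names and helpers are assumptions.

```c
#include <stdio.h>

/* Assumptions: 12 stands in for DSA_MAX_PORTS; all model_* names and the
 * helper functions are hypothetical, not the driver's. */
#define MODEL_MAX_PORTS 12
#define MODEL_SPID_CPU  0x0f	/* sentinel value from the patch */
#define ARRAY_SIZE(a)   (sizeof(a) / sizeof((a)[0]))

struct model_port { unsigned long atu_full_violation; };
struct model_chip { struct model_port ports[MODEL_MAX_PORTS]; };
typedef int (*guard_fn)(const struct model_chip *, unsigned int);

/* Guard from the patch: rejects exactly one value. */
static int sentinel_guard(const struct model_chip *chip, unsigned int spid)
{
	(void)chip;
	return spid != MODEL_SPID_CPU;
}

/* Guard suggested in the reply: rejects every index past the array. */
static int range_guard(const struct model_chip *chip, unsigned int spid)
{
	return spid < ARRAY_SIZE(chip->ports);
}

/* Count constructed SPID values in [0, max_spid] that a guard lets through
 * although they would index past ports[]. The array is never indexed here. */
static unsigned int unsafe_passes(guard_fn guard, unsigned int max_spid)
{
	struct model_chip chip = { 0 };
	unsigned int spid, n = 0;

	for (spid = 0; spid <= max_spid; spid++)
		if (guard(&chip, spid) && spid >= ARRAY_SIZE(chip.ports))
			n++;
	return n;
}

int main(void)
{
	/* 0x1f is the CPU value the reply quotes from the 6390X datasheet. */
	printf("unsafe SPIDs passed: sentinel=%u range=%u\n",
	       unsafe_passes(sentinel_guard, 0x1f),
	       unsafe_passes(range_guard, 0x1f));
	return 0;
}
```
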
Simon Horman Aug. 20, 2024, 6:32 p.m. UTC | #2
On Tue, Aug 20, 2024 at 12:58:05AM +0200, Andrew Lunn wrote:
> On Mon, Aug 19, 2024 at 06:26:40PM -0400, Joseph Huang wrote:
> > If an ATU violation was caused by a CPU Load operation, the SPID is 0xf,
> > which is larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[]
> > array).
> 
> The 6390X datasheet says "IF SPID = 0x1f the source of the violation
> was the CPU's registers interface."
> 
> > +#define MV88E6XXX_G1_ATU_DATA_SPID_CPU				0x000f
> 
> So it seems to depend on the family.
> 
> >  
> >  /* Offset 0x0D: ATU MAC Address Register Bytes 0 & 1
> >   * Offset 0x0E: ATU MAC Address Register Bytes 2 & 3
> > diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > index ce3b3690c3c0..b6f15ae22c20 100644
> > --- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > +++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > @@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
> >  		trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
> >  						   entry.portvec, entry.mac,
> >  						   fid);
> > -		chip->ports[spid].atu_full_violation++;
> > +		if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)
> > +			chip->ports[spid].atu_full_violation++;
> 
> So i think it would be better to do something like:
> 
> 		if (spid < ARRAY_SIZE(chip->ports))
> 			chip->ports[spid].atu_full_violation++;

Hi Joseph,

I am curious to know if bounds checking should also
be added to other accesses to chip->ports[spid] within this function.
Joseph Huang Aug. 20, 2024, 7:21 p.m. UTC | #3
On 8/20/2024 2:32 PM, Simon Horman wrote:
> On Tue, Aug 20, 2024 at 12:58:05AM +0200, Andrew Lunn wrote:
>> On Mon, Aug 19, 2024 at 06:26:40PM -0400, Joseph Huang wrote:
>> > If an ATU violation was caused by a CPU Load operation, the SPID is 0xf,
>> > which is larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[]
>> > array).
>> 
>> The 6390X datasheet says "IF SPID = 0x1f the source of the violation
>> was the CPU's registers interface."
>> 
>> > +#define MV88E6XXX_G1_ATU_DATA_SPID_CPU				0x000f
>> 
>> So it seems to depend on the family.
>> 
>> >  
>> >  /* Offset 0x0D: ATU MAC Address Register Bytes 0 & 1
>> >   * Offset 0x0E: ATU MAC Address Register Bytes 2 & 3
>> > diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
>> > index ce3b3690c3c0..b6f15ae22c20 100644
>> > --- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
>> > +++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
>> > @@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
>> >  		trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
>> >  						   entry.portvec, entry.mac,
>> >  						   fid);
>> > -		chip->ports[spid].atu_full_violation++;
>> > +		if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)
>> > +			chip->ports[spid].atu_full_violation++;
>> 
>> So i think it would be better to do something like:
>> 
>> 		if (spid < ARRAY_SIZE(chip->ports))
>> 			chip->ports[spid].atu_full_violation++;
> 
> Hi Joseph,
> 
> I am curious to know if bounds checking should also
> be added to other accesses to chip->ports[spid] within this function.
> 

Hi Simon,

From the spec it is unclear to me whether the Load operation could
actually cause other exceptions. I was only able to reproduce and verify 
the full violation, and that's why I only included that one in the patch.

I guess we could proactively include the fix for other exceptions as 
well, but without a way to verify them, they could be just dead code and 
never be exercised. Perhaps people who are more familiar with the chip 
than me could chime in. I'm fine either way.

Thanks,
Joseph
Simon Horman Aug. 21, 2024, 2:13 p.m. UTC | #4
On Tue, Aug 20, 2024 at 03:21:57PM -0400, Joseph Huang wrote:
> On 8/20/2024 2:32 PM, Simon Horman wrote:
> > On Tue, Aug 20, 2024 at 12:58:05AM +0200, Andrew Lunn wrote:
> > > On Mon, Aug 19, 2024 at 06:26:40PM -0400, Joseph Huang wrote:
> > > > If an ATU violation was caused by a CPU Load operation, the SPID is 0xf,
> > > > which is larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[]
> > > > array).
> > > 
> > > The 6390X datasheet says "IF SPID = 0x1f the source of the violation
> > > was the CPU's registers interface."
> > > 
> > > > +#define MV88E6XXX_G1_ATU_DATA_SPID_CPU				0x000f
> > > 
> > > So it seems to depend on the family.
> > > 
> > > >  >  /* Offset 0x0D: ATU MAC Address Register Bytes 0 & 1
> > > >   * Offset 0x0E: ATU MAC Address Register Bytes 2 & 3
> > > > diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > > > index ce3b3690c3c0..b6f15ae22c20 100644
> > > > --- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > > > +++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
> > > > @@ -457,7 +457,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
> > > >  		trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
> > > >  						   entry.portvec, entry.mac,
> > > >  						   fid);
> > > > -		chip->ports[spid].atu_full_violation++;
> > > > +		if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)
> > > > +			chip->ports[spid].atu_full_violation++;
> > > 
> > > So i think it would be better to do something like:
> > > 
> > > 		if (spid < ARRAY_SIZE(chip->ports))
> > > 			chip->ports[spid].atu_full_violation++;
> > 
> > Hi Joseph,
> > 
> > I am curious to know if bounds checking should also
> > be added to other accesses to chip->ports[spid] within this function.
> > 
> 
> Hi Simon,
> 
> From the spec it is unclear to me whether the Load operation could actually
> cause other exceptions. I was only able to reproduce and verify the full
> violation, and that's why I only included that one in the patch.
> 
> I guess we could proactively include the fix for other exceptions as well,
> but without a way to verify them, they could be just dead code and never be
> exercised. Perhaps people who are more familiar with the chip than me could
> chime in. I'm fine either way.

Thanks Joseph,

From my PoV it would be nice to add the checks unless we can be sure they
are not needed. But I do not feel strongly about this.

Patch

diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h
index 3dbb7a1b8fe1..9676e2d42c9e 100644
--- a/drivers/net/dsa/mv88e6xxx/global1.h
+++ b/drivers/net/dsa/mv88e6xxx/global1.h
@@ -162,6 +162,7 @@ 
 #define MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_AVB_NRL_PO	0x000d
 #define MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_DA_MGMT_PO	0x000e
 #define MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_PO		0x000f
+#define MV88E6XXX_G1_ATU_DATA_SPID_CPU				0x000f
 
 /* Offset 0x0D: ATU MAC Address Register Bytes 0 & 1
  * Offset 0x0E: ATU MAC Address Register Bytes 2 & 3
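Review bot: The new MV88E6XXX_G1_ATU_DATA_SPID_CPU define is appended to the MV88E6XXX_G1_ATU_DATA_STATE_* group and shares the value 0x000f with MV88E6XXX_G1_ATU_DATA_STATE_MC_STATIC_PO, with nothing to say it describes a different field (the source port ID, not the entry state). Please separate it from the state values with a blank line and a comment naming the field it applies to and the switch families that use this value, since the review thread quotes the 6390X datasheet as giving 0x1f for the same condition.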
diff --git a/drivers/net/dsa/mv88e6xxx/global1_atu.c b/drivers/net/dsa/mv88e6xxx/global1_atu.c
index ce3b3690c3c0..b6f15ae22c20 100644
--- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
+++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
@@ -457,7 +457,8 @@  static irqreturn_t mv88e6xxx_g1_atu_prob_irq_thread_fn(int irq, void *dev_id)
 		trace_mv88e6xxx_atu_full_violation(chip->dev, spid,
 						   entry.portvec, entry.mac,
 						   fid);
-		chip->ports[spid].atu_full_violation++;
+		if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)
+			chip->ports[spid].atu_full_violation++;
 	}
 
 	return IRQ_HANDLED;
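
Review bot: The guard `if (spid != MV88E6XXX_G1_ATU_DATA_SPID_CPU)` before the atu_full_violation increment excludes one value rather than bounding the index, so any other spid at or beyond the size of chip->ports[] still reaches the array. Testing the index against the array itself, `if (spid < ARRAY_SIZE(chip->ports))`, covers the 0xf case from the commit message without depending on a per-family constant and makes the define in global1.h unnecessary. The hunk touches only the full-violation branch; if the function indexes chip->ports[spid] elsewhere, as the thread asks, the same check belongs there too.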