--- /dev/null
+From 02319bf15acf54004216e40ac9c171437f24be24 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 16 Sep 2021 14:33:35 -0700
+Subject: net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 02319bf15acf54004216e40ac9c171437f24be24 upstream.
+
+After d12e1c464988 ("net: dsa: b53: Set correct number of ports in the
+DSA struct") we stopped setting dsa_switch::num_ports to DSA_MAX_PORTS,
+which created an off by one error between the statically allocated
+bcm_sf2_priv::port_sts array (of size DSA_MAX_PORTS). When
+dsa_is_cpu_port() is used, we end-up accessing an out of bounds member
+and causing a NPD.
+
+Fix this by iterating with the appropriate port count using
+ds->num_ports.
+
+Fixes: d12e1c464988 ("net: dsa: b53: Set correct number of ports in the DSA struct")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -68,7 +68,7 @@ static unsigned int bcm_sf2_num_active_p
+ struct bcm_sf2_priv *priv = bcm_sf2_to_priv(ds);
+ unsigned int port, count = 0;
+
+- for (port = 0; port < ARRAY_SIZE(priv->port_sts); port++) {
++ for (port = 0; port < ds->num_ports; port++) {
+ if (dsa_is_cpu_port(ds, port))
+ continue;
+ if (priv->port_sts[port].enabled)
projects / thirdparty / kernel / stable-queue.git / commitdiff
