From 9b1bd0dccc949010567cfeca43e9f2a0451bcd17 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Sep 2021 08:37:36 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
net-dsa-bcm_sf2-fix-array-overrun-in-bcm_sf2_num_active_ports.patch
---
...-overrun-in-bcm_sf2_num_active_ports.patch | 38 +++++++++++++++++++
queue-5.10/series | 1 +
2 files changed, 39 insertions(+)
create mode 100644 queue-5.10/net-dsa-bcm_sf2-fix-array-overrun-in-bcm_sf2_num_active_ports.patch
diff --git a/queue-5.10/net-dsa-bcm_sf2-fix-array-overrun-in-bcm_sf2_num_active_ports.patch b/queue-5.10/net-dsa-bcm_sf2-fix-array-overrun-in-bcm_sf2_num_active_ports.patch
new file mode 100644
index 00000000000..4b701c9f443
--- /dev/null
+++ b/queue-5.10/net-dsa-bcm_sf2-fix-array-overrun-in-bcm_sf2_num_active_ports.patch
@@ -0,0 +1,38 @@
+From 02319bf15acf54004216e40ac9c171437f24be24 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Thu, 16 Sep 2021 14:33:35 -0700
+Subject: net: dsa: bcm_sf2: Fix array overrun in bcm_sf2_num_active_ports()
+
+From: Florian Fainelli
+
+commit 02319bf15acf54004216e40ac9c171437f24be24 upstream.
+
+After d12e1c464988 ("net: dsa: b53: Set correct number of ports in the
+DSA struct") we stopped setting dsa_switch::num_ports to DSA_MAX_PORTS,
+which created an off by one error between the statically allocated
+bcm_sf2_priv::port_sts array (of size DSA_MAX_PORTS). When
+dsa_is_cpu_port() is used, we end-up accessing an out of bounds member
+and causing a NPD.
+
+Fix this by iterating with the appropriate port count using
+ds->num_ports.
+
+Fixes: d12e1c464988 ("net: dsa: b53: Set correct number of ports in the DSA struct")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/bcm_sf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -38,7 +38,7 @@ static unsigned int bcm_sf2_num_active_p
+ struct bcm_sf2_priv *priv = bcm_sf2_to_priv(ds);
+ unsigned int port, count = 0;
+
+- for (port = 0; port < ARRAY_SIZE(priv->port_sts); port++) {
++ for (port = 0; port < ds->num_ports; port++) {
+ if (dsa_is_cpu_port(ds, port))
+ continue;
+ if (priv->port_sts[port].enabled)
diff --git a/queue-5.10/series b/queue-5.10/series
index 468d4f73aa2..71db5364bd6 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -121,3 +121,4 @@ mfd-lpc_sch-rename-gpiobase-to-prevent-build-error.patch
 net-renesas-sh_eth-fix-freeing-wrong-tx-descriptor.patch
 x86-mce-avoid-infinite-loop-for-copy-from-user-recovery.patch
 bnxt_en-fix-error-recovery-regression.patch
+net-dsa-bcm_sf2-fix-array-overrun-in-bcm_sf2_num_active_ports.patch
-- 
2.47.3
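Review bot: In the queued bcm_sf2.c change, the new loop bound `ds->num_ports` is never tied to the size of the array it indexes, so `priv->port_sts[port]` stays in bounds only while `num_ports` does not exceed `ARRAY_SIZE(priv->port_sts)`, and nothing in the visible lines enforces that. The commit message says the array is statically sized to DSA_MAX_PORTS, so the invariant presumably holds where `num_ports` is assigned, but a later change to that assignment would turn this loop into an out-of-bounds read with no warning. I would either clamp the bound, `for (port = 0; port < min_t(unsigned int, ds->num_ports, ARRAY_SIZE(priv->port_sts)); port++) {`, or record the assumption above the loop, e.g. `/* ds->num_ports <= ARRAY_SIZE(priv->port_sts); set in <place where num_ports is assigned> */`. The body of bcm_sf2_num_active_ports() starts and ends outside the hunk, so an existing check elsewhere in the function or at probe time cannot be ruled out from here.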