From nobody Mon Apr 6 20:29:58 2026 Received: from pidgin.makrotopia.org (pidgin.makrotopia.org [185.142.180.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C7A2D256C6C; Wed, 18 Mar 2026 03:08:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.142.180.65 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773803282; cv=none; b=lSQEtlbja68iiDUf6VlPu/vRgjIL9LBuKbho0Ixb9XTBHyvmI9nlGfSJHJa0oGQmqTMx6JvTOaYtaWKgstYTVxpNk+idNzSKj/0yTPg/URZ9+cFWYj9gxfsUdlPtxxePj1VA/+b/xvyvQM3eVw3bUfwZ3K1ryvUKBua8wevc+co= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773803282; c=relaxed/simple; bh=pzcrMZE7hNfVVvaxkldQYtyCSFl9v3tUWGWga5ZDz6A=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=EQ4juJ3H3bkyFvxe1W+7UnTjrhyMfelxDI95NcASMq5/VBWqXyT7oEDhP1L2WXnQKRfYv2w7bmbgHr7v8UzvgxGNlwWMXKE/UMeMZreaC5NpcRVbgDs7nHObYzkVwluv88fXuoZzH0eAhzM+TdazJ1cpyPZKv6FeKwIi4hWqG/Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=makrotopia.org; spf=pass smtp.mailfrom=makrotopia.org; arc=none smtp.client-ip=185.142.180.65 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=makrotopia.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=makrotopia.org Received: from local by pidgin.makrotopia.org with esmtpsa (TLS1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.99) (envelope-from ) id 1w2hGF-000000004GF-0jL3; Wed, 18 Mar 2026 03:07:55 +0000 Date: Wed, 18 Mar 2026 03:07:52 +0000 From: Daniel Golle To: Daniel Golle , Andrew Lunn , Vladimir Oltean , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net-next] net: dsa: mxl862xx: don't read out-of-bounds Message-ID: <83356ad9c9a4470dd49b6b3d661c2a8dd85cc6a1.1773803190.git.daniel@makrotopia.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The write loop in mxl862xx_api_wrap() computes the word count as (size + 1) / 2, rounding up for odd-sized structs. On the last iteration of an odd-sized buffer it reads a full __le16 from data[i], accessing one byte past the end of the caller's struct. KASAN catches this as a stack-out-of-bounds read during probe (e.g. from mxl862xx_bridge_config_fwd() because of the odd length of sizeof(struct mxl862xx_bridge_config) =3D=3D 49). The read-back loop already handles this case, it writes only a single byte when (i * 2 + 1) =3D=3D size. The write loop lacked the same guard. In practice the over-read is harmless: the extra stack byte is sent to the firmware which ignores trailing data beyond the command's declared payload size. Apply the same odd-size last-byte handling to the write path: when the final word contains only one valid byte, send *(u8 *)&data[i] instead of le16_to_cpu(data[i]). This is endian-safe because data is __le16-encoded and the low byte is always at the lowest address regardless of host byte order. Signed-off-by: Daniel Golle Reviewed-by: Simon Horman --- drivers/net/dsa/mxl862xx/mxl862xx-host.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/mxl862xx/mxl862xx-host.c b/drivers/net/dsa/mxl= 862xx/mxl862xx-host.c index 8c55497a0ce89..4eefd2a759a7d 100644 --- a/drivers/net/dsa/mxl862xx/mxl862xx-host.c +++ b/drivers/net/dsa/mxl862xx/mxl862xx-host.c @@ -175,8 +175,14 @@ int mxl862xx_api_wrap(struct mxl862xx_priv *priv, u16 = cmd, void *_data, goto out; } =20 - ret =3D mxl862xx_reg_write(priv, MXL862XX_MMD_REG_DATA_FIRST + off, - le16_to_cpu(data[i])); + if ((i * 2 + 1) =3D=3D size) + ret =3D mxl862xx_reg_write(priv, + MXL862XX_MMD_REG_DATA_FIRST + off, + *(u8 *)&data[i]); + else + ret =3D mxl862xx_reg_write(priv, + MXL862XX_MMD_REG_DATA_FIRST + off, + le16_to_cpu(data[i])); if (ret < 0) goto out; } --=20 2.53.0