Commit 31a7a0bb authored Jan 29, 2026 by Junrui Luo Committed by Jakub Kicinski Jan 29, 2026

dpaa2-switch: add bounds check for if_id in IRQ handler

The IRQ handler extracts if_id from the upper 16 bits of the hardware
status register and uses it to index into ethsw->ports[] without
validation. Since if_id can be any 16-bit value (0-65535) but the ports
array is only allocated with sw_attr.num_ifs elements, this can lead to
an out-of-bounds read potentially.

Add a bounds check before accessing the array, consistent with the
existing validation in dpaa2_switch_rx().

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 24ab724f ("dpaa2-switch: use the port index in the IRQ handler")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881D420AB43FF1A227B84AFAF91A@SYBPR01MB7881.ausprd01.prod.outlook.com

Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 82deb281

drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -1531,6 +1531,10 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg)
		}

		if_id = (status & 0xFFFF0000) >> 16;
		if (if_id >= ethsw->sw_attr.num_ifs) {
		dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id);
		goto out;
		}
		port_priv = ethsw->ports[if_id];

		if (status & DPSW_IRQ_EVENT_LINK_CHANGED)