ptp_clock_ops.n_per_out sets the number of PPS outputs, which the PTP subsystem uses to validate userspace input, such as the index number used in a PTP_CLK_REQ_PEROUT request. stmmac_enable() uses this to index the priv->pps array, which is an array of size STMMAC_PPS_MAX.

ptp_clock_ops.n_per_out is initialised using priv->dma_cap.pps_out_num, which is a three bit field read from hardware. Documentation that I've checked suggests that values >= 5 are reserved, but that doesn't mean such values won't appear, and if they do, we can overrun the priv->pps array in stmmac_enable().

stmmac_ptp_register() has protection against this in its loop, but it doesn't act to limit ptp_clock_ops.n_per_out.

Fix this by introducing a local variable, pps_out_num which is limited to STMMAC_PPS_MAX, and use that when initialising the array and setting priv->ptp_clock_ops.n_per_out. Print a warning when we limit the number of outputs.

Reviewed-by: Simon Horman
Signed-off-by: Russell King (Oracle)
---
This could be a user exploitable bug (although one has to be root so the gun is already pointing at one's foot.)

This is the commit which introduced the problem:
Fixes: 9a8a02c9d46d ("net: stmmac: Add Flexible PPS support")

v2: add warning print
---
.../net/ethernet/stmicro/stmmac/stmmac_ptp.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c index 3e30172fa129..98da499ba3b1 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c 
@@ -334,14 +334,19 @@ const struct ptp_clock_info dwmac1000_ptp_clock_ops = { */ void stmmac_ptp_register(struct stmmac_priv *priv) { + unsigned int pps_out_num = priv->dma_cap.pps_out_num; int i; - for (i = 0; i < priv->dma_cap.pps_out_num; i++) { - if (i >= STMMAC_PPS_MAX) - break; - priv->pps[i].available = true; + if (pps_out_num > STMMAC_PPS_MAX) { + dev_warn(priv->device, + "pps outputs (%u) exceeds driver maximum, limiting to %u\n", + pps_out_num, STMMAC_PPS_MAX); + pps_out_num = STMMAC_PPS_MAX; } + for (i = 0; i < pps_out_num; i++) + priv->pps[i].available = true; + /* Calculate the clock domain crossing (CDC) error if necessary */ priv->plat->cdc_error_adj = 0; if (priv->plat->core_type == DWMAC_CORE_GMAC4) @@ -350,8 +355,8 @@ void stmmac_ptp_register(struct stmmac_priv *priv) /* Update the ptp clock parameters based on feature discovery, when * available */ - if (priv->dma_cap.pps_out_num) - priv->ptp_clock_ops.n_per_out = priv->dma_cap.pps_out_num; + if (pps_out_num) + priv->ptp_clock_ops.n_per_out = pps_out_num; if (priv->dma_cap.aux_snapshot_n) priv->ptp_clock_ops.n_ext_ts = priv->dma_cap.aux_snapshot_n; -- 2.47.3
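
Review bot: in the first hunk of stmmac_ptp_register(), the clamp is applied only to the local pps_out_num, so priv->dma_cap.pps_out_num keeps the raw hardware value. Any other reader of that field, not visible in this patch, would still see a count above STMMAC_PPS_MAX; consider clamping where dma_cap is filled in, or writing the limited value back here. Separately, `for (i = 0; i < pps_out_num; i++)` now compares the signed `int i` against an unsigned int; declaring `i` as unsigned int would keep the comparison same-signed.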
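
Review bot: in the second hunk, the unchanged context right after the n_per_out fix still does `priv->ptp_clock_ops.n_ext_ts = priv->dma_cap.aux_snapshot_n;` with no upper bound, the same pattern this patch corrects for pps_out_num. It is worth checking whether n_ext_ts is also used to validate an index into a fixed-size array, and either adding the equivalent limit or saying in the commit message why none is needed.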