diff options
author | Grant Grundler <grundler@parisc-linux.org> | 2008-03-24 01:23:10 -0400 |
---|---|---|
committer | Jeff Garzik <jeff@garzik.org> | 2008-03-28 21:52:14 -0400 |
commit | 209261c019f56d77f6a0cc38048e9a6f25867589 (patch) | |
tree | 36824a55e62c33e4ae4c24ce824d2948a83924de | |
parent | 3480c63bdf008e9289aab94418f43b9592978fff (diff) |
[netdrvr] tulip_read_eeprom fixes for BUG 4420
If "location" is > "addr_len" bits, the high bits of location would interfere
with the READ_CMD sent to the eeprom controller.
A patch was submitted to bug:
http://bugzilla.kernel.org/show_bug.cgi?id=4420
which simply truncated the "location", read whatever was in "location
modulo addr_len", and returned that value. That avoids confusing the
eeprom but seems like the wrong solution to me.
Correct would be to not read beyond "1 << addr_len" address of the eeprom.
I am submitting two changes to implement this:
1) tulip_read_eeprom will return zero (since we can't return -EINVAL)
if this is attempted (defensive programming).
2) In tulip_core.c, fix the tulip_read_eeprom caller so they don't
iterate past addr_len bits and make sure the entire tp->eeprom[]
array is cleared.
I konw we don't strictly need both. I would prefer both in the tree
since it documents the issue and provides a second "defense" from
the bug from creeping back in.
Signed-off-by: Grant Grundler <grundler@parisc-linux.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
-rw-r--r-- | drivers/net/tulip/eeprom.c | 6 | ||||
-rw-r--r-- | drivers/net/tulip/tulip_core.c | 7 |
2 files changed, 12 insertions, 1 deletions
diff --git a/drivers/net/tulip/eeprom.c b/drivers/net/tulip/eeprom.c index 206918bad539..da2206f6021d 100644 --- a/drivers/net/tulip/eeprom.c +++ b/drivers/net/tulip/eeprom.c | |||
@@ -343,6 +343,12 @@ int __devinit tulip_read_eeprom(struct net_device *dev, int location, int addr_l | |||
343 | void __iomem *ee_addr = tp->base_addr + CSR9; | 343 | void __iomem *ee_addr = tp->base_addr + CSR9; |
344 | int read_cmd = location | (EE_READ_CMD << addr_len); | 344 | int read_cmd = location | (EE_READ_CMD << addr_len); |
345 | 345 | ||
346 | /* If location is past the end of what we can address, don't | ||
347 | * read some other location (ie truncate). Just return zero. | ||
348 | */ | ||
349 | if (location > (1 << addr_len) - 1) | ||
350 | return 0; | ||
351 | |||
346 | iowrite32(EE_ENB & ~EE_CS, ee_addr); | 352 | iowrite32(EE_ENB & ~EE_CS, ee_addr); |
347 | iowrite32(EE_ENB, ee_addr); | 353 | iowrite32(EE_ENB, ee_addr); |
348 | 354 | ||
diff --git a/drivers/net/tulip/tulip_core.c b/drivers/net/tulip/tulip_core.c index ed600bf56e78..82f404b76d81 100644 --- a/drivers/net/tulip/tulip_core.c +++ b/drivers/net/tulip/tulip_core.c | |||
@@ -1437,6 +1437,7 @@ static int __devinit tulip_init_one (struct pci_dev *pdev, | |||
1437 | EEPROM. | 1437 | EEPROM. |
1438 | */ | 1438 | */ |
1439 | ee_data = tp->eeprom; | 1439 | ee_data = tp->eeprom; |
1440 | memset(ee_data, 0, sizeof(tp->eeprom)); | ||
1440 | sum = 0; | 1441 | sum = 0; |
1441 | if (chip_idx == LC82C168) { | 1442 | if (chip_idx == LC82C168) { |
1442 | for (i = 0; i < 3; i++) { | 1443 | for (i = 0; i < 3; i++) { |
@@ -1458,8 +1459,12 @@ static int __devinit tulip_init_one (struct pci_dev *pdev, | |||
1458 | /* A serial EEPROM interface, we read now and sort it out later. */ | 1459 | /* A serial EEPROM interface, we read now and sort it out later. */ |
1459 | int sa_offset = 0; | 1460 | int sa_offset = 0; |
1460 | int ee_addr_size = tulip_read_eeprom(dev, 0xff, 8) & 0x40000 ? 8 : 6; | 1461 | int ee_addr_size = tulip_read_eeprom(dev, 0xff, 8) & 0x40000 ? 8 : 6; |
1462 | int ee_max_addr = ((1 << ee_addr_size) - 1) * sizeof(u16); | ||
1461 | 1463 | ||
1462 | for (i = 0; i < sizeof(tp->eeprom); i+=2) { | 1464 | if (ee_max_addr > sizeof(tp->eeprom)) |
1465 | ee_max_addr = sizeof(tp->eeprom); | ||
1466 | |||
1467 | for (i = 0; i < ee_max_addr ; i += sizeof(u16)) { | ||
1463 | u16 data = tulip_read_eeprom(dev, i/2, ee_addr_size); | 1468 | u16 data = tulip_read_eeprom(dev, i/2, ee_addr_size); |
1464 | ee_data[i] = data & 0xff; | 1469 | ee_data[i] = data & 0xff; |
1465 | ee_data[i + 1] = data >> 8; | 1470 | ee_data[i + 1] = data >> 8; |