r8169: explicit firmware format check.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
author: Francois Romieu <romieu@fr.zoreil.com> 2011-06-17 11:16:24 -0400
committer: Francois Romieu <romieu@fr.zoreil.com> 2011-06-18 05:34:32 -0400
commit: 1c361efb226d609a07403057a71557faf500b17a (patch)
tree: ff97f697d1634e160d76cf225ae52dceff55bcdb /drivers/net/r8169.c
parent: b6ffd97f5bcfd12df88ece6bc6df7a761ac5a049 (diff)
1 files changed, 49 insertions, 13 deletions
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index 3eeefe4b49e0..8fc9af246944 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -669,6 +669,15 @@ struct rtl8169_private {
        struct rtl_fw {
                const struct firmware *fw;
+#define RTL_VER_SIZE            32
+                char version[RTL_VER_SIZE];
+                struct rtl_fw_phy_action {
+                        __le32 *code;
+                        size_t size;
+                } phy_action;
        } *rtl_fw;
 #define RTL_FIRMWARE_UNKNOWN    ERR_PTR(-EAGAIN);
 };
@@ -1229,8 +1238,9 @@ static void rtl8169_get_drvinfo(struct net_device *dev,
        strcpy(info->driver, MODULENAME);
        strcpy(info->version, RTL8169_VERSION);
        strcpy(info->bus_info, pci_name(tp->pci_dev));
-        strncpy(info->fw_version, IS_ERR_OR_NULL(rtl_fw) ? "N/A" :
+        BUILD_BUG_ON(sizeof(info->fw_version) < sizeof(rtl_fw->version));
-                rtl_lookup_firmware_name(tp), sizeof(info->fw_version) - 1);
+        strcpy(info->fw_version, IS_ERR_OR_NULL(rtl_fw) ? "N/A" :
+               rtl_fw->version);
 }
 static int rtl8169_get_regs_len(struct net_device *dev)
@@ -1744,21 +1754,47 @@ static void rtl_writephy_batch(struct rtl8169_private *tp,
 #define PHY_DELAY_MS            0xe0000000
 #define PHY_WRITE_ERI_WORD      0xf0000000
-static void rtl_phy_write_fw(struct rtl8169_private *tp, struct rtl_fw *rtl_fw)
+#define FW_OPCODE_SIZE  sizeof(typeof(*((struct rtl_fw_phy_action *)0)->code))
+static bool rtl_fw_format_ok(struct rtl8169_private *tp, struct rtl_fw *rtl_fw)
 {
        const struct firmware *fw = rtl_fw->fw;
-        __le32 *phytable = (__le32 *)fw->data;
+        struct rtl_fw_phy_action *pa = &rtl_fw->phy_action;
+        char *version = rtl_fw->version;
+        bool rc = false;
+        if (fw->size < FW_OPCODE_SIZE)
+                goto out;
+        else {
+                if (fw->size % FW_OPCODE_SIZE)
+                        goto out;
+                strlcpy(version, rtl_lookup_firmware_name(tp), RTL_VER_SIZE);
+                pa->code = (__le32 *)fw->data;
+                pa->size = fw->size / FW_OPCODE_SIZE;
+        }
+        version[RTL_VER_SIZE - 1] = 0;
+        rc = true;
+out:
+        return rc;
+}
+static void rtl_phy_write_fw(struct rtl8169_private *tp, struct rtl_fw *rtl_fw)
+{
+        struct rtl_fw_phy_action *pa = &rtl_fw->phy_action;
        struct net_device *dev = tp->dev;
-        size_t index, fw_size = fw->size / sizeof(*phytable);
        u32 predata, count;
+        size_t index;
-        if (fw->size % sizeof(*phytable)) {
+        if (!rtl_fw_format_ok(tp, rtl_fw)) {
-                netif_err(tp, probe, dev, "odd sized firmware %zd\n", fw->size);
+                netif_err(tp, probe, dev, "invalid firwmare\n");
                return;
        }
-        for (index = 0; index < fw_size; index++) {
+        for (index = 0; index < pa->size; index++) {
-                u32 action = le32_to_cpu(phytable[index]);
+                u32 action = le32_to_cpu(pa->code[index]);
                u32 regno = (action & 0x0fff0000) >> 16;
                switch(action & 0xf0000000) {
@@ -1780,7 +1816,7 @@ static void rtl_phy_write_fw(struct rtl8169_private *tp, struct rtl_fw *rtl_fw)
                        }
                        break;
                case PHY_READCOUNT_EQ_SKIP:
-                        if (index + 2 >= fw_size) {
+                        if (index + 2 >= pa->size) {
                                netif_err(tp, probe, tp->dev,
                                          "Out of range of firmware\n");
                                return;
@@ -1789,7 +1825,7 @@ static void rtl_phy_write_fw(struct rtl8169_private *tp, struct rtl_fw *rtl_fw)
                case PHY_COMP_EQ_SKIPN:
                case PHY_COMP_NEQ_SKIPN:
                case PHY_SKIPN:
-                        if (index + 1 + regno >= fw_size) {
+                        if (index + 1 + regno >= pa->size) {
                                netif_err(tp, probe, tp->dev,
                                          "Out of range of firmware\n");
                                return;
@@ -1809,8 +1845,8 @@ static void rtl_phy_write_fw(struct rtl8169_private *tp, struct rtl_fw *rtl_fw)
        predata = 0;
        count = 0;
-        for (index = 0; index < fw_size; ) {
+        for (index = 0; index < pa->size; ) {
-                u32 action = le32_to_cpu(phytable[index]);
+                u32 action = le32_to_cpu(pa->code[index]);
                u32 data = action & 0x0000ffff;
                u32 regno = (action & 0x0fff0000) >> 16;
author	Francois Romieu <romieu@fr.zoreil.com>	2011-06-17 11:16:24 -0400
committer	Francois Romieu <romieu@fr.zoreil.com>	2011-06-18 05:34:32 -0400
commit	1c361efb226d609a07403057a71557faf500b17a (patch)
tree	ff97f697d1634e160d76cf225ae52dceff55bcdb /drivers/net/r8169.c
parent	b6ffd97f5bcfd12df88ece6bc6df7a761ac5a049 (diff)