From 761172fbf672c5784b2a0d71ca2f4389eb7a2c21 Mon Sep 17 00:00:00 2001 From: Abraham Arce Date: Fri, 16 Apr 2010 14:48:43 +0000 Subject: KS8851: NULL pointer dereference if list is empty Fix NULL pointer dereference in ks8851_tx_work by checking if dequeued list is already empty before writing the packet to TX FIFO Unable to handle kernel NULL pointer dereference at virtual address 00000050 PC is at ks8851_tx_work+0xdc/0x1b0 LR is at wait_for_common+0x148/0x164 pc : [] lr : [] psr: 20000013 Backtrace: ks8851_tx_work+0x0/0x1b0 worker_thread+0x0/0x190 kthread+0x0/0x90 Signed-off-by: Abraham Arce Signed-off-by: David S. Miller --- drivers/net/ks8851.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'drivers/net/ks8851.c') diff --git a/drivers/net/ks8851.c b/drivers/net/ks8851.c index 13cc1ca261d9..9e9f9b349766 100644 --- a/drivers/net/ks8851.c +++ b/drivers/net/ks8851.c @@ -722,12 +722,14 @@ static void ks8851_tx_work(struct work_struct *work) txb = skb_dequeue(&ks->txq); last = skb_queue_empty(&ks->txq); - ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA); - ks8851_wrpkt(ks, txb, last); - ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr); - ks8851_wrreg16(ks, KS_TXQCR, TXQCR_METFE); + if (txb != NULL) { + ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA); + ks8851_wrpkt(ks, txb, last); + ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr); + ks8851_wrreg16(ks, KS_TXQCR, TXQCR_METFE); - ks8851_done_tx(ks, txb); + ks8851_done_tx(ks, txb); + } } mutex_unlock(&ks->lock); -- cgit v1.2.2 From 7d9974666e0dc2cbbeac80fa4d550df0bbea6fad Mon Sep 17 00:00:00 2001 From: Sebastien Jan Date: Wed, 5 May 2010 08:45:52 +0000 Subject: ks8851: Add caching of CCR register CCR register contains information on companion eeprom availability. Signed-off-by: Sebastien Jan Signed-off-by: David S. Miller --- drivers/net/ks8851.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'drivers/net/ks8851.c') diff --git a/drivers/net/ks8851.c b/drivers/net/ks8851.c index b8ed1ee37ac1..623171f37d99 100644 --- a/drivers/net/ks8851.c +++ b/drivers/net/ks8851.c @@ -78,7 +78,9 @@ union ks8851_tx_hdr { * @msg_enable: The message flags controlling driver output (see ethtool). * @fid: Incrementing frame id tag. * @rc_ier: Cached copy of KS_IER. + * @rc_ccr: Cached copy of KS_CCR. * @rc_rxqcr: Cached copy of KS_RXQCR. + * @eeprom_size: Companion eeprom size in Bytes, 0 if no eeprom * * The @lock ensures that the chip is protected when certain operations are * in progress. When the read or write packet transfer is in progress, most @@ -109,6 +111,8 @@ struct ks8851_net { u16 rc_ier; u16 rc_rxqcr; + u16 rc_ccr; + u16 eeprom_size; struct mii_if_info mii; struct ks8851_rxctrl rxctrl; @@ -1269,6 +1273,14 @@ static int __devinit ks8851_probe(struct spi_device *spi) goto err_id; } + /* cache the contents of the CCR register for EEPROM, etc. */ + ks->rc_ccr = ks8851_rdreg16(ks, KS_CCR); + + if (ks->rc_ccr & CCR_EEPROM) + ks->eeprom_size = 128; + else + ks->eeprom_size = 0; + ks8851_read_selftest(ks); ks8851_init_mac(ks); -- cgit v1.2.2 From a4bdfff74464f86d7e3b8feaf42d18960adc5514 Mon Sep 17 00:00:00 2001 From: Sebastien Jan Date: Wed, 5 May 2010 08:45:53 +0000 Subject: ks8851: Low level functions for read/write to companion eeprom Low-level functions provide 16bits words read and write capability to ks8851 companion eeprom. Signed-off-by: Sebastien Jan Signed-off-by: David S. Miller --- drivers/net/ks8851.c | 228 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 228 insertions(+) (limited to 'drivers/net/ks8851.c') diff --git a/drivers/net/ks8851.c b/drivers/net/ks8851.c index 623171f37d99..3dba57b72ef8 100644 --- a/drivers/net/ks8851.c +++ b/drivers/net/ks8851.c @@ -1034,6 +1034,234 @@ static const struct net_device_ops ks8851_netdev_ops = { .ndo_validate_addr = eth_validate_addr, }; +/* Companion eeprom access */ + +enum { /* EEPROM programming states */ + EEPROM_CONTROL, + EEPROM_ADDRESS, + EEPROM_DATA, + EEPROM_COMPLETE +}; + +/** + * ks8851_eeprom_read - read a 16bits word in ks8851 companion EEPROM + * @dev: The network device the PHY is on. + * @addr: EEPROM address to read + * + * eeprom_size: used to define the data coding length. Can be changed + * through debug-fs. + * + * Programs a read on the EEPROM using ks8851 EEPROM SW access feature. + * Warning: The READ feature is not supported on ks8851 revision 0. + * + * Rough programming model: + * - on period start: set clock high and read value on bus + * - on period / 2: set clock low and program value on bus + * - start on period / 2 + */ +unsigned int ks8851_eeprom_read(struct net_device *dev, unsigned int addr) +{ + struct ks8851_net *ks = netdev_priv(dev); + int eepcr; + int ctrl = EEPROM_OP_READ; + int state = EEPROM_CONTROL; + int bit_count = EEPROM_OP_LEN - 1; + unsigned int data = 0; + int dummy; + unsigned int addr_len; + + addr_len = (ks->eeprom_size == 128) ? 6 : 8; + + /* start transaction: chip select high, authorize write */ + mutex_lock(&ks->lock); + eepcr = EEPCR_EESA | EEPCR_EESRWA; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + eepcr |= EEPCR_EECS; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + + while (state != EEPROM_COMPLETE) { + /* falling clock period starts... */ + /* set EED_IO pin for control and address */ + eepcr &= ~EEPCR_EEDO; + switch (state) { + case EEPROM_CONTROL: + eepcr |= ((ctrl >> bit_count) & 1) << 2; + if (bit_count-- <= 0) { + bit_count = addr_len - 1; + state = EEPROM_ADDRESS; + } + break; + case EEPROM_ADDRESS: + eepcr |= ((addr >> bit_count) & 1) << 2; + bit_count--; + break; + case EEPROM_DATA: + /* Change to receive mode */ + eepcr &= ~EEPCR_EESRWA; + break; + } + + /* lower clock */ + eepcr &= ~EEPCR_EESCK; + + mutex_lock(&ks->lock); + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + + /* waitread period / 2 */ + udelay(EEPROM_SK_PERIOD / 2); + + /* rising clock period starts... */ + + /* raise clock */ + mutex_lock(&ks->lock); + eepcr |= EEPCR_EESCK; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + + /* Manage read */ + switch (state) { + case EEPROM_ADDRESS: + if (bit_count < 0) { + bit_count = EEPROM_DATA_LEN - 1; + state = EEPROM_DATA; + } + break; + case EEPROM_DATA: + mutex_lock(&ks->lock); + dummy = ks8851_rdreg16(ks, KS_EEPCR); + mutex_unlock(&ks->lock); + data |= ((dummy >> EEPCR_EESB_OFFSET) & 1) << bit_count; + if (bit_count-- <= 0) + state = EEPROM_COMPLETE; + break; + } + + /* wait period / 2 */ + udelay(EEPROM_SK_PERIOD / 2); + } + + /* close transaction */ + mutex_lock(&ks->lock); + eepcr &= ~EEPCR_EECS; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + eepcr = 0; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + + return data; +} + +/** + * ks8851_eeprom_write - write a 16bits word in ks8851 companion EEPROM + * @dev: The network device the PHY is on. + * @op: operand (can be WRITE, EWEN, EWDS) + * @addr: EEPROM address to write + * @data: data to write + * + * eeprom_size: used to define the data coding length. Can be changed + * through debug-fs. + * + * Programs a write on the EEPROM using ks8851 EEPROM SW access feature. + * + * Note that a write enable is required before writing data. + * + * Rough programming model: + * - on period start: set clock high + * - on period / 2: set clock low and program value on bus + * - start on period / 2 + */ +void ks8851_eeprom_write(struct net_device *dev, unsigned int op, + unsigned int addr, unsigned int data) +{ + struct ks8851_net *ks = netdev_priv(dev); + int eepcr; + int state = EEPROM_CONTROL; + int bit_count = EEPROM_OP_LEN - 1; + unsigned int addr_len; + + addr_len = (ks->eeprom_size == 128) ? 6 : 8; + + switch (op) { + case EEPROM_OP_EWEN: + addr = 0x30; + break; + case EEPROM_OP_EWDS: + addr = 0; + break; + } + + /* start transaction: chip select high, authorize write */ + mutex_lock(&ks->lock); + eepcr = EEPCR_EESA | EEPCR_EESRWA; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + eepcr |= EEPCR_EECS; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + + while (state != EEPROM_COMPLETE) { + /* falling clock period starts... */ + /* set EED_IO pin for control and address */ + eepcr &= ~EEPCR_EEDO; + switch (state) { + case EEPROM_CONTROL: + eepcr |= ((op >> bit_count) & 1) << 2; + if (bit_count-- <= 0) { + bit_count = addr_len - 1; + state = EEPROM_ADDRESS; + } + break; + case EEPROM_ADDRESS: + eepcr |= ((addr >> bit_count) & 1) << 2; + if (bit_count-- <= 0) { + if (op == EEPROM_OP_WRITE) { + bit_count = EEPROM_DATA_LEN - 1; + state = EEPROM_DATA; + } else { + state = EEPROM_COMPLETE; + } + } + break; + case EEPROM_DATA: + eepcr |= ((data >> bit_count) & 1) << 2; + if (bit_count-- <= 0) + state = EEPROM_COMPLETE; + break; + } + + /* lower clock */ + eepcr &= ~EEPCR_EESCK; + + mutex_lock(&ks->lock); + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + + /* wait period / 2 */ + udelay(EEPROM_SK_PERIOD / 2); + + /* rising clock period starts... */ + + /* raise clock */ + eepcr |= EEPCR_EESCK; + mutex_lock(&ks->lock); + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + + /* wait period / 2 */ + udelay(EEPROM_SK_PERIOD / 2); + } + + /* close transaction */ + mutex_lock(&ks->lock); + eepcr &= ~EEPCR_EECS; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + eepcr = 0; + ks8851_wrreg16(ks, KS_EEPCR, eepcr); + mutex_unlock(&ks->lock); + +} + /* ethtool support */ static void ks8851_get_drvinfo(struct net_device *dev, -- cgit v1.2.2 From a84afa40e07b6882ca46a7287d8ca4a8c5430f60 Mon Sep 17 00:00:00 2001 From: Sebastien Jan Date: Wed, 5 May 2010 08:45:54 +0000 Subject: ks8851: companion eeprom access through ethtool Accessing ks8851 companion eeprom permits modifying the ks8851 stored MAC address. Example how to change the MAC address using ethtool, to set the 01:23:45:67:89:AB MAC address: $ echo "0:AB8976452301" | xxd -r > mac.bin $ sudo ethtool -E eth0 magic 0x8870 offset 2 < mac.bin Signed-off-by: Sebastien Jan Signed-off-by: David S. Miller --- drivers/net/ks8851.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) (limited to 'drivers/net/ks8851.c') diff --git a/drivers/net/ks8851.c b/drivers/net/ks8851.c index 3dba57b72ef8..b4fb07a6f13f 100644 --- a/drivers/net/ks8851.c +++ b/drivers/net/ks8851.c @@ -1308,6 +1308,117 @@ static int ks8851_nway_reset(struct net_device *dev) return mii_nway_restart(&ks->mii); } +static int ks8851_get_eeprom_len(struct net_device *dev) +{ + struct ks8851_net *ks = netdev_priv(dev); + return ks->eeprom_size; +} + +static int ks8851_get_eeprom(struct net_device *dev, + struct ethtool_eeprom *eeprom, u8 *bytes) +{ + struct ks8851_net *ks = netdev_priv(dev); + u16 *eeprom_buff; + int first_word; + int last_word; + int ret_val = 0; + u16 i; + + if (eeprom->len == 0) + return -EINVAL; + + if (eeprom->len > ks->eeprom_size) + return -EINVAL; + + eeprom->magic = ks8851_rdreg16(ks, KS_CIDER); + + first_word = eeprom->offset >> 1; + last_word = (eeprom->offset + eeprom->len - 1) >> 1; + + eeprom_buff = kmalloc(sizeof(u16) * + (last_word - first_word + 1), GFP_KERNEL); + if (!eeprom_buff) + return -ENOMEM; + + for (i = 0; i < last_word - first_word + 1; i++) + eeprom_buff[i] = ks8851_eeprom_read(dev, first_word + 1); + + /* Device's eeprom is little-endian, word addressable */ + for (i = 0; i < last_word - first_word + 1; i++) + le16_to_cpus(&eeprom_buff[i]); + + memcpy(bytes, (u8 *)eeprom_buff + (eeprom->offset & 1), eeprom->len); + kfree(eeprom_buff); + + return ret_val; +} + +static int ks8851_set_eeprom(struct net_device *dev, + struct ethtool_eeprom *eeprom, u8 *bytes) +{ + struct ks8851_net *ks = netdev_priv(dev); + u16 *eeprom_buff; + void *ptr; + int max_len; + int first_word; + int last_word; + int ret_val = 0; + u16 i; + + if (eeprom->len == 0) + return -EOPNOTSUPP; + + if (eeprom->len > ks->eeprom_size) + return -EINVAL; + + if (eeprom->magic != ks8851_rdreg16(ks, KS_CIDER)) + return -EFAULT; + + first_word = eeprom->offset >> 1; + last_word = (eeprom->offset + eeprom->len - 1) >> 1; + max_len = (last_word - first_word + 1) * 2; + eeprom_buff = kmalloc(max_len, GFP_KERNEL); + if (!eeprom_buff) + return -ENOMEM; + + ptr = (void *)eeprom_buff; + + if (eeprom->offset & 1) { + /* need read/modify/write of first changed EEPROM word */ + /* only the second byte of the word is being modified */ + eeprom_buff[0] = ks8851_eeprom_read(dev, first_word); + ptr++; + } + if ((eeprom->offset + eeprom->len) & 1) + /* need read/modify/write of last changed EEPROM word */ + /* only the first byte of the word is being modified */ + eeprom_buff[last_word - first_word] = + ks8851_eeprom_read(dev, last_word); + + + /* Device's eeprom is little-endian, word addressable */ + le16_to_cpus(&eeprom_buff[0]); + le16_to_cpus(&eeprom_buff[last_word - first_word]); + + memcpy(ptr, bytes, eeprom->len); + + for (i = 0; i < last_word - first_word + 1; i++) + eeprom_buff[i] = cpu_to_le16(eeprom_buff[i]); + + ks8851_eeprom_write(dev, EEPROM_OP_EWEN, 0, 0); + + for (i = 0; i < last_word - first_word + 1; i++) { + ks8851_eeprom_write(dev, EEPROM_OP_WRITE, first_word + i, + eeprom_buff[i]); + mdelay(EEPROM_WRITE_TIME); + } + + ks8851_eeprom_write(dev, EEPROM_OP_EWDS, 0, 0); + + kfree(eeprom_buff); + return ret_val; +} + static const struct ethtool_ops ks8851_ethtool_ops = { .get_drvinfo = ks8851_get_drvinfo, .get_msglevel = ks8851_get_msglevel, @@ -1316,6 +1427,9 @@ static const struct ethtool_ops ks8851_ethtool_ops = { .set_settings = ks8851_set_settings, .get_link = ks8851_get_link, .nway_reset = ks8851_nway_reset, + .get_eeprom_len = ks8851_get_eeprom_len, + .get_eeprom = ks8851_get_eeprom, + .set_eeprom = ks8851_set_eeprom, }; /* MII interface controls */ -- cgit v1.2.2