diff options
author | Grant Grundler <grundler@parisc-linux.org> | 2008-03-24 06:23:10 +0100 |
---|---|---|
committer | Jeff Garzik <jeff@garzik.org> | 2008-03-29 02:52:14 +0100 |
commit | 209261c019f56d77f6a0cc38048e9a6f25867589 (patch) | |
tree | 36824a55e62c33e4ae4c24ce824d2948a83924de /drivers/net/tulip/eeprom.c | |
parent | [LLC]: Restrict LLC sockets to root (diff) | |
download | linux-209261c019f56d77f6a0cc38048e9a6f25867589.tar.xz linux-209261c019f56d77f6a0cc38048e9a6f25867589.zip |
[netdrvr] tulip_read_eeprom fixes for BUG 4420
If "location" is > "addr_len" bits, the high bits of location would interfere
with the READ_CMD sent to the eeprom controller.
A patch was submitted to bug:
http://bugzilla.kernel.org/show_bug.cgi?id=4420
which simply truncated the "location", read whatever was in "location
modulo addr_len", and returned that value. That avoids confusing the
eeprom but seems like the wrong solution to me.
Correct would be to not read beyond "1 << addr_len" address of the eeprom.
I am submitting two changes to implement this:
1) tulip_read_eeprom will return zero (since we can't return -EINVAL)
if this is attempted (defensive programming).
2) In tulip_core.c, fix the tulip_read_eeprom caller so they don't
iterate past addr_len bits and make sure the entire tp->eeprom[]
array is cleared.
I konw we don't strictly need both. I would prefer both in the tree
since it documents the issue and provides a second "defense" from
the bug from creeping back in.
Signed-off-by: Grant Grundler <grundler@parisc-linux.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Diffstat (limited to 'drivers/net/tulip/eeprom.c')
-rw-r--r-- | drivers/net/tulip/eeprom.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/tulip/eeprom.c b/drivers/net/tulip/eeprom.c index 206918bad539..da2206f6021d 100644 --- a/drivers/net/tulip/eeprom.c +++ b/drivers/net/tulip/eeprom.c @@ -343,6 +343,12 @@ int __devinit tulip_read_eeprom(struct net_device *dev, int location, int addr_l void __iomem *ee_addr = tp->base_addr + CSR9; int read_cmd = location | (EE_READ_CMD << addr_len); + /* If location is past the end of what we can address, don't + * read some other location (ie truncate). Just return zero. + */ + if (location > (1 << addr_len) - 1) + return 0; + iowrite32(EE_ENB & ~EE_CS, ee_addr); iowrite32(EE_ENB, ee_addr); |