From: Al Viro Date: Tue, 18 Dec 2007 07:00:31 +0000 (-0800) Subject: [TG3]: Endianness bugfix. X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=286e310f94b9459f3fa975333781c969b1041522;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git [TG3]: Endianness bugfix. tg3_nvram_write_block_unbuffered() is reading data from nvram into allocated buffer before overwriting a part of it with user-supplied data. Then it feeds the entire page back to nvram. It should be storing the words it had read as little-endian, not as host-endian. Note that tg3_set_eeprom() does exactly that for padding the same data to full words before it gets passed down to tg3_nvram_write_block() and then to tg3_nvram_write_block_unbuffered(). Moreover, when we get to sending the entire thing back to nvram, we go through it word-by-word, doing essentially writel(swab32(le32_to_cpu(word)), ...) so if we want them to reach the card in host-independent endianness, we'd better really have all that buffer filled with fixed-endian. For user-supplied part we obviously do have that (it's an array of octets memcpy'd in), ditto for padding of user-supplied part to word boundaries (taken care of in tg3_set_eeprom()). The rest of the buffer gets filled by tg3_nvram_write_block_unbuffered() and it would damn better be consistent with that (and with tg3_get_eeprom(), while we are at it - there we also convert the words read from nvram to little-endian before returning the buffer to user). The bug should get triggered on big-endian boxen when set_eeprom is done for less than entire page. Then the words that should've been unaffected at all will actually get byteswapped in place in nvram. Signed-off-by: Al Viro Signed-off-by: David S. Miller --- diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c index a76bb3dd30f..22eb7c8c1a2 100644 --- a/drivers/net/tg3.c +++ b/drivers/net/tg3.c @@ -10251,8 +10251,7 @@ static int tg3_nvram_write_block_unbuffered(struct tg3 *tp, u32 offset, u32 len, phy_addr = offset & ~pagemask; for (j = 0; j < pagesize; j += 4) { - /* Almost certainly should be tg3_nvram_read_le */ - if ((ret = tg3_nvram_read(tp, phy_addr + j, + if ((ret = tg3_nvram_read_le(tp, phy_addr + j, (__le32 *) (tmp + j)))) break; }