* [patch] USB: cdc_ether: remove unneeded check
From: Dan Carpenter @ 2010-12-25 22:23 UTC (permalink / raw)
To: Oliver Neukum; +Cc: Greg Kroah-Hartman, linux-usb, netdev, kernel-janitors
We already verified that "dev->udev->actconfig->extralen" was non-zero
so "len" is non-zero here as well.
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Compile tested.
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index b3fe0de..9a60e41 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -99,9 +99,7 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
*/
buf = dev->udev->actconfig->extra;
len = dev->udev->actconfig->extralen;
- if (len)
- dev_dbg(&intf->dev,
- "CDC descriptors on config\n");
+ dev_dbg(&intf->dev, "CDC descriptors on config\n");
}
/* Maybe CDC descriptors are after the endpoint? This bug has
^ permalink raw reply related
* Re: [PATCH] CAN: Use inode instead of kernel address for /proc file
From: Oliver Hartkopp @ 2010-12-25 22:22 UTC (permalink / raw)
To: Dan Rosenberg; +Cc: Urs Thuermann, David S. Miller, netdev, security
In-Reply-To: <1293315371.9764.44.camel@Dan>
On 25.12.2010 23:16, Dan Rosenberg wrote:
> Since the socket address is just being used as a unique identifier, its
> inode number is an alternative that does not leak potentially sensitive
> information.
>
> CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable <stable@kernel.org>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Thanks Dan.
> ---
> net/can/bcm.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 6faa825..5748901 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -1520,8 +1520,8 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
> bo->bound = 1;
>
> if (proc_dir) {
> - /* unique socket address as filename */
> - sprintf(bo->procname, "%p", sock);
> + /* socket inode as filename */
> + sprintf(bo->procname, "%lx", sock_i_ino(sk));
> bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
> proc_dir,
> &bcm_proc_fops, sk);
>
^ permalink raw reply
* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: Wolfram Sang @ 2010-12-25 22:17 UTC (permalink / raw)
To: richard -rw- weinberger
Cc: Jesper Juhl, netdev, vortex, becker, Steffen Klassert,
linux-kernel
In-Reply-To: <AANLkTi=Y4wDG6+AY1=8NuFLGuCidgqaU1LginfB1YpZH@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1075 bytes --]
On Sat, Dec 25, 2010 at 09:50:56PM +0100, richard -rw- weinberger wrote:
> On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > Hi,
> >
> > In drivers/net/3c59x.c::vortex_probe1() we have this code:
> >
> > if (gendev) {
> > if ((pdev = DEVICE_PCI(gendev))) {
> > print_name = pci_name(pdev);
> > }
> >
> > if ((edev = DEVICE_EISA(gendev))) {
> > print_name = dev_name(&edev->dev);
> > }
> > }
> >
> > I believe these assignments were intended to be comparisons.
> > If I'm correct, then here's a patch to fix that up.
>
> I don't think so. Look at the extra brackets.
>
> The code can also written as:
>
> pdev = DEVICE_PCI(gendev);
> if(pdev)
> print_name = pci_name(pdev);
... which looks much better and could be worth a patch as well.
--
Pengutronix e.K. | Wolfram Sang |
Industrial Linux Solutions | http://www.pengutronix.de/ |
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]
^ permalink raw reply
* [PATCH] CAN: Use inode instead of kernel address for /proc file
From: Dan Rosenberg @ 2010-12-25 22:16 UTC (permalink / raw)
To: Oliver Hartkopp, Urs Thuermann, David S. Miller; +Cc: netdev, security
Since the socket address is just being used as a unique identifier, its
inode number is an alternative that does not leak potentially sensitive
information.
CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
---
net/can/bcm.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 6faa825..5748901 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1520,8 +1520,8 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
bo->bound = 1;
if (proc_dir) {
- /* unique socket address as filename */
- sprintf(bo->procname, "%p", sock);
+ /* socket inode as filename */
+ sprintf(bo->procname, "%lx", sock_i_ino(sk));
bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
proc_dir,
&bcm_proc_fops, sk);
^ permalink raw reply related
* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: richard -rw- weinberger @ 2010-12-25 21:40 UTC (permalink / raw)
To: Jesper Juhl; +Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <alpine.LNX.2.00.1012252223380.10759@swampdragon.chaosbits.net>
On Sat, Dec 25, 2010 at 10:24 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
>
>> On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
>> > Hello,
>> >
>> > In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
>> > freed by kfree() and subsequently used in a call to dout() - use after
>> > free bug.
>>
>> Not really. %p reads only the address of "client".
>> kfree() does not alter this address.
>>
>
> Ok, I see your point and you are correct. But still, the patch does not
> change behaviour and it makes it absolutely clear that there's no
> use-after-free bug, so it might still have merit... or?
Your patch does not fix a bug.
I would say it's a style fix.
> --
> Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
>
--
Thanks,
//richard
^ permalink raw reply
* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: Jesper Juhl @ 2010-12-25 21:35 UTC (permalink / raw)
To: richard -rw- weinberger
Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <AANLkTincx8rSM+72czJ+tTrG=D=aOJLBb9nd9Jt_RsD2@mail.gmail.com>
On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
> On Sat, Dec 25, 2010 at 10:24 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
> >
> >> On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> >> > Hello,
> >> >
> >> > In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
> >> > freed by kfree() and subsequently used in a call to dout() - use after
> >> > free bug.
> >>
> >> Not really. %p reads only the address of "client".
> >> kfree() does not alter this address.
> >>
> >
> > Ok, I see your point and you are correct. But still, the patch does not
> > change behaviour and it makes it absolutely clear that there's no
> > use-after-free bug, so it might still have merit... or?
>
> Your patch does not fix a bug.
> I would say it's a style fix.
>
At this point in time I'd agree. :-)
--
Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
^ permalink raw reply
* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: Jesper Juhl @ 2010-12-25 21:24 UTC (permalink / raw)
To: richard -rw- weinberger
Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <AANLkTik+yrpY8T69w_RQ84ZbRqwkjvFhvxHLBvU14N3f@mail.gmail.com>
On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
> On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > Hello,
> >
> > In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
> > freed by kfree() and subsequently used in a call to dout() - use after
> > free bug.
>
> Not really. %p reads only the address of "client".
> kfree() does not alter this address.
>
Ok, I see your point and you are correct. But still, the patch does not
change behaviour and it makes it absolutely clear that there's no
use-after-free bug, so it might still have merit... or?
--
Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
^ permalink raw reply
* Re: [PATCH] Ceph: Fix use-after-free bug in ceph_messenger_destroy()
From: richard -rw- weinberger @ 2010-12-25 21:14 UTC (permalink / raw)
To: Jesper Juhl; +Cc: ceph-devel, netdev, linux-kernel, David S. Miller, Sage Weil
In-Reply-To: <alpine.LNX.2.00.1012251908410.10759@swampdragon.chaosbits.net>
On Sat, Dec 25, 2010 at 7:11 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> Hi,
>
> In net/ceph/messenger.c::ceph_messenger_destroy() the pointer 'msgr' is
> freed by kfree() and subsequently used in a call to dout() - use after
> free bug.
As I sad before, %p reads only the address.
> Easily fixed by simply moving the kfree() call after the dout() call.
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
> messenger.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
> index b6ff4a1..26514a7 100644
> --- a/net/ceph/messenger.c
> +++ b/net/ceph/messenger.c
> @@ -2131,8 +2131,8 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr)
> dout("destroy %p\n", msgr);
> kunmap(msgr->zero_page);
> __free_page(msgr->zero_page);
> - kfree(msgr);
> dout("destroyed messenger %p\n", msgr);
> + kfree(msgr);
> }
> EXPORT_SYMBOL(ceph_messenger_destroy);
>
>
> --
> Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
Thanks,
//richard
^ permalink raw reply
* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: richard -rw- weinberger @ 2010-12-25 21:12 UTC (permalink / raw)
To: Jesper Juhl; +Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <alpine.LNX.2.00.1012251914370.10759@swampdragon.chaosbits.net>
On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> Hello,
>
> In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
> freed by kfree() and subsequently used in a call to dout() - use after
> free bug.
Not really. %p reads only the address of "client".
kfree() does not alter this address.
> Easily fixed by simply moving the kfree() call after the dout() call.
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
> ceph_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
> index f3e4a13..890bbbf 100644
> --- a/net/ceph/ceph_common.c
> +++ b/net/ceph/ceph_common.c
> @@ -408,8 +408,8 @@ void ceph_destroy_client(struct ceph_client *client)
>
> ceph_destroy_options(client->options);
>
> - kfree(client);
> dout("destroy_client %p done\n", client);
> + kfree(client);
> }
> EXPORT_SYMBOL(ceph_destroy_client);
>
>
> --
> Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
Thanks,
//richard
^ permalink raw reply
* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: richard -rw- weinberger @ 2010-12-25 21:00 UTC (permalink / raw)
To: Jesper Juhl; +Cc: netdev, Steffen Klassert, linux-kernel
In-Reply-To: <alpine.LNX.2.00.1012252144030.10759@swampdragon.chaosbits.net>
On Sat, Dec 25, 2010 at 9:45 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
>
>> On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
>> > Hi,
>> >
>> > In drivers/net/3c59x.c::vortex_probe1() we have this code:
>> >
>> > if (gendev) {
>> > if ((pdev = DEVICE_PCI(gendev))) {
>> > print_name = pci_name(pdev);
>> > }
>> >
>> > if ((edev = DEVICE_EISA(gendev))) {
>> > print_name = dev_name(&edev->dev);
>> > }
>> > }
>> >
>> > I believe these assignments were intended to be comparisons.
>> > If I'm correct, then here's a patch to fix that up.
>>
>> I don't think so. Look at the extra brackets.
>>
>> The code can also written as:
>>
>> pdev = DEVICE_PCI(gendev);
>> if(pdev)
>> print_name = pci_name(pdev);
>>
>
> Arrgh, I completely missed that - damn.
> You are correct I think and my patch is wrong.
> Thanks for taking a look.
BTW: gcc is smart enough to catch such typos.
if(x = 3){
...
}
...would trigger a warning like this one:
"warning: suggest parentheses around assignment used as truth value"
>
> --
> Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
--
Thanks,
//richard
^ permalink raw reply
* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: richard -rw- weinberger @ 2010-12-25 20:50 UTC (permalink / raw)
To: Jesper Juhl; +Cc: netdev, vortex, becker, Steffen Klassert, linux-kernel
In-Reply-To: <alpine.LNX.2.00.1012252125410.10759@swampdragon.chaosbits.net>
On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> Hi,
>
> In drivers/net/3c59x.c::vortex_probe1() we have this code:
>
> if (gendev) {
> if ((pdev = DEVICE_PCI(gendev))) {
> print_name = pci_name(pdev);
> }
>
> if ((edev = DEVICE_EISA(gendev))) {
> print_name = dev_name(&edev->dev);
> }
> }
>
> I believe these assignments were intended to be comparisons.
> If I'm correct, then here's a patch to fix that up.
I don't think so. Look at the extra brackets.
The code can also written as:
pdev = DEVICE_PCI(gendev);
if(pdev)
print_name = pci_name(pdev);
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
> 3c59x.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
> index 0a92436f..db8a80e 100644
> --- a/drivers/net/3c59x.c
> +++ b/drivers/net/3c59x.c
> @@ -1110,11 +1110,11 @@ static int __devinit vortex_probe1(struct device *gendev,
> }
>
> if (gendev) {
> - if ((pdev = DEVICE_PCI(gendev))) {
> + if ((pdev == DEVICE_PCI(gendev))) {
> print_name = pci_name(pdev);
> }
>
> - if ((edev = DEVICE_EISA(gendev))) {
> + if ((edev == DEVICE_EISA(gendev))) {
> print_name = dev_name(&edev->dev);
> }
> }
>
>
> --
> Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
Thanks,
//richard
^ permalink raw reply
* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: Jesper Juhl @ 2010-12-25 20:45 UTC (permalink / raw)
To: richard -rw- weinberger; +Cc: netdev, Steffen Klassert, linux-kernel
In-Reply-To: <AANLkTi=Y4wDG6+AY1=8NuFLGuCidgqaU1LginfB1YpZH@mail.gmail.com>
[-- Attachment #1: Type: TEXT/PLAIN, Size: 1093 bytes --]
On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
> On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > Hi,
> >
> > In drivers/net/3c59x.c::vortex_probe1() we have this code:
> >
> > if (gendev) {
> > if ((pdev = DEVICE_PCI(gendev))) {
> > print_name = pci_name(pdev);
> > }
> >
> > if ((edev = DEVICE_EISA(gendev))) {
> > print_name = dev_name(&edev->dev);
> > }
> > }
> >
> > I believe these assignments were intended to be comparisons.
> > If I'm correct, then here's a patch to fix that up.
>
> I don't think so. Look at the extra brackets.
>
> The code can also written as:
>
> pdev = DEVICE_PCI(gendev);
> if(pdev)
> print_name = pci_name(pdev);
>
Arrgh, I completely missed that - damn.
You are correct I think and my patch is wrong.
Thanks for taking a look.
--
Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
^ permalink raw reply
* [PATCH] 3c59x: Don't assign when a comparison is intended
From: Jesper Juhl @ 2010-12-25 20:30 UTC (permalink / raw)
To: netdev; +Cc: vortex, becker, Steffen Klassert, linux-kernel
Hi,
In drivers/net/3c59x.c::vortex_probe1() we have this code:
if (gendev) {
if ((pdev = DEVICE_PCI(gendev))) {
print_name = pci_name(pdev);
}
if ((edev = DEVICE_EISA(gendev))) {
print_name = dev_name(&edev->dev);
}
}
I believe these assignments were intended to be comparisons.
If I'm correct, then here's a patch to fix that up.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
3c59x.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
index 0a92436f..db8a80e 100644
--- a/drivers/net/3c59x.c
+++ b/drivers/net/3c59x.c
@@ -1110,11 +1110,11 @@ static int __devinit vortex_probe1(struct device *gendev,
}
if (gendev) {
- if ((pdev = DEVICE_PCI(gendev))) {
+ if ((pdev == DEVICE_PCI(gendev))) {
print_name = pci_name(pdev);
}
- if ((edev = DEVICE_EISA(gendev))) {
+ if ((edev == DEVICE_EISA(gendev))) {
print_name = dev_name(&edev->dev);
}
}
--
Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
^ permalink raw reply related
* Re: [PATCH V7 1/8] ntp: add ADJ_SETOFFSET mode bit
From: Kuwahara,T. @ 2010-12-25 20:38 UTC (permalink / raw)
To: Richard Cochran
Cc: john stultz, linux-kernel, linux-api, netdev, Alan Cox,
Arnd Bergmann, Christoph Lameter, David Miller, Krzysztof Halasa,
Peter Zijlstra, Rodolfo Giometti, Thomas Gleixner
In-Reply-To: <20101223061359.GA7169@riccoc20.at.omicron.at>
After all, I'd prefer your earlier patchset. Leaving aside the
compatibility issue, there's no particular reason we have to re-use
the struct timex, which requires otherwise unnecessary conditional
branches as well as unit conversions. Don't you agree?
^ permalink raw reply
* [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: Jesper Juhl @ 2010-12-25 18:17 UTC (permalink / raw)
To: ceph-devel; +Cc: linux-kernel, netdev, Sage Weil, David S. Miller
Hello,
In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
freed by kfree() and subsequently used in a call to dout() - use after
free bug.
Easily fixed by simply moving the kfree() call after the dout() call.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
ceph_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index f3e4a13..890bbbf 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -408,8 +408,8 @@ void ceph_destroy_client(struct ceph_client *client)
ceph_destroy_options(client->options);
- kfree(client);
dout("destroy_client %p done\n", client);
+ kfree(client);
}
EXPORT_SYMBOL(ceph_destroy_client);
--
Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
^ permalink raw reply related
* [PATCH] Ceph: Fix use-after-free bug in ceph_messenger_destroy()
From: Jesper Juhl @ 2010-12-25 18:11 UTC (permalink / raw)
To: ceph-devel; +Cc: netdev, linux-kernel, David S. Miller, Sage Weil
Hi,
In net/ceph/messenger.c::ceph_messenger_destroy() the pointer 'msgr' is
freed by kfree() and subsequently used in a call to dout() - use after
free bug.
Easily fixed by simply moving the kfree() call after the dout() call.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
messenger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index b6ff4a1..26514a7 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2131,8 +2131,8 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr)
dout("destroy %p\n", msgr);
kunmap(msgr->zero_page);
__free_page(msgr->zero_page);
- kfree(msgr);
dout("destroyed messenger %p\n", msgr);
+ kfree(msgr);
}
EXPORT_SYMBOL(ceph_messenger_destroy);
--
Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
^ permalink raw reply related
* [PATCH net-2.6 v2] epic100: hamachi: yellowfin: Fix skb allocation size
From: Jarek Poplawski @ 2010-12-25 17:39 UTC (permalink / raw)
To: David Miller
Cc: Joel Soete, Eric Dumazet, Andrew Morton, Linux Kernel, netdev
In-Reply-To: <20101225151217.GA1994@del.dom.local>
Joel Soete reported oopses during pppoe over sundance NIC, caused by
a bug in skb allocation and dma mapping code, where skb_reserve()
bytes weren't taken into account. As a followup to the patch:
"sundance: Fix oopses with corrupted skb_shared_info" very similar
code is fixed here for three other drivers.
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Cc: Joel Soete <soete.joel@scarlet.be>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
---
v2: a tiny changelog fix only
drivers/net/epic100.c | 4 ++--
drivers/net/hamachi.c | 4 ++--
drivers/net/yellowfin.c | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/epic100.c b/drivers/net/epic100.c
index aa56963..c353bf3 100644
--- a/drivers/net/epic100.c
+++ b/drivers/net/epic100.c
@@ -935,7 +935,7 @@ static void epic_init_ring(struct net_device *dev)
/* Fill in the Rx buffers. Handle allocation failure gracefully. */
for (i = 0; i < RX_RING_SIZE; i++) {
- struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz + 2);
ep->rx_skbuff[i] = skb;
if (skb == NULL)
break;
@@ -1233,7 +1233,7 @@ static int epic_rx(struct net_device *dev, int budget)
entry = ep->dirty_rx % RX_RING_SIZE;
if (ep->rx_skbuff[entry] == NULL) {
struct sk_buff *skb;
- skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz);
+ skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz + 2);
if (skb == NULL)
break;
skb_reserve(skb, 2); /* Align IP on 16 byte boundaries */
diff --git a/drivers/net/hamachi.c b/drivers/net/hamachi.c
index 9a64858..80d25ed 100644
--- a/drivers/net/hamachi.c
+++ b/drivers/net/hamachi.c
@@ -1202,7 +1202,7 @@ static void hamachi_init_ring(struct net_device *dev)
}
/* Fill in the Rx buffers. Handle allocation failure gracefully. */
for (i = 0; i < RX_RING_SIZE; i++) {
- struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
hmp->rx_skbuff[i] = skb;
if (skb == NULL)
break;
@@ -1669,7 +1669,7 @@ static int hamachi_rx(struct net_device *dev)
entry = hmp->dirty_rx % RX_RING_SIZE;
desc = &(hmp->rx_ring[entry]);
if (hmp->rx_skbuff[entry] == NULL) {
- struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
hmp->rx_skbuff[entry] = skb;
if (skb == NULL)
diff --git a/drivers/net/yellowfin.c b/drivers/net/yellowfin.c
index cd1b3dc..ec47e22 100644
--- a/drivers/net/yellowfin.c
+++ b/drivers/net/yellowfin.c
@@ -744,7 +744,7 @@ static int yellowfin_init_ring(struct net_device *dev)
}
for (i = 0; i < RX_RING_SIZE; i++) {
- struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
yp->rx_skbuff[i] = skb;
if (skb == NULL)
break;
@@ -1157,7 +1157,7 @@ static int yellowfin_rx(struct net_device *dev)
for (; yp->cur_rx - yp->dirty_rx > 0; yp->dirty_rx++) {
entry = yp->dirty_rx % RX_RING_SIZE;
if (yp->rx_skbuff[entry] == NULL) {
- struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
if (skb == NULL)
break; /* Better luck next round. */
yp->rx_skbuff[entry] = skb;
^ permalink raw reply related
* [PATCH net-2.6] epic100: hamachi: yellowfin: Fix skb allocation size
From: Jarek Poplawski @ 2010-12-25 17:31 UTC (permalink / raw)
To: David Miller
Cc: Joel Soete, Eric Dumazet, Andrew Morton, Linux Kernel, netdev
In-Reply-To: <20101225151217.GA1994@del.dom.local>
Joel Soete reported oopses during pppoe over sundance NIC, caused by
a bug in skb allocation and dma mapping code, where skb_reserve()
bytes weren't taken into account. As a followup to the patch:
"sundance: Fix oopses with corrupted" very similar code is fixed here
for three other drivers.
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Cc: Joel Soete <soete.joel@scarlet.be>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
---
drivers/net/epic100.c | 4 ++--
drivers/net/hamachi.c | 4 ++--
drivers/net/yellowfin.c | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/epic100.c b/drivers/net/epic100.c
index aa56963..c353bf3 100644
--- a/drivers/net/epic100.c
+++ b/drivers/net/epic100.c
@@ -935,7 +935,7 @@ static void epic_init_ring(struct net_device *dev)
/* Fill in the Rx buffers. Handle allocation failure gracefully. */
for (i = 0; i < RX_RING_SIZE; i++) {
- struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz + 2);
ep->rx_skbuff[i] = skb;
if (skb == NULL)
break;
@@ -1233,7 +1233,7 @@ static int epic_rx(struct net_device *dev, int budget)
entry = ep->dirty_rx % RX_RING_SIZE;
if (ep->rx_skbuff[entry] == NULL) {
struct sk_buff *skb;
- skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz);
+ skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz + 2);
if (skb == NULL)
break;
skb_reserve(skb, 2); /* Align IP on 16 byte boundaries */
diff --git a/drivers/net/hamachi.c b/drivers/net/hamachi.c
index 9a64858..80d25ed 100644
--- a/drivers/net/hamachi.c
+++ b/drivers/net/hamachi.c
@@ -1202,7 +1202,7 @@ static void hamachi_init_ring(struct net_device *dev)
}
/* Fill in the Rx buffers. Handle allocation failure gracefully. */
for (i = 0; i < RX_RING_SIZE; i++) {
- struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
hmp->rx_skbuff[i] = skb;
if (skb == NULL)
break;
@@ -1669,7 +1669,7 @@ static int hamachi_rx(struct net_device *dev)
entry = hmp->dirty_rx % RX_RING_SIZE;
desc = &(hmp->rx_ring[entry]);
if (hmp->rx_skbuff[entry] == NULL) {
- struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
hmp->rx_skbuff[entry] = skb;
if (skb == NULL)
diff --git a/drivers/net/yellowfin.c b/drivers/net/yellowfin.c
index cd1b3dc..ec47e22 100644
--- a/drivers/net/yellowfin.c
+++ b/drivers/net/yellowfin.c
@@ -744,7 +744,7 @@ static int yellowfin_init_ring(struct net_device *dev)
}
for (i = 0; i < RX_RING_SIZE; i++) {
- struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
yp->rx_skbuff[i] = skb;
if (skb == NULL)
break;
@@ -1157,7 +1157,7 @@ static int yellowfin_rx(struct net_device *dev)
for (; yp->cur_rx - yp->dirty_rx > 0; yp->dirty_rx++) {
entry = yp->dirty_rx % RX_RING_SIZE;
if (yp->rx_skbuff[entry] == NULL) {
- struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+ struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
if (skb == NULL)
break; /* Better luck next round. */
yp->rx_skbuff[entry] = skb;
^ permalink raw reply related
* [PATCH v2 9/9] can: pch_can: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
To: netdev; +Cc: socketcan-core, Marc Kleine-Budde, Tomoya
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Tomoya <tomoya-linux@dsn.okisemi.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
Changes since v1:
- fix data copy: copy if rtr is _not_ set (thanks Oliver)
drivers/net/can/pch_can.c | 15 ++++++++-------
1 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c
index c42e972..cd6b27d 100644
--- a/drivers/net/can/pch_can.c
+++ b/drivers/net/can/pch_can.c
@@ -692,16 +692,17 @@ static int pch_can_rx_normal(struct net_device *ndev, u32 obj_num, int quota)
cf->can_id = id;
}
- if (id2 & PCH_ID2_DIR)
- cf->can_id |= CAN_RTR_FLAG;
-
cf->can_dlc = get_can_dlc((ioread32(&priv->regs->
ifregs[0].mcont)) & 0xF);
- for (i = 0; i < cf->can_dlc; i += 2) {
- data_reg = ioread16(&priv->regs->ifregs[0].data[i / 2]);
- cf->data[i] = data_reg;
- cf->data[i + 1] = data_reg >> 8;
+ if (id2 & PCH_ID2_DIR)
+ cf->can_id |= CAN_RTR_FLAG;
+ else {
+ for (i = 0; i < cf->can_dlc; i += 2) {
+ data_reg = ioread16(&priv->regs->ifregs[0].data[i / 2]);
+ cf->data[i] = data_reg;
+ cf->data[i + 1] = data_reg >> 8;
+ }
}
netif_receive_skb(skb);
--
1.7.2.3
^ permalink raw reply related
* [PATCH v2 8/9] can: janz-ican3: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
To: netdev; +Cc: socketcan-core, Marc Kleine-Budde
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Acked-by: Ira W. Snyder <iws@ovro.caltech.edu>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
drivers/net/can/janz-ican3.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/net/can/janz-ican3.c b/drivers/net/can/janz-ican3.c
index 810345f..77c8413 100644
--- a/drivers/net/can/janz-ican3.c
+++ b/drivers/net/can/janz-ican3.c
@@ -807,18 +807,15 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
struct can_frame *cf)
{
if ((desc->command & ICAN3_CAN_TYPE_MASK) == ICAN3_CAN_TYPE_SFF) {
- if (desc->data[1] & ICAN3_SFF_RTR)
- cf->can_id |= CAN_RTR_FLAG;
-
cf->can_id |= desc->data[0] << 3;
cf->can_id |= (desc->data[1] & 0xe0) >> 5;
+
cf->can_dlc = get_can_dlc(desc->data[1] & ICAN3_CAN_DLC_MASK);
- memcpy(cf->data, &desc->data[2], cf->can_dlc);
- } else {
- cf->can_dlc = get_can_dlc(desc->data[0] & ICAN3_CAN_DLC_MASK);
- if (desc->data[0] & ICAN3_EFF_RTR)
+ if (desc->data[1] & ICAN3_SFF_RTR)
cf->can_id |= CAN_RTR_FLAG;
-
+ else
+ memcpy(cf->data, &desc->data[2], cf->can_dlc);
+ } else {
if (desc->data[0] & ICAN3_EFF) {
cf->can_id |= CAN_EFF_FLAG;
cf->can_id |= desc->data[2] << 21; /* 28-21 */
@@ -830,7 +827,11 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
cf->can_id |= desc->data[3] >> 5; /* 2-0 */
}
- memcpy(cf->data, &desc->data[6], cf->can_dlc);
+ cf->can_dlc = get_can_dlc(desc->data[0] & ICAN3_CAN_DLC_MASK);
+ if (desc->data[0] & ICAN3_EFF_RTR)
+ cf->can_id |= CAN_RTR_FLAG;
+ else
+ memcpy(cf->data, &desc->data[6], cf->can_dlc);
}
}
--
1.7.2.3
^ permalink raw reply related
* [PATCH v2 7/9] can: janz-ican3: cleanup of ican3_to_can_frame and can_frame_to_ican3
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
To: netdev; +Cc: socketcan-core, Marc Kleine-Budde, Ira W. Snyder
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>
This patch cleans up the ICAN3 to Linux CAN frame and vice versa
conversion functions:
- RX: Use get_can_dlc() to limit the dlc value.
- TX: Drop invalid skbs wiht can_dropped_invalid_skb
- both: Don't copy the whole frame, only copy the amount of bytes specified
in cf->can_dlc.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ira W. Snyder <iws@ovro.caltech.edu>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
drivers/net/can/janz-ican3.c | 13 ++++++++-----
1 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/can/janz-ican3.c b/drivers/net/can/janz-ican3.c
index b9a6d7a..810345f 100644
--- a/drivers/net/can/janz-ican3.c
+++ b/drivers/net/can/janz-ican3.c
@@ -812,10 +812,10 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
cf->can_id |= desc->data[0] << 3;
cf->can_id |= (desc->data[1] & 0xe0) >> 5;
- cf->can_dlc = desc->data[1] & ICAN3_CAN_DLC_MASK;
- memcpy(cf->data, &desc->data[2], sizeof(cf->data));
+ cf->can_dlc = get_can_dlc(desc->data[1] & ICAN3_CAN_DLC_MASK);
+ memcpy(cf->data, &desc->data[2], cf->can_dlc);
} else {
- cf->can_dlc = desc->data[0] & ICAN3_CAN_DLC_MASK;
+ cf->can_dlc = get_can_dlc(desc->data[0] & ICAN3_CAN_DLC_MASK);
if (desc->data[0] & ICAN3_EFF_RTR)
cf->can_id |= CAN_RTR_FLAG;
@@ -830,7 +830,7 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
cf->can_id |= desc->data[3] >> 5; /* 2-0 */
}
- memcpy(cf->data, &desc->data[6], sizeof(cf->data));
+ memcpy(cf->data, &desc->data[6], cf->can_dlc);
}
}
@@ -862,7 +862,7 @@ static void can_frame_to_ican3(struct ican3_dev *mod,
}
/* copy the data bits into the descriptor */
- memcpy(&desc->data[6], cf->data, sizeof(cf->data));
+ memcpy(&desc->data[6], cf->data, cf->can_dlc);
}
/*
@@ -1421,6 +1421,9 @@ static int ican3_xmit(struct sk_buff *skb, struct net_device *ndev)
void __iomem *desc_addr;
unsigned long flags;
+ if (can_dropped_invalid_skb(dev, skb))
+ return NETDEV_TX_OK;
+
spin_lock_irqsave(&mod->lock, flags);
/* check that we can actually transmit */
--
1.7.2.3
^ permalink raw reply related
* [PATCH v2 6/9] can: ti_hecc: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
To: netdev; +Cc: socketcan-core, Marc Kleine-Budde
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>
While there, remove clearing of data if the dlc isn't longer as 4.
can frames have data initializes to zero.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc:Anant Gole <anantgole@ti.com>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
drivers/net/can/ti_hecc.c | 18 ++++++++++--------
1 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
index 4d07f1e..b33581b 100644
--- a/drivers/net/can/ti_hecc.c
+++ b/drivers/net/can/ti_hecc.c
@@ -560,18 +560,20 @@ static int ti_hecc_rx_pkt(struct ti_hecc_priv *priv, int mbxno)
cf->can_id = (data & CAN_EFF_MASK) | CAN_EFF_FLAG;
else
cf->can_id = (data >> 18) & CAN_SFF_MASK;
+
data = hecc_read_mbx(priv, mbxno, HECC_CANMCF);
+ cf->can_dlc = get_can_dlc(data & 0xF);
if (data & HECC_CANMCF_RTR)
cf->can_id |= CAN_RTR_FLAG;
- cf->can_dlc = get_can_dlc(data & 0xF);
- data = hecc_read_mbx(priv, mbxno, HECC_CANMDL);
- *(u32 *)(cf->data) = cpu_to_be32(data);
- if (cf->can_dlc > 4) {
- data = hecc_read_mbx(priv, mbxno, HECC_CANMDH);
- *(u32 *)(cf->data + 4) = cpu_to_be32(data);
- } else {
- *(u32 *)(cf->data + 4) = 0;
+ else {
+ data = hecc_read_mbx(priv, mbxno, HECC_CANMDL);
+ *(u32 *)(cf->data) = cpu_to_be32(data);
+ if (cf->can_dlc > 4) {
+ data = hecc_read_mbx(priv, mbxno, HECC_CANMDH);
+ *(u32 *)(cf->data + 4) = cpu_to_be32(data);
+ }
}
+
spin_lock_irqsave(&priv->mbx_lock, flags);
hecc_clear_bit(priv, HECC_CANME, mbx_mask);
hecc_write(priv, HECC_CANRMP, mbx_mask);
--
1.7.2.3
^ permalink raw reply related
* [PATCH v2 4/9] can: sja1000: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
To: netdev; +Cc: socketcan-core, Marc Kleine-Budde, Wolfgang Grandegger
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
drivers/net/can/sja1000/sja1000.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
index 0a8de01..bb4bfe3 100644
--- a/drivers/net/can/sja1000/sja1000.c
+++ b/drivers/net/can/sja1000/sja1000.c
@@ -346,13 +346,12 @@ static void sja1000_rx(struct net_device *dev)
| (priv->read_reg(priv, REG_ID2) >> 5);
}
- if (fi & FI_RTR) {
+ cf->can_dlc = get_can_dlc(fi & 0x0F);
+ if (fi & FI_RTR)
id |= CAN_RTR_FLAG;
- } else {
- cf->can_dlc = get_can_dlc(fi & 0x0F);
+ else
for (i = 0; i < cf->can_dlc; i++)
cf->data[i] = priv->read_reg(priv, dreg++);
- }
cf->can_id = id;
--
1.7.2.3
^ permalink raw reply related
* [PATCH v2 5/9] can: mcp251x: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
To: netdev-u79uwXL29TY76Z2rM5mHXA
Cc: socketcan-core-0fE9KPoRgkgATYTw5x5z8w, Marc Kleine-Budde,
Christian Pellegrin
In-Reply-To: <1293296117-27624-1-git-send-email-mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
Signed-off-by: Marc Kleine-Budde <mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
Cc: Christian Pellegrin <chripell-VaTbYqLCNhc@public.gmane.org>
Acked-by: Wolfgang Grandegger <wg-5Yr1BZd7O62+XT7JhA+gdA@public.gmane.org>
---
drivers/net/can/mcp251x.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/net/can/mcp251x.c b/drivers/net/can/mcp251x.c
index 7ab534a..9e08acc 100644
--- a/drivers/net/can/mcp251x.c
+++ b/drivers/net/can/mcp251x.c
@@ -481,7 +481,8 @@ static void mcp251x_hw_rx(struct spi_device *spi, int buf_idx)
}
/* Data length */
frame->can_dlc = get_can_dlc(buf[RXBDLC_OFF] & RXBDLC_LEN_MASK);
- memcpy(frame->data, buf + RXBDAT_OFF, frame->can_dlc);
+ if (!(frame->can_id & CAN_RTR_FLAG))
+ memcpy(frame->data, buf + RXBDAT_OFF, frame->can_dlc);
priv->net->stats.rx_packets++;
priv->net->stats.rx_bytes += frame->can_dlc;
--
1.7.2.3
^ permalink raw reply related
* [PATCH v2 3/9] can: flexcan: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
To: netdev-u79uwXL29TY76Z2rM5mHXA
Cc: socketcan-core-0fE9KPoRgkgATYTw5x5z8w, Marc Kleine-Budde
In-Reply-To: <1293296117-27624-1-git-send-email-mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
Signed-off-by: Marc Kleine-Budde <mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
Acked-by: Wolfgang Grandegger <wg-5Yr1BZd7O62+XT7JhA+gdA@public.gmane.org>
---
drivers/net/can/flexcan.c | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index d499056..b0e16f5 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -471,12 +471,14 @@ static void flexcan_read_fifo(const struct net_device *dev,
else
cf->can_id = (reg_id >> 18) & CAN_SFF_MASK;
- if (reg_ctrl & FLEXCAN_MB_CNT_RTR)
- cf->can_id |= CAN_RTR_FLAG;
cf->can_dlc = get_can_dlc((reg_ctrl >> 16) & 0xf);
- *(__be32 *)(cf->data + 0) = cpu_to_be32(readl(&mb->data[0]));
- *(__be32 *)(cf->data + 4) = cpu_to_be32(readl(&mb->data[1]));
+ if (reg_ctrl & FLEXCAN_MB_CNT_RTR)
+ cf->can_id |= CAN_RTR_FLAG;
+ else {
+ *(__be32 *)(cf->data + 0) = cpu_to_be32(readl(&mb->data[0]));
+ *(__be32 *)(cf->data + 4) = cpu_to_be32(readl(&mb->data[1]));
+ }
/* mark as read */
writel(FLEXCAN_IFLAG_RX_FIFO_AVAILABLE, ®s->iflag1);
--
1.7.2.3
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox