Netdev List
 help / color / mirror / Atom feed
* [patch] USB: cdc_ether: remove unneeded check
From: Dan Carpenter @ 2010-12-25 22:23 UTC (permalink / raw)
  To: Oliver Neukum; +Cc: Greg Kroah-Hartman, linux-usb, netdev, kernel-janitors

We already verified that "dev->udev->actconfig->extralen" was non-zero
so "len" is non-zero here as well.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Compile tested.

diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index b3fe0de..9a60e41 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -99,9 +99,7 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
 		 */
 		buf = dev->udev->actconfig->extra;
 		len = dev->udev->actconfig->extralen;
-		if (len)
-			dev_dbg(&intf->dev,
-				"CDC descriptors on config\n");
+		dev_dbg(&intf->dev, "CDC descriptors on config\n");
 	}
 
 	/* Maybe CDC descriptors are after the endpoint?  This bug has

^ permalink raw reply related

* Re: [PATCH] CAN: Use inode instead of kernel address for /proc file
From: Oliver Hartkopp @ 2010-12-25 22:22 UTC (permalink / raw)
  To: Dan Rosenberg; +Cc: Urs Thuermann, David S. Miller, netdev, security
In-Reply-To: <1293315371.9764.44.camel@Dan>

On 25.12.2010 23:16, Dan Rosenberg wrote:
> Since the socket address is just being used as a unique identifier, its
> inode number is an alternative that does not leak potentially sensitive
> information.
> 
> CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable <stable@kernel.org>

Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>

Thanks Dan.

> ---
>  net/can/bcm.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 6faa825..5748901 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -1520,8 +1520,8 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
>  	bo->bound = 1;
>  
>  	if (proc_dir) {
> -		/* unique socket address as filename */
> -		sprintf(bo->procname, "%p", sock);
> +		/* socket inode as filename */
> +		sprintf(bo->procname, "%lx", sock_i_ino(sk));
>  		bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
>  						     proc_dir,
>  						     &bcm_proc_fops, sk);
> 


^ permalink raw reply

* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: Wolfram Sang @ 2010-12-25 22:17 UTC (permalink / raw)
  To: richard -rw- weinberger
  Cc: Jesper Juhl, netdev, vortex, becker, Steffen Klassert,
	linux-kernel
In-Reply-To: <AANLkTi=Y4wDG6+AY1=8NuFLGuCidgqaU1LginfB1YpZH@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1075 bytes --]

On Sat, Dec 25, 2010 at 09:50:56PM +0100, richard -rw- weinberger wrote:
> On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > Hi,
> >
> > In drivers/net/3c59x.c::vortex_probe1() we have this code:
> >
> >        if (gendev) {
> >                if ((pdev = DEVICE_PCI(gendev))) {
> >                        print_name = pci_name(pdev);
> >                }
> >
> >                if ((edev = DEVICE_EISA(gendev))) {
> >                        print_name = dev_name(&edev->dev);
> >                }
> >        }
> >
> > I believe these assignments were intended to be comparisons.
> > If I'm correct, then here's a patch to fix that up.
> 
> I don't think so. Look at the extra brackets.
> 
> The code can also written as:
> 
> pdev = DEVICE_PCI(gendev);
> if(pdev)
>   print_name = pci_name(pdev);

... which looks much better and could be worth a patch as well.

-- 
Pengutronix e.K.                           | Wolfram Sang                |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

^ permalink raw reply

* [PATCH] CAN: Use inode instead of kernel address for /proc file
From: Dan Rosenberg @ 2010-12-25 22:16 UTC (permalink / raw)
  To: Oliver Hartkopp, Urs Thuermann, David S. Miller; +Cc: netdev, security

Since the socket address is just being used as a unique identifier, its
inode number is an alternative that does not leak potentially sensitive
information.

CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
---
 net/can/bcm.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/can/bcm.c b/net/can/bcm.c
index 6faa825..5748901 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1520,8 +1520,8 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
 	bo->bound = 1;
 
 	if (proc_dir) {
-		/* unique socket address as filename */
-		sprintf(bo->procname, "%p", sock);
+		/* socket inode as filename */
+		sprintf(bo->procname, "%lx", sock_i_ino(sk));
 		bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
 						     proc_dir,
 						     &bcm_proc_fops, sk);



^ permalink raw reply related

* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: richard -rw- weinberger @ 2010-12-25 21:40 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <alpine.LNX.2.00.1012252223380.10759@swampdragon.chaosbits.net>

On Sat, Dec 25, 2010 at 10:24 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
>
>> On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
>> > Hello,
>> >
>> > In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
>> > freed by kfree() and subsequently used in a call to dout() - use after
>> > free bug.
>>
>> Not really. %p reads only the address of "client".
>> kfree() does not alter this address.
>>
>
> Ok, I see your point and you are correct. But still, the patch does not
> change behaviour and it makes it absolutely clear that there's no
> use-after-free bug, so it might still have merit... or?

Your patch does not fix a bug.
I would say it's a style fix.

> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
>



-- 
Thanks,
//richard

^ permalink raw reply

* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: Jesper Juhl @ 2010-12-25 21:35 UTC (permalink / raw)
  To: richard -rw- weinberger
  Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <AANLkTincx8rSM+72czJ+tTrG=D=aOJLBb9nd9Jt_RsD2@mail.gmail.com>

On Sat, 25 Dec 2010, richard -rw- weinberger wrote:

> On Sat, Dec 25, 2010 at 10:24 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
> >
> >> On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> >> > Hello,
> >> >
> >> > In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
> >> > freed by kfree() and subsequently used in a call to dout() - use after
> >> > free bug.
> >>
> >> Not really. %p reads only the address of "client".
> >> kfree() does not alter this address.
> >>
> >
> > Ok, I see your point and you are correct. But still, the patch does not
> > change behaviour and it makes it absolutely clear that there's no
> > use-after-free bug, so it might still have merit... or?
> 
> Your patch does not fix a bug.
> I would say it's a style fix.
> 
At this point in time I'd agree. :-)

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply

* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: Jesper Juhl @ 2010-12-25 21:24 UTC (permalink / raw)
  To: richard -rw- weinberger
  Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <AANLkTik+yrpY8T69w_RQ84ZbRqwkjvFhvxHLBvU14N3f@mail.gmail.com>

On Sat, 25 Dec 2010, richard -rw- weinberger wrote:

> On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > Hello,
> >
> > In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
> > freed by kfree() and subsequently used in a call to dout() - use after
> > free bug.
> 
> Not really. %p reads only the address of "client".
> kfree() does not alter this address.
> 

Ok, I see your point and you are correct. But still, the patch does not 
change behaviour and it makes it absolutely clear that there's no 
use-after-free bug, so it might still have merit... or?

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply

* Re: [PATCH] Ceph: Fix use-after-free bug in ceph_messenger_destroy()
From: richard -rw- weinberger @ 2010-12-25 21:14 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: ceph-devel, netdev, linux-kernel, David S. Miller, Sage Weil
In-Reply-To: <alpine.LNX.2.00.1012251908410.10759@swampdragon.chaosbits.net>

On Sat, Dec 25, 2010 at 7:11 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> Hi,
>
> In net/ceph/messenger.c::ceph_messenger_destroy() the pointer 'msgr' is
> freed by kfree() and subsequently used in a call to dout() - use after
> free bug.

As I sad before, %p reads only the address.

> Easily fixed by simply moving the kfree() call after the dout() call.
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  messenger.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
> index b6ff4a1..26514a7 100644
> --- a/net/ceph/messenger.c
> +++ b/net/ceph/messenger.c
> @@ -2131,8 +2131,8 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr)
>        dout("destroy %p\n", msgr);
>        kunmap(msgr->zero_page);
>        __free_page(msgr->zero_page);
> -       kfree(msgr);
>        dout("destroyed messenger %p\n", msgr);
> +       kfree(msgr);
>  }
>  EXPORT_SYMBOL(ceph_messenger_destroy);
>
>
> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



-- 
Thanks,
//richard

^ permalink raw reply

* Re: [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: richard -rw- weinberger @ 2010-12-25 21:12 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: ceph-devel, linux-kernel, netdev, Sage Weil, David S. Miller
In-Reply-To: <alpine.LNX.2.00.1012251914370.10759@swampdragon.chaosbits.net>

On Sat, Dec 25, 2010 at 7:17 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> Hello,
>
> In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is
> freed by kfree() and subsequently used in a call to dout() - use after
> free bug.

Not really. %p reads only the address of "client".
kfree() does not alter this address.

> Easily fixed by simply moving the kfree() call after the dout() call.
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  ceph_common.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
> index f3e4a13..890bbbf 100644
> --- a/net/ceph/ceph_common.c
> +++ b/net/ceph/ceph_common.c
> @@ -408,8 +408,8 @@ void ceph_destroy_client(struct ceph_client *client)
>
>        ceph_destroy_options(client->options);
>
> -       kfree(client);
>        dout("destroy_client %p done\n", client);
> +       kfree(client);
>  }
>  EXPORT_SYMBOL(ceph_destroy_client);
>
>
> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>


-- 
Thanks,
//richard

^ permalink raw reply

* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: richard -rw- weinberger @ 2010-12-25 21:00 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: netdev, Steffen Klassert, linux-kernel
In-Reply-To: <alpine.LNX.2.00.1012252144030.10759@swampdragon.chaosbits.net>

On Sat, Dec 25, 2010 at 9:45 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> On Sat, 25 Dec 2010, richard -rw- weinberger wrote:
>
>> On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
>> > Hi,
>> >
>> > In drivers/net/3c59x.c::vortex_probe1() we have this code:
>> >
>> >        if (gendev) {
>> >                if ((pdev = DEVICE_PCI(gendev))) {
>> >                        print_name = pci_name(pdev);
>> >                }
>> >
>> >                if ((edev = DEVICE_EISA(gendev))) {
>> >                        print_name = dev_name(&edev->dev);
>> >                }
>> >        }
>> >
>> > I believe these assignments were intended to be comparisons.
>> > If I'm correct, then here's a patch to fix that up.
>>
>> I don't think so. Look at the extra brackets.
>>
>> The code can also written as:
>>
>> pdev = DEVICE_PCI(gendev);
>> if(pdev)
>>   print_name = pci_name(pdev);
>>
>
> Arrgh, I completely missed that - damn.
> You are correct I think and my patch is wrong.
> Thanks for taking a look.

BTW: gcc is smart enough to catch such typos.

if(x = 3){
 ...
}

...would trigger a warning like this one:
"warning: suggest parentheses around assignment used as truth value"

>
> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>

-- 
Thanks,
//richard

^ permalink raw reply

* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: richard -rw- weinberger @ 2010-12-25 20:50 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: netdev, vortex, becker, Steffen Klassert, linux-kernel
In-Reply-To: <alpine.LNX.2.00.1012252125410.10759@swampdragon.chaosbits.net>

On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> Hi,
>
> In drivers/net/3c59x.c::vortex_probe1() we have this code:
>
>        if (gendev) {
>                if ((pdev = DEVICE_PCI(gendev))) {
>                        print_name = pci_name(pdev);
>                }
>
>                if ((edev = DEVICE_EISA(gendev))) {
>                        print_name = dev_name(&edev->dev);
>                }
>        }
>
> I believe these assignments were intended to be comparisons.
> If I'm correct, then here's a patch to fix that up.

I don't think so. Look at the extra brackets.

The code can also written as:

pdev = DEVICE_PCI(gendev);
if(pdev)
  print_name = pci_name(pdev);


>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  3c59x.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
> index 0a92436f..db8a80e 100644
> --- a/drivers/net/3c59x.c
> +++ b/drivers/net/3c59x.c
> @@ -1110,11 +1110,11 @@ static int __devinit vortex_probe1(struct device *gendev,
>        }
>
>        if (gendev) {
> -               if ((pdev = DEVICE_PCI(gendev))) {
> +               if ((pdev == DEVICE_PCI(gendev))) {
>                        print_name = pci_name(pdev);
>                }
>
> -               if ((edev = DEVICE_EISA(gendev))) {
> +               if ((edev == DEVICE_EISA(gendev))) {
>                        print_name = dev_name(&edev->dev);
>                }
>        }
>
>
> --
> Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
> Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
> Plain text mails only, please.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

-- 
Thanks,
//richard

^ permalink raw reply

* Re: [PATCH] 3c59x: Don't assign when a comparison is intended
From: Jesper Juhl @ 2010-12-25 20:45 UTC (permalink / raw)
  To: richard -rw- weinberger; +Cc: netdev, Steffen Klassert, linux-kernel
In-Reply-To: <AANLkTi=Y4wDG6+AY1=8NuFLGuCidgqaU1LginfB1YpZH@mail.gmail.com>

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1093 bytes --]

On Sat, 25 Dec 2010, richard -rw- weinberger wrote:

> On Sat, Dec 25, 2010 at 9:30 PM, Jesper Juhl <jj@chaosbits.net> wrote:
> > Hi,
> >
> > In drivers/net/3c59x.c::vortex_probe1() we have this code:
> >
> >        if (gendev) {
> >                if ((pdev = DEVICE_PCI(gendev))) {
> >                        print_name = pci_name(pdev);
> >                }
> >
> >                if ((edev = DEVICE_EISA(gendev))) {
> >                        print_name = dev_name(&edev->dev);
> >                }
> >        }
> >
> > I believe these assignments were intended to be comparisons.
> > If I'm correct, then here's a patch to fix that up.
> 
> I don't think so. Look at the extra brackets.
> 
> The code can also written as:
> 
> pdev = DEVICE_PCI(gendev);
> if(pdev)
>   print_name = pci_name(pdev);
> 

Arrgh, I completely missed that - damn.
You are correct I think and my patch is wrong.
Thanks for taking a look.


-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

^ permalink raw reply

* [PATCH] 3c59x: Don't assign when a comparison is intended
From: Jesper Juhl @ 2010-12-25 20:30 UTC (permalink / raw)
  To: netdev; +Cc: vortex, becker, Steffen Klassert, linux-kernel

Hi,

In drivers/net/3c59x.c::vortex_probe1() we have this code:

        if (gendev) {
                if ((pdev = DEVICE_PCI(gendev))) {
                        print_name = pci_name(pdev);
                }

                if ((edev = DEVICE_EISA(gendev))) {
                        print_name = dev_name(&edev->dev);
                }
        }

I believe these assignments were intended to be comparisons.
If I'm correct, then here's a patch to fix that up.


Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 3c59x.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
index 0a92436f..db8a80e 100644
--- a/drivers/net/3c59x.c
+++ b/drivers/net/3c59x.c
@@ -1110,11 +1110,11 @@ static int __devinit vortex_probe1(struct device *gendev,
 	}
 
 	if (gendev) {
-		if ((pdev = DEVICE_PCI(gendev))) {
+		if ((pdev == DEVICE_PCI(gendev))) {
 			print_name = pci_name(pdev);
 		}
 
-		if ((edev = DEVICE_EISA(gendev))) {
+		if ((edev == DEVICE_EISA(gendev))) {
 			print_name = dev_name(&edev->dev);
 		}
 	}


-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply related

* Re: [PATCH V7 1/8] ntp: add ADJ_SETOFFSET mode bit
From: Kuwahara,T. @ 2010-12-25 20:38 UTC (permalink / raw)
  To: Richard Cochran
  Cc: john stultz, linux-kernel, linux-api, netdev, Alan Cox,
	Arnd Bergmann, Christoph Lameter, David Miller, Krzysztof Halasa,
	Peter Zijlstra, Rodolfo Giometti, Thomas Gleixner
In-Reply-To: <20101223061359.GA7169@riccoc20.at.omicron.at>

After all, I'd prefer your earlier patchset.  Leaving aside the
compatibility issue, there's no particular reason we have to re-use
the struct timex, which requires otherwise unnecessary conditional
branches as well as unit conversions.  Don't you agree?

^ permalink raw reply

* [PATCH] Ceph: Fix a use-after-free bug in ceph_destroy_client().
From: Jesper Juhl @ 2010-12-25 18:17 UTC (permalink / raw)
  To: ceph-devel; +Cc: linux-kernel, netdev, Sage Weil, David S. Miller

Hello,

In net/ceph/ceph_common.c::ceph_destroy_client() the pointer 'client' is 
freed by kfree() and subsequently used in a call to dout() - use after 
free bug.
Easily fixed by simply moving the kfree() call after the dout() call.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 ceph_common.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index f3e4a13..890bbbf 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -408,8 +408,8 @@ void ceph_destroy_client(struct ceph_client *client)
 
 	ceph_destroy_options(client->options);
 
-	kfree(client);
 	dout("destroy_client %p done\n", client);
+	kfree(client);
 }
 EXPORT_SYMBOL(ceph_destroy_client);
 

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

^ permalink raw reply related

* [PATCH] Ceph: Fix use-after-free bug in ceph_messenger_destroy()
From: Jesper Juhl @ 2010-12-25 18:11 UTC (permalink / raw)
  To: ceph-devel; +Cc: netdev, linux-kernel, David S. Miller, Sage Weil

Hi,

In net/ceph/messenger.c::ceph_messenger_destroy() the pointer 'msgr' is 
freed by kfree() and subsequently used in a call to dout() - use after 
free bug.
Easily fixed by simply moving the kfree() call after the dout() call.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 messenger.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index b6ff4a1..26514a7 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2131,8 +2131,8 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr)
 	dout("destroy %p\n", msgr);
 	kunmap(msgr->zero_page);
 	__free_page(msgr->zero_page);
-	kfree(msgr);
 	dout("destroyed messenger %p\n", msgr);
+	kfree(msgr);
 }
 EXPORT_SYMBOL(ceph_messenger_destroy);
 

-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply related

* [PATCH net-2.6 v2] epic100: hamachi: yellowfin: Fix skb allocation size
From: Jarek Poplawski @ 2010-12-25 17:39 UTC (permalink / raw)
  To: David Miller
  Cc: Joel Soete, Eric Dumazet, Andrew Morton, Linux Kernel, netdev
In-Reply-To: <20101225151217.GA1994@del.dom.local>

Joel Soete reported oopses during pppoe over sundance NIC, caused by
a bug in skb allocation and dma mapping code, where skb_reserve()
bytes weren't taken into account. As a followup to the patch:
"sundance: Fix oopses with corrupted skb_shared_info" very similar
code is fixed here for three other drivers.

Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Cc: Joel Soete <soete.joel@scarlet.be>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
---
v2: a tiny changelog fix only

 drivers/net/epic100.c   |    4 ++--
 drivers/net/hamachi.c   |    4 ++--
 drivers/net/yellowfin.c |    4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/epic100.c b/drivers/net/epic100.c
index aa56963..c353bf3 100644
--- a/drivers/net/epic100.c
+++ b/drivers/net/epic100.c
@@ -935,7 +935,7 @@ static void epic_init_ring(struct net_device *dev)
 
 	/* Fill in the Rx buffers.  Handle allocation failure gracefully. */
 	for (i = 0; i < RX_RING_SIZE; i++) {
-		struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz);
+		struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz + 2);
 		ep->rx_skbuff[i] = skb;
 		if (skb == NULL)
 			break;
@@ -1233,7 +1233,7 @@ static int epic_rx(struct net_device *dev, int budget)
 		entry = ep->dirty_rx % RX_RING_SIZE;
 		if (ep->rx_skbuff[entry] == NULL) {
 			struct sk_buff *skb;
-			skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz);
+			skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz + 2);
 			if (skb == NULL)
 				break;
 			skb_reserve(skb, 2);	/* Align IP on 16 byte boundaries */
diff --git a/drivers/net/hamachi.c b/drivers/net/hamachi.c
index 9a64858..80d25ed 100644
--- a/drivers/net/hamachi.c
+++ b/drivers/net/hamachi.c
@@ -1202,7 +1202,7 @@ static void hamachi_init_ring(struct net_device *dev)
 	}
 	/* Fill in the Rx buffers.  Handle allocation failure gracefully. */
 	for (i = 0; i < RX_RING_SIZE; i++) {
-		struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+		struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
 		hmp->rx_skbuff[i] = skb;
 		if (skb == NULL)
 			break;
@@ -1669,7 +1669,7 @@ static int hamachi_rx(struct net_device *dev)
 		entry = hmp->dirty_rx % RX_RING_SIZE;
 		desc = &(hmp->rx_ring[entry]);
 		if (hmp->rx_skbuff[entry] == NULL) {
-			struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+			struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
 
 			hmp->rx_skbuff[entry] = skb;
 			if (skb == NULL)
diff --git a/drivers/net/yellowfin.c b/drivers/net/yellowfin.c
index cd1b3dc..ec47e22 100644
--- a/drivers/net/yellowfin.c
+++ b/drivers/net/yellowfin.c
@@ -744,7 +744,7 @@ static int yellowfin_init_ring(struct net_device *dev)
 	}
 
 	for (i = 0; i < RX_RING_SIZE; i++) {
-		struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+		struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
 		yp->rx_skbuff[i] = skb;
 		if (skb == NULL)
 			break;
@@ -1157,7 +1157,7 @@ static int yellowfin_rx(struct net_device *dev)
 	for (; yp->cur_rx - yp->dirty_rx > 0; yp->dirty_rx++) {
 		entry = yp->dirty_rx % RX_RING_SIZE;
 		if (yp->rx_skbuff[entry] == NULL) {
-			struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+			struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
 			if (skb == NULL)
 				break;				/* Better luck next round. */
 			yp->rx_skbuff[entry] = skb;

^ permalink raw reply related

* [PATCH net-2.6] epic100: hamachi: yellowfin: Fix skb allocation size
From: Jarek Poplawski @ 2010-12-25 17:31 UTC (permalink / raw)
  To: David Miller
  Cc: Joel Soete, Eric Dumazet, Andrew Morton, Linux Kernel, netdev
In-Reply-To: <20101225151217.GA1994@del.dom.local>

Joel Soete reported oopses during pppoe over sundance NIC, caused by
a bug in skb allocation and dma mapping code, where skb_reserve()
bytes weren't taken into account. As a followup to the patch:
"sundance: Fix oopses with corrupted" very similar code is fixed here
for three other drivers.

Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Cc: Joel Soete <soete.joel@scarlet.be>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
---

 drivers/net/epic100.c   |    4 ++--
 drivers/net/hamachi.c   |    4 ++--
 drivers/net/yellowfin.c |    4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/epic100.c b/drivers/net/epic100.c
index aa56963..c353bf3 100644
--- a/drivers/net/epic100.c
+++ b/drivers/net/epic100.c
@@ -935,7 +935,7 @@ static void epic_init_ring(struct net_device *dev)
 
 	/* Fill in the Rx buffers.  Handle allocation failure gracefully. */
 	for (i = 0; i < RX_RING_SIZE; i++) {
-		struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz);
+		struct sk_buff *skb = dev_alloc_skb(ep->rx_buf_sz + 2);
 		ep->rx_skbuff[i] = skb;
 		if (skb == NULL)
 			break;
@@ -1233,7 +1233,7 @@ static int epic_rx(struct net_device *dev, int budget)
 		entry = ep->dirty_rx % RX_RING_SIZE;
 		if (ep->rx_skbuff[entry] == NULL) {
 			struct sk_buff *skb;
-			skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz);
+			skb = ep->rx_skbuff[entry] = dev_alloc_skb(ep->rx_buf_sz + 2);
 			if (skb == NULL)
 				break;
 			skb_reserve(skb, 2);	/* Align IP on 16 byte boundaries */
diff --git a/drivers/net/hamachi.c b/drivers/net/hamachi.c
index 9a64858..80d25ed 100644
--- a/drivers/net/hamachi.c
+++ b/drivers/net/hamachi.c
@@ -1202,7 +1202,7 @@ static void hamachi_init_ring(struct net_device *dev)
 	}
 	/* Fill in the Rx buffers.  Handle allocation failure gracefully. */
 	for (i = 0; i < RX_RING_SIZE; i++) {
-		struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+		struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
 		hmp->rx_skbuff[i] = skb;
 		if (skb == NULL)
 			break;
@@ -1669,7 +1669,7 @@ static int hamachi_rx(struct net_device *dev)
 		entry = hmp->dirty_rx % RX_RING_SIZE;
 		desc = &(hmp->rx_ring[entry]);
 		if (hmp->rx_skbuff[entry] == NULL) {
-			struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz);
+			struct sk_buff *skb = dev_alloc_skb(hmp->rx_buf_sz + 2);
 
 			hmp->rx_skbuff[entry] = skb;
 			if (skb == NULL)
diff --git a/drivers/net/yellowfin.c b/drivers/net/yellowfin.c
index cd1b3dc..ec47e22 100644
--- a/drivers/net/yellowfin.c
+++ b/drivers/net/yellowfin.c
@@ -744,7 +744,7 @@ static int yellowfin_init_ring(struct net_device *dev)
 	}
 
 	for (i = 0; i < RX_RING_SIZE; i++) {
-		struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+		struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
 		yp->rx_skbuff[i] = skb;
 		if (skb == NULL)
 			break;
@@ -1157,7 +1157,7 @@ static int yellowfin_rx(struct net_device *dev)
 	for (; yp->cur_rx - yp->dirty_rx > 0; yp->dirty_rx++) {
 		entry = yp->dirty_rx % RX_RING_SIZE;
 		if (yp->rx_skbuff[entry] == NULL) {
-			struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz);
+			struct sk_buff *skb = dev_alloc_skb(yp->rx_buf_sz + 2);
 			if (skb == NULL)
 				break;				/* Better luck next round. */
 			yp->rx_skbuff[entry] = skb;

^ permalink raw reply related

* [PATCH v2 9/9] can: pch_can: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
  To: netdev; +Cc: socketcan-core, Marc Kleine-Budde, Tomoya
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Tomoya <tomoya-linux@dsn.okisemi.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---

Changes since v1:
- fix data copy: copy if rtr is _not_ set (thanks Oliver)

 drivers/net/can/pch_can.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c
index c42e972..cd6b27d 100644
--- a/drivers/net/can/pch_can.c
+++ b/drivers/net/can/pch_can.c
@@ -692,16 +692,17 @@ static int pch_can_rx_normal(struct net_device *ndev, u32 obj_num, int quota)
 			cf->can_id = id;
 		}
 
-		if (id2 & PCH_ID2_DIR)
-			cf->can_id |= CAN_RTR_FLAG;
-
 		cf->can_dlc = get_can_dlc((ioread32(&priv->regs->
 						    ifregs[0].mcont)) & 0xF);
 
-		for (i = 0; i < cf->can_dlc; i += 2) {
-			data_reg = ioread16(&priv->regs->ifregs[0].data[i / 2]);
-			cf->data[i] = data_reg;
-			cf->data[i + 1] = data_reg >> 8;
+		if (id2 & PCH_ID2_DIR)
+			cf->can_id |= CAN_RTR_FLAG;
+		else {
+			for (i = 0; i < cf->can_dlc; i += 2) {
+				data_reg = ioread16(&priv->regs->ifregs[0].data[i / 2]);
+				cf->data[i] = data_reg;
+				cf->data[i + 1] = data_reg >> 8;
+			}
 		}
 
 		netif_receive_skb(skb);
-- 
1.7.2.3


^ permalink raw reply related

* [PATCH v2 8/9] can: janz-ican3: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
  To: netdev; +Cc: socketcan-core, Marc Kleine-Budde
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Acked-by: Ira W. Snyder <iws@ovro.caltech.edu>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
 drivers/net/can/janz-ican3.c |   19 ++++++++++---------
 1 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/drivers/net/can/janz-ican3.c b/drivers/net/can/janz-ican3.c
index 810345f..77c8413 100644
--- a/drivers/net/can/janz-ican3.c
+++ b/drivers/net/can/janz-ican3.c
@@ -807,18 +807,15 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
 			       struct can_frame *cf)
 {
 	if ((desc->command & ICAN3_CAN_TYPE_MASK) == ICAN3_CAN_TYPE_SFF) {
-		if (desc->data[1] & ICAN3_SFF_RTR)
-			cf->can_id |= CAN_RTR_FLAG;
-
 		cf->can_id |= desc->data[0] << 3;
 		cf->can_id |= (desc->data[1] & 0xe0) >> 5;
+
 		cf->can_dlc = get_can_dlc(desc->data[1] & ICAN3_CAN_DLC_MASK);
-		memcpy(cf->data, &desc->data[2], cf->can_dlc);
-	} else {
-		cf->can_dlc = get_can_dlc(desc->data[0] & ICAN3_CAN_DLC_MASK);
-		if (desc->data[0] & ICAN3_EFF_RTR)
+		if (desc->data[1] & ICAN3_SFF_RTR)
 			cf->can_id |= CAN_RTR_FLAG;
-
+		else
+			memcpy(cf->data, &desc->data[2], cf->can_dlc);
+	} else {
 		if (desc->data[0] & ICAN3_EFF) {
 			cf->can_id |= CAN_EFF_FLAG;
 			cf->can_id |= desc->data[2] << 21; /* 28-21 */
@@ -830,7 +827,11 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
 			cf->can_id |= desc->data[3] >> 5;  /* 2-0   */
 		}
 
-		memcpy(cf->data, &desc->data[6], cf->can_dlc);
+		cf->can_dlc = get_can_dlc(desc->data[0] & ICAN3_CAN_DLC_MASK);
+		if (desc->data[0] & ICAN3_EFF_RTR)
+			cf->can_id |= CAN_RTR_FLAG;
+		else
+			memcpy(cf->data, &desc->data[6], cf->can_dlc);
 	}
 }
 
-- 
1.7.2.3


^ permalink raw reply related

* [PATCH v2 7/9] can: janz-ican3: cleanup of ican3_to_can_frame and can_frame_to_ican3
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
  To: netdev; +Cc: socketcan-core, Marc Kleine-Budde, Ira W. Snyder
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>

This patch cleans up the ICAN3 to Linux CAN frame and vice versa
conversion functions:

- RX: Use get_can_dlc() to limit the dlc value.
- TX: Drop invalid skbs wiht can_dropped_invalid_skb
- both: Don't copy the whole frame, only copy the amount of bytes specified
  in cf->can_dlc.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ira W. Snyder <iws@ovro.caltech.edu>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
 drivers/net/can/janz-ican3.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/net/can/janz-ican3.c b/drivers/net/can/janz-ican3.c
index b9a6d7a..810345f 100644
--- a/drivers/net/can/janz-ican3.c
+++ b/drivers/net/can/janz-ican3.c
@@ -812,10 +812,10 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
 
 		cf->can_id |= desc->data[0] << 3;
 		cf->can_id |= (desc->data[1] & 0xe0) >> 5;
-		cf->can_dlc = desc->data[1] & ICAN3_CAN_DLC_MASK;
-		memcpy(cf->data, &desc->data[2], sizeof(cf->data));
+		cf->can_dlc = get_can_dlc(desc->data[1] & ICAN3_CAN_DLC_MASK);
+		memcpy(cf->data, &desc->data[2], cf->can_dlc);
 	} else {
-		cf->can_dlc = desc->data[0] & ICAN3_CAN_DLC_MASK;
+		cf->can_dlc = get_can_dlc(desc->data[0] & ICAN3_CAN_DLC_MASK);
 		if (desc->data[0] & ICAN3_EFF_RTR)
 			cf->can_id |= CAN_RTR_FLAG;
 
@@ -830,7 +830,7 @@ static void ican3_to_can_frame(struct ican3_dev *mod,
 			cf->can_id |= desc->data[3] >> 5;  /* 2-0   */
 		}
 
-		memcpy(cf->data, &desc->data[6], sizeof(cf->data));
+		memcpy(cf->data, &desc->data[6], cf->can_dlc);
 	}
 }
 
@@ -862,7 +862,7 @@ static void can_frame_to_ican3(struct ican3_dev *mod,
 	}
 
 	/* copy the data bits into the descriptor */
-	memcpy(&desc->data[6], cf->data, sizeof(cf->data));
+	memcpy(&desc->data[6], cf->data, cf->can_dlc);
 }
 
 /*
@@ -1421,6 +1421,9 @@ static int ican3_xmit(struct sk_buff *skb, struct net_device *ndev)
 	void __iomem *desc_addr;
 	unsigned long flags;
 
+	if (can_dropped_invalid_skb(dev, skb))
+		return NETDEV_TX_OK;
+
 	spin_lock_irqsave(&mod->lock, flags);
 
 	/* check that we can actually transmit */
-- 
1.7.2.3


^ permalink raw reply related

* [PATCH v2 6/9] can: ti_hecc: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
  To: netdev; +Cc: socketcan-core, Marc Kleine-Budde
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>

While there, remove clearing of data if the dlc isn't longer as 4.
can frames have data initializes to zero.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc:Anant Gole <anantgole@ti.com>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
 drivers/net/can/ti_hecc.c |   18 ++++++++++--------
 1 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
index 4d07f1e..b33581b 100644
--- a/drivers/net/can/ti_hecc.c
+++ b/drivers/net/can/ti_hecc.c
@@ -560,18 +560,20 @@ static int ti_hecc_rx_pkt(struct ti_hecc_priv *priv, int mbxno)
 		cf->can_id = (data & CAN_EFF_MASK) | CAN_EFF_FLAG;
 	else
 		cf->can_id = (data >> 18) & CAN_SFF_MASK;
+
 	data = hecc_read_mbx(priv, mbxno, HECC_CANMCF);
+	cf->can_dlc = get_can_dlc(data & 0xF);
 	if (data & HECC_CANMCF_RTR)
 		cf->can_id |= CAN_RTR_FLAG;
-	cf->can_dlc = get_can_dlc(data & 0xF);
-	data = hecc_read_mbx(priv, mbxno, HECC_CANMDL);
-	*(u32 *)(cf->data) = cpu_to_be32(data);
-	if (cf->can_dlc > 4) {
-		data = hecc_read_mbx(priv, mbxno, HECC_CANMDH);
-		*(u32 *)(cf->data + 4) = cpu_to_be32(data);
-	} else {
-		*(u32 *)(cf->data + 4) = 0;
+	else {
+		data = hecc_read_mbx(priv, mbxno, HECC_CANMDL);
+		*(u32 *)(cf->data) = cpu_to_be32(data);
+		if (cf->can_dlc > 4) {
+			data = hecc_read_mbx(priv, mbxno, HECC_CANMDH);
+			*(u32 *)(cf->data + 4) = cpu_to_be32(data);
+		}
 	}
+
 	spin_lock_irqsave(&priv->mbx_lock, flags);
 	hecc_clear_bit(priv, HECC_CANME, mbx_mask);
 	hecc_write(priv, HECC_CANRMP, mbx_mask);
-- 
1.7.2.3


^ permalink raw reply related

* [PATCH v2 4/9] can: sja1000: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
  To: netdev; +Cc: socketcan-core, Marc Kleine-Budde, Wolfgang Grandegger
In-Reply-To: <1293296117-27624-1-git-send-email-mkl@pengutronix.de>

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
---
 drivers/net/can/sja1000/sja1000.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
index 0a8de01..bb4bfe3 100644
--- a/drivers/net/can/sja1000/sja1000.c
+++ b/drivers/net/can/sja1000/sja1000.c
@@ -346,13 +346,12 @@ static void sja1000_rx(struct net_device *dev)
 		    | (priv->read_reg(priv, REG_ID2) >> 5);
 	}
 
-	if (fi & FI_RTR) {
+	cf->can_dlc = get_can_dlc(fi & 0x0F);
+	if (fi & FI_RTR)
 		id |= CAN_RTR_FLAG;
-	} else {
-		cf->can_dlc = get_can_dlc(fi & 0x0F);
+	else
 		for (i = 0; i < cf->can_dlc; i++)
 			cf->data[i] = priv->read_reg(priv, dreg++);
-	}
 
 	cf->can_id = id;
 
-- 
1.7.2.3


^ permalink raw reply related

* [PATCH v2 5/9] can: mcp251x: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: socketcan-core-0fE9KPoRgkgATYTw5x5z8w, Marc Kleine-Budde,
	Christian Pellegrin
In-Reply-To: <1293296117-27624-1-git-send-email-mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>

Signed-off-by: Marc Kleine-Budde <mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
Cc: Christian Pellegrin <chripell-VaTbYqLCNhc@public.gmane.org>
Acked-by: Wolfgang Grandegger <wg-5Yr1BZd7O62+XT7JhA+gdA@public.gmane.org>
---
 drivers/net/can/mcp251x.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/net/can/mcp251x.c b/drivers/net/can/mcp251x.c
index 7ab534a..9e08acc 100644
--- a/drivers/net/can/mcp251x.c
+++ b/drivers/net/can/mcp251x.c
@@ -481,7 +481,8 @@ static void mcp251x_hw_rx(struct spi_device *spi, int buf_idx)
 	}
 	/* Data length */
 	frame->can_dlc = get_can_dlc(buf[RXBDLC_OFF] & RXBDLC_LEN_MASK);
-	memcpy(frame->data, buf + RXBDAT_OFF, frame->can_dlc);
+	if (!(frame->can_id & CAN_RTR_FLAG))
+		memcpy(frame->data, buf + RXBDAT_OFF, frame->can_dlc);
 
 	priv->net->stats.rx_packets++;
 	priv->net->stats.rx_bytes += frame->can_dlc;
-- 
1.7.2.3

^ permalink raw reply related

* [PATCH v2 3/9] can: flexcan: don't copy data to rx'ed RTR frames
From: Marc Kleine-Budde @ 2010-12-25 16:55 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: socketcan-core-0fE9KPoRgkgATYTw5x5z8w, Marc Kleine-Budde
In-Reply-To: <1293296117-27624-1-git-send-email-mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>

Signed-off-by: Marc Kleine-Budde <mkl-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
Acked-by: Wolfgang Grandegger <wg-5Yr1BZd7O62+XT7JhA+gdA@public.gmane.org>
---
 drivers/net/can/flexcan.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index d499056..b0e16f5 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -471,12 +471,14 @@ static void flexcan_read_fifo(const struct net_device *dev,
 	else
 		cf->can_id = (reg_id >> 18) & CAN_SFF_MASK;
 
-	if (reg_ctrl & FLEXCAN_MB_CNT_RTR)
-		cf->can_id |= CAN_RTR_FLAG;
 	cf->can_dlc = get_can_dlc((reg_ctrl >> 16) & 0xf);
 
-	*(__be32 *)(cf->data + 0) = cpu_to_be32(readl(&mb->data[0]));
-	*(__be32 *)(cf->data + 4) = cpu_to_be32(readl(&mb->data[1]));
+	if (reg_ctrl & FLEXCAN_MB_CNT_RTR)
+		cf->can_id |= CAN_RTR_FLAG;
+	else {
+		*(__be32 *)(cf->data + 0) = cpu_to_be32(readl(&mb->data[0]));
+		*(__be32 *)(cf->data + 4) = cpu_to_be32(readl(&mb->data[1]));
+	}
 
 	/* mark as read */
 	writel(FLEXCAN_IFLAG_RX_FIFO_AVAILABLE, &regs->iflag1);
-- 
1.7.2.3

^ permalink raw reply related


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox