ar71xx: fix NULL pointer dereference in the ethernet driver
[openwrt.git] / target / linux / brcm-2.4 / patches / 110-b44_alignment.patch
1 --- a/drivers/net/b44.c
2 +++ b/drivers/net/b44.c
3 @@ -101,7 +101,8 @@ static int instance = 0;
4 (BP)->tx_cons - (BP)->tx_prod - TX_RING_GAP(BP))
5 #define NEXT_TX(N) (((N) + 1) & (B44_TX_RING_SIZE - 1))
6
7 -#define RX_PKT_BUF_SZ (1536 + bp->rx_offset + 64)
8 +#define RX_HEADER_OFS (RX_HEADER_LEN + 2)
9 +#define RX_PKT_BUF_SZ (1536 + RX_HEADER_OFS)
10
11 /* minimum number of free TX descriptors required to wake up TX process */
12 #define B44_TX_WAKEUP_THRESH (B44_TX_RING_SIZE / 4)
13 @@ -734,10 +735,8 @@ static int b44_alloc_rx_skb(struct b44 *
14 mapping = pci_map_single(bp->pdev, skb->data,
15 RX_PKT_BUF_SZ,
16 PCI_DMA_FROMDEVICE);
17 - skb_reserve(skb, bp->rx_offset);
18
19 - rh = (struct rx_header *)
20 - (skb->data - bp->rx_offset);
21 + rh = (struct rx_header *) skb->data;
22 rh->len = 0;
23 rh->flags = 0;
24
25 @@ -747,13 +746,13 @@ static int b44_alloc_rx_skb(struct b44 *
26 if (src_map != NULL)
27 src_map->skb = NULL;
28
29 - ctrl = (DESC_CTRL_LEN & (RX_PKT_BUF_SZ - bp->rx_offset));
30 + ctrl = (DESC_CTRL_LEN & RX_PKT_BUF_SZ);
31 if (dest_idx == (B44_RX_RING_SIZE - 1))
32 ctrl |= DESC_CTRL_EOT;
33
34 dp = &bp->rx_ring[dest_idx];
35 dp->ctrl = cpu_to_le32(ctrl);
36 - dp->addr = cpu_to_le32((u32) mapping + bp->rx_offset + bp->dma_offset);
37 + dp->addr = cpu_to_le32((u32) mapping + bp->dma_offset);
38
39 return RX_PKT_BUF_SZ;
40 }
41 @@ -812,7 +811,7 @@ static int b44_rx(struct b44 *bp, int bu
42 PCI_DMA_FROMDEVICE);
43 rh = (struct rx_header *) skb->data;
44 len = cpu_to_le16(rh->len);
45 - if ((len > (RX_PKT_BUF_SZ - bp->rx_offset)) ||
46 + if ((len > (RX_PKT_BUF_SZ - RX_HEADER_OFS)) ||
47 (rh->flags & cpu_to_le16(RX_FLAG_ERRORS))) {
48 drop_it:
49 b44_recycle_rx(bp, cons, bp->rx_prod);
50 @@ -844,8 +843,8 @@ static int b44_rx(struct b44 *bp, int bu
51 pci_unmap_single(bp->pdev, map,
52 skb_size, PCI_DMA_FROMDEVICE);
53 /* Leave out rx_header */
54 - skb_put(skb, len+bp->rx_offset);
55 - skb_pull(skb,bp->rx_offset);
56 + skb_put(skb, len+RX_HEADER_OFS);
57 + skb_pull(skb,RX_HEADER_OFS);
58 } else {
59 struct sk_buff *copy_skb;
60
61 @@ -858,7 +857,7 @@ static int b44_rx(struct b44 *bp, int bu
62 skb_reserve(copy_skb, 2);
63 skb_put(copy_skb, len);
64 /* DMA sync done above, copy just the actual packet */
65 - memcpy(copy_skb->data, skb->data+bp->rx_offset, len);
66 + memcpy(copy_skb->data, skb->data+RX_HEADER_OFS, len);
67
68 skb = copy_skb;
69 }
70 @@ -1344,7 +1343,7 @@ static void b44_init_hw(struct b44 *bp)
71 bw32(B44_DMATX_CTRL, DMATX_CTRL_ENABLE);
72 bw32(B44_DMATX_ADDR, bp->tx_ring_dma + bp->dma_offset);
73 bw32(B44_DMARX_CTRL, (DMARX_CTRL_ENABLE |
74 - (bp->rx_offset << DMARX_CTRL_ROSHIFT)));
75 + (RX_HEADER_OFS << DMARX_CTRL_ROSHIFT)));
76 bw32(B44_DMARX_ADDR, bp->rx_ring_dma + bp->dma_offset);
77
78 bw32(B44_DMARX_PTR, bp->rx_pending);
79 @@ -1873,13 +1872,7 @@ static int __devinit b44_get_invariants(
80 bp->mdc_port = (eeprom[90] >> 14) & 0x1;
81 }
82
83 - /* With this, plus the rx_header prepended to the data by the
84 - * hardware, we'll land the ethernet header on a 2-byte boundary.
85 - */
86 - bp->rx_offset = 30;
87 -
88 bp->imask = IMASK_DEF;
89 -
90 bp->core_unit = ssb_core_unit(bp);
91
92 /* XXX - really required?
93 --- a/drivers/net/b44.h
94 +++ b/drivers/net/b44.h
95 @@ -518,8 +518,6 @@ struct b44 {
96 #define B44_FLAG_ADV_100FULL 0x08000000
97 #define B44_FLAG_INTERNAL_PHY 0x10000000
98
99 - u32 rx_offset;
100 -
101 u32 msg_enable;
102
103 struct timer_list timer;
This page took 0.067828 seconds and 5 git commands to generate.