From df0120f12f93f2e11eb67d00ed8270de92d0134d Mon Sep 17 00:00:00 2001 From: Heiner Kallweit Date: Wed, 20 Nov 2019 21:08:47 +0100 Subject: [PATCH] r8169: add check for PHY_MDIO_CHG to rtl_nic_fw_data_ok Only values 0 and 1 are currently defined as parameters for PHY_MDIO_CHG. Instead of silently ignoring unknown values and misinterpreting the firmware code let's explicitly check. Signed-off-by: Heiner Kallweit Signed-off-by: David S. Miller --- drivers/net/ethernet/realtek/r8169_firmware.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/net/ethernet/realtek/r8169_firmware.c b/drivers/net/ethernet/realtek/r8169_firmware.c index 927bb46b32d7..355cc810e322 100644 --- a/drivers/net/ethernet/realtek/r8169_firmware.c +++ b/drivers/net/ethernet/realtek/r8169_firmware.c @@ -92,19 +92,24 @@ static bool rtl_fw_data_ok(struct rtl_fw *rtl_fw) for (index = 0; index < pa->size; index++) { u32 action = le32_to_cpu(pa->code[index]); + u32 val = action & 0x0000ffff; u32 regno = (action & 0x0fff0000) >> 16; switch (action >> 28) { case PHY_READ: case PHY_DATA_OR: case PHY_DATA_AND: - case PHY_MDIO_CHG: case PHY_CLEAR_READCOUNT: case PHY_WRITE: case PHY_WRITE_PREVIOUS: case PHY_DELAY_MS: break; + case PHY_MDIO_CHG: + if (val > 1) + goto out; + break; + case PHY_BJMPN: if (regno > index) goto out; @@ -164,12 +169,12 @@ void rtl_fw_write_firmware(struct rtl8169_private *tp, struct rtl_fw *rtl_fw) index -= (regno + 1); break; case PHY_MDIO_CHG: - if (data == 0) { - fw_write = rtl_fw->phy_write; - fw_read = rtl_fw->phy_read; - } else if (data == 1) { + if (data) { fw_write = rtl_fw->mac_mcu_write; fw_read = rtl_fw->mac_mcu_read; + } else { + fw_write = rtl_fw->phy_write; + fw_read = rtl_fw->phy_read; } break; -- GitLab