On Wed, Nov 07, 2018 at 05:50:57PM +0100, Paolo Pisati wrote:
[partial backport upstream 760db29bdc97b73ff60b091315ad787b1deb5cf5]
Upon invocation, lan78xx_init_mac_address() checks that the mac address present in the RX_ADDRL & RX_ADDRH registers is a valid address, if not, it first tries to read a new address from an external eeprom or the otp area, and in case both read fail (or the address read back is invalid), it randomly generates a new one.
Unfortunately, due to the way the above logic is laid out, if both read_eeprom() and read_otp() fail, a new mac address is correctly generated but is never written back to RX_ADDRL & RX_ADDRH, leaving the chip in an incosistent state and with an invalid mac address (e.g. the nic appears to be completely dead, and doesn't receive any packet, etc):
lan78xx_init_mac_address() ... if (lan78xx_read_eeprom(addr ...) || lan78xx_read_otp(addr ...)) { if (is_valid_ether_addr(addr) { // nop... } else { random_ether_addr(addr); }
// correctly writes back the new address lan78xx_write_reg(RX_ADDRL, addr ...); lan78xx_write_reg(RX_ADDRH, addr ...); } else { // XXX if both eeprom and otp read fail, we land here and skip // XXX the RX_ADDRL & RX_ADDRH update completely random_ether_addr(addr); }
This bug went unnoticed because lan78xx_read_otp() was buggy itself and would never fail, up until 4bfc338 "lan78xx: Correctly indicate invalid OTP" fixed it and as a side effect uncovered this bug.
4.18+ is fine, since the bug was implicitly fixed in 760db29 "lan78xx: Read MAC address from DT if present" when the address change logic was reorganized, but it's still present in all stable trees below that: linux-4.4.y, linux-4.9.y, linux-4.14.y, etc up to linux-4.18.y (not included).
Signed-off-by: Paolo Pisati p.pisati@gmail.com
So why not just take 760db29bdc completely? It looks safer than taking a partial backport, and will make applying future patches easier.
I tried to do it and it doesn't look like there are any dependencies that would cause an issue.
-- Thanks, Sasha