From 658cc524305c9759019c4430ded231f631472482 Mon Sep 17 00:00:00 2001
From: Abraham Arce <abraham.arce.moreno@gmail.com>
Date: Tue, 16 Mar 2010 12:24:54 +0000
Subject: KS8851: Avoid NULL pointer in set rx mode

Kernel NULL pointer dereference when setting mode for IFF_MULTICAST.
Tested on SDP OMAP4430 board.

ks8851 spi1.0: message enable is 0
ks8851 spi1.0: revision 0, MAC f2:f4:2f:56:37:de, IRQ 194
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT SMP
last sysfs file:
Modules linked in:
CPU: 0    Not tainted  (2.6.34-rc1-01039-g38d7ed1-dirty #3)
PC is at ks8851_set_rx_mode+0x88/0x124
LR is at bitrev32+0x24/0x2c

<snip>

Backtrace:
[<c01bfbd8>] ? (ks8851_set_rx_mode+0x0/0x124)
[<c01d4164>] (__dev_set_rx_mode+0x0/0x90)
[<c01dc460>] (dev_mc_add+0x0/0x78)
[<c021f0bc>] (igmp_group_added+0x0/0x64)
[<c021f174>] (ip_mc_inc_group+0x0/0x150)
[<c021f3b8>] (ip_mc_up+0x0/0x64)
[<c0219eb0>] (inetdev_event+0x0/0x3d4)
[<c0066818>] (notifier_call_chain+0x0/0x78)
[<c00668b8>] (__raw_notifier_call_chain+0x0/0x24)
[<c00668dc>] (raw_notifier_call_chain+0x0/0x28)
[<c01d7484>] (call_netdevice_notifiers+0x0/0x24)
[<c01d7780>] (__dev_notify_flags+0x0/0x68)
[<c01d77e8>] (dev_change_flags+0x0/0x4c)
[<c001f0bc>] (ip_auto_config+0x0/0xf1c)
[<c0028490>] (do_one_initcall+0x0/0x1bc)
 [<c00084dc>] (kernel_init+0x0/0x234)
Code: e15130bc e1833012 e14130bc e5943000 (e5934000)
---[ end trace ed0fb00a94142792 ]---
Kernel panic - not syncing: Fatal exception in interrupt

Signed-off-by: Abraham Arce <x0066660@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/ks8851.c | 1 -
 1 file changed, 1 deletion(-)

(limited to 'drivers/net/ks8851.c')

diff --git a/drivers/net/ks8851.c b/drivers/net/ks8851.c
index 0573e0bb4444..13cc1ca261d9 100644
--- a/drivers/net/ks8851.c
+++ b/drivers/net/ks8851.c
@@ -976,7 +976,6 @@ static void ks8851_set_rx_mode(struct net_device *dev)
 			crc >>= (32 - 6);  /* get top six bits */
 
 			rxctrl.mchash[crc >> 4] |= (1 << (crc & 0xf));
-			mcptr = mcptr->next;
 		}
 
 		rxctrl.rxcr1 = RXCR1_RXME | RXCR1_RXPAFMA;
-- 
cgit v1.2.3