summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOllie Wild <aaw@rincewind.tv>2006-09-27 07:46:24 +0200
committerPaul Mundt <lethal@linux-sh.org>2006-09-27 07:46:24 +0200
commit24ab54cb49c099d691c68fdd1ac6a0c2f5177da4 (patch)
treea75607c77faadb28a994a056469165386406a8e4
parentsh: Fix fatal oops in copy_user_page() on sh4a (SH7780). (diff)
downloadlinux-24ab54cb49c099d691c68fdd1ac6a0c2f5177da4.tar.xz
linux-24ab54cb49c099d691c68fdd1ac6a0c2f5177da4.zip
sh: Fix TCP payload csum bug in csum_partial_copy_generic().
There's a bug in the Hitachi SuperH csum_partial_copy_generic() implementation. If the supplied length is 1 (and several alignment conditions are met), the function immediately branches to label 4. However, the assembly at label 4 expects the length to be stored in register r2. Since this has not occurred, subsequent behavior is undefined. This can cause bad payload checksums in TCP connections. I've fixed the problem by initializing register r2 prior to the branch instruction. Signed-off-by: Ollie Wild <aaw@rincewind.tv> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
-rw-r--r--arch/sh/lib/checksum.S3
1 files changed, 2 insertions, 1 deletions
diff --git a/arch/sh/lib/checksum.S b/arch/sh/lib/checksum.S
index 7c50dfe68c07..cbdd0d40e545 100644
--- a/arch/sh/lib/checksum.S
+++ b/arch/sh/lib/checksum.S
@@ -202,8 +202,9 @@ ENTRY(csum_partial_copy_generic)
cmp/pz r6 ! Jump if we had at least two bytes.
bt/s 1f
clrt
+ add #2,r6 ! r6 was < 2. Deal with it.
bra 4f
- add #2,r6 ! r6 was < 2. Deal with it.
+ mov r6,r2
3: ! Handle different src and dest alignments.
! This is not common, so simple byte by byte copy will do.