p54: avoid accessing the data mapped to streaming DMA

Message ID	20200802132949.26788-1-baijiaju@tsinghua.edu.cn
State	New
Headers	show Return-Path: <SRS0=w5+A=BM=vger.kernel.org=netdev-owner@kernel.org> From: Jia-Ju Bai <baijiaju@tsinghua.edu.cn> To: chunkeey@googlemail.com, kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai <baijiaju@tsinghua.edu.cn> Subject: [PATCH] p54: avoid accessing the data mapped to streaming DMA Date: Sun, 2 Aug 2020 21:29:49 +0800 Message-Id: <20200802132949.26788-1-baijiaju@tsinghua.edu.cn> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	p54: avoid accessing the data mapped to streaming DMA \| expand p54: avoid accessing the data mapped to streaming DMA

Message ID

20200802132949.26788-1-baijiaju@tsinghua.edu.cn

State

New

Headers

From: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
To: chunkeey@googlemail.com, kvalo@codeaurora.org, davem@davemloft.net,
	kuba@kernel.org
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
Subject: [PATCH] p54: avoid accessing the data mapped to streaming DMA
Date: Sun,  2 Aug 2020 21:29:49 +0800
Message-Id: <20200802132949.26788-1-baijiaju@tsinghua.edu.cn>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

p54: avoid accessing the data mapped to streaming DMA | expand

Commit Message

Jia-Ju Bai Aug. 2, 2020, 1:29 p.m. UTC

In p54p_tx(), skb->data is mapped to streaming DMA on line 337:
  mapping = pci_map_single(..., skb->data, ...);

Then skb->data is accessed on line 349:
  desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;

This access may cause data inconsistency between CPU cache and hardware.

To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in
a local variable before DMA mapping, and then the driver accesses this
local variable instead of skb->data.

Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
---
 drivers/net/wireless/intersil/p54/p54pci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Kalle Valo Sept. 1, 2020, 9:34 a.m. UTC | #1

Jia-Ju Bai <baijiaju@tsinghua.edu.cn> wrote:

> In p54p_tx(), skb->data is mapped to streaming DMA on line 337:
>   mapping = pci_map_single(..., skb->data, ...);
> 
> Then skb->data is accessed on line 349:
>   desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
> 
> This access may cause data inconsistency between CPU cache and hardware.
> 
> To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in
> a local variable before DMA mapping, and then the driver accesses this
> local variable instead of skb->data.
> 
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
> Acked-by: Christian Lamparter <chunkeey@gmail.com>

Patch applied to wireless-drivers-next.git, thanks.

478762855b5a p54: avoid accessing the data mapped to streaming DMA

diff --git a/drivers/net/wireless/intersil/p54/p54pci.c b/drivers/net/wireless/intersil/p54/p54pci.c
index 80ad0b7eaef4..f8c6027cab6b 100644
--- a/drivers/net/wireless/intersil/p54/p54pci.c
+++ b/drivers/net/wireless/intersil/p54/p54pci.c
@@ -329,10 +329,12 @@  static void p54p_tx(struct ieee80211_hw *dev, struct sk_buff *skb)
 	struct p54p_desc *desc;
 	dma_addr_t mapping;
 	u32 idx, i;
+	__le32 device_addr;
 
 	spin_lock_irqsave(&priv->lock, flags);
 	idx = le32_to_cpu(ring_control->host_idx[1]);
 	i = idx % ARRAY_SIZE(ring_control->tx_data);
+	device_addr = ((struct p54_hdr *)skb->data)->req_id;
 
 	mapping = pci_map_single(priv->pdev, skb->data, skb->len,
 				 PCI_DMA_TODEVICE);
@@ -346,7 +348,7 @@  static void p54p_tx(struct ieee80211_hw *dev, struct sk_buff *skb)
 
 	desc = &ring_control->tx_data[i];
 	desc->host_addr = cpu_to_le32(mapping);
-	desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
+	desc->device_addr = device_addr;
 	desc->len = cpu_to_le16(skb->len);
 	desc->flags = 0;