| Message ID | 20201019030931.4796-1-baijiaju1990@gmail.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | rtl8192ce: avoid accessing the data mapped to streaming DMA | expand |
On Mon, 2020-10-19 at 11:09 +0800, Jia-Ju Bai wrote: > In rtl92ce_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on > line 530: > dma_addr_t mapping = dma_map_single(..., skb->data, ...); > > On line 533, skb->data is assigned to hdr after cast: > struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data); > > Then hdr->frame_control is accessed on line 534: > __le16 fc = hdr->frame_control; > > This DMA access may cause data inconsistency between CPU and hardwre. > > To fix this bug, hdr->frame_control is accessed before the DMA mapping. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> > --- > drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c > b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c > index c0635309a92d..4165175cf5c0 100644 > --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c > +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c > @@ -527,12 +527,12 @@ void rtl92ce_tx_fill_cmddesc(struct ieee80211_hw *hw, > u8 fw_queue = QSLT_BEACON; > __le32 *pdesc = (__le32 *)pdesc8; > > - dma_addr_t mapping = dma_map_single(&rtlpci->pdev->dev, skb->data, > - skb->len, DMA_TO_DEVICE); > - > struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data); > __le16 fc = hdr->frame_control; > > + dma_addr_t mapping = dma_map_single(&rtlpci->pdev->dev, skb->data, > + skb->len, DMA_TO_DEVICE); > + > if (dma_mapping_error(&rtlpci->pdev->dev, mapping)) { > rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE, > "DMA mapping error\n"); The changes of the series patches are good to me. But, please use 'rtlwifi: ' as subject prefix, like "rtlwifi: rtl8192ce: ...", and send them as a patchset I think this would be better to maintainer. Thank you --- PK
Jia-Ju Bai <baijiaju1990@gmail.com> wrote: > In rtl92ce_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on > line 530: > dma_addr_t mapping = dma_map_single(..., skb->data, ...); > > On line 533, skb->data is assigned to hdr after cast: > struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data); > > Then hdr->frame_control is accessed on line 534: > __le16 fc = hdr->frame_control; > > This DMA access may cause data inconsistency between CPU and hardwre. > > To fix this bug, hdr->frame_control is accessed before the DMA mapping. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Like Ping said, use "rtlwifi:" prefix and have all rtlwifi patches in the same patchset. 4 patches set to Changes Requested. 11843533 rtl8192ce: avoid accessing the data mapped to streaming DMA 11843541 rtl8192de: avoid accessing the data mapped to streaming DMA 11843553 rtl8723ae: avoid accessing the data mapped to streaming DMA 11843557 rtl8188ee: avoid accessing the data mapped to streaming DMA -- https://patchwork.kernel.org/project/linux-wireless/patch/20201019030931.4796-1-baijiaju1990@gmail.com/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c index c0635309a92d..4165175cf5c0 100644 --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c @@ -527,12 +527,12 @@ void rtl92ce_tx_fill_cmddesc(struct ieee80211_hw *hw, u8 fw_queue = QSLT_BEACON; __le32 *pdesc = (__le32 *)pdesc8; - dma_addr_t mapping = dma_map_single(&rtlpci->pdev->dev, skb->data, - skb->len, DMA_TO_DEVICE); - struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data); __le16 fc = hdr->frame_control; + dma_addr_t mapping = dma_map_single(&rtlpci->pdev->dev, skb->data, + skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&rtlpci->pdev->dev, mapping)) { rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE, "DMA mapping error\n");
In rtl92ce_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on line 530: dma_addr_t mapping = dma_map_single(..., skb->data, ...); On line 533, skb->data is assigned to hdr after cast: struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data); Then hdr->frame_control is accessed on line 534: __le16 fc = hdr->frame_control; This DMA access may cause data inconsistency between CPU and hardwre. To fix this bug, hdr->frame_control is accessed before the DMA mapping. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> --- drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)