Message ID | 20201019025420.3789-1-baijiaju1990@gmail.com |
---|---|
State | New |
Headers | show |
Series | rtl8180: avoid accessing the data mapped to streaming DMA | expand |
On Mon, 19 Oct 2020 10:54:20 +0800 Jia-Ju Bai wrote: > + if (info->flags & IEEE80211_TX_CTL_ASSIGN_SEQ) { > + if (info->flags & IEEE80211_TX_CTL_FIRST_FRAGMENT) > + priv->seqno += 0x10; > + hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG); > + hdr->seq_ctrl |= cpu_to_le16(priv->seqno); > + } > + > mapping = dma_map_single(&priv->pdev->dev, skb->data, skb->len, > DMA_TO_DEVICE); > > @@ -534,13 +541,6 @@ static void rtl8180_tx(struct ieee80211_hw *dev, > > spin_lock_irqsave(&priv->lock, flags); > > - if (info->flags & IEEE80211_TX_CTL_ASSIGN_SEQ) { > - if (info->flags & IEEE80211_TX_CTL_FIRST_FRAGMENT) > - priv->seqno += 0x10; You're taking the priv->seqno access and modification from under priv->lock. Is that okay?
On 19.10.2020 04:54, Jia-Ju Bai wrote: > In rtl8180_tx(), skb->data is mapped to streaming DMA on line 476: > mapping = dma_map_single(..., skb->data, ...); > > On line 459, skb->data is assigned to hdr after cast: > struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; > > Then hdr->seq_ctrl is accessed on lines 540 and 541: > hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG); > hdr->seq_ctrl |= cpu_to_le16(priv->seqno); > > These DMA accesses may cause data inconsistency between CPU and hardwre. > > To fix this problem, hdr->seq_ctrl is accessed before the DMA mapping. > This looks like a bug fix to me, shouldn't this have a Fixes: tag and be CC'ed to stable@? Maciej
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c index 2477e18c7cae..cc73014aa5f3 100644 --- a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c +++ b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c @@ -473,6 +473,13 @@ static void rtl8180_tx(struct ieee80211_hw *dev, prio = skb_get_queue_mapping(skb); ring = &priv->tx_ring[prio]; + if (info->flags & IEEE80211_TX_CTL_ASSIGN_SEQ) { + if (info->flags & IEEE80211_TX_CTL_FIRST_FRAGMENT) + priv->seqno += 0x10; + hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG); + hdr->seq_ctrl |= cpu_to_le16(priv->seqno); + } + mapping = dma_map_single(&priv->pdev->dev, skb->data, skb->len, DMA_TO_DEVICE); @@ -534,13 +541,6 @@ static void rtl8180_tx(struct ieee80211_hw *dev, spin_lock_irqsave(&priv->lock, flags); - if (info->flags & IEEE80211_TX_CTL_ASSIGN_SEQ) { - if (info->flags & IEEE80211_TX_CTL_FIRST_FRAGMENT) - priv->seqno += 0x10; - hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG); - hdr->seq_ctrl |= cpu_to_le16(priv->seqno); - } - idx = (ring->idx + skb_queue_len(&ring->queue)) % ring->entries; entry = &ring->desc[idx];
In rtl8180_tx(), skb->data is mapped to streaming DMA on line 476: mapping = dma_map_single(..., skb->data, ...); On line 459, skb->data is assigned to hdr after cast: struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; Then hdr->seq_ctrl is accessed on lines 540 and 541: hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG); hdr->seq_ctrl |= cpu_to_le16(priv->seqno); These DMA accesses may cause data inconsistency between CPU and hardwre. To fix this problem, hdr->seq_ctrl is accessed before the DMA mapping. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> --- drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)