summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorJia-Ju Bai <baijiaju@tsinghua.edu.cn>2020-08-02 21:29:49 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-11-10 10:23:51 +0100
commitad3394d7f62b30afb824116a07dfe7b1b9900c85 (patch)
treeddfcd2e617ce3934cfe1639baf5a4cf6aa88aec5 /drivers
parent1b47891c58b8430fb87927c1d815ca8702e98478 (diff)
downloadlinux-stable-ad3394d7f62b30afb824116a07dfe7b1b9900c85.tar.gz
linux-stable-ad3394d7f62b30afb824116a07dfe7b1b9900c85.tar.bz2
linux-stable-ad3394d7f62b30afb824116a07dfe7b1b9900c85.zip
p54: avoid accessing the data mapped to streaming DMA
commit 478762855b5ae9f68fa6ead1edf7abada70fcd5f upstream. In p54p_tx(), skb->data is mapped to streaming DMA on line 337: mapping = pci_map_single(..., skb->data, ...); Then skb->data is accessed on line 349: desc->device_addr = ((struct p54_hdr *)skb->data)->req_id; This access may cause data inconsistency between CPU cache and hardware. To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in a local variable before DMA mapping, and then the driver accesses this local variable instead of skb->data. Cc: <stable@vger.kernel.org> Signed-off-by: Jia-Ju Bai <baijiaju@tsinghua.edu.cn> Acked-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200802132949.26788-1-baijiaju@tsinghua.edu.cn Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/intersil/p54/p54pci.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/wireless/intersil/p54/p54pci.c b/drivers/net/wireless/intersil/p54/p54pci.c
index 57ad56435dda..8bc0286b4f8c 100644
--- a/drivers/net/wireless/intersil/p54/p54pci.c
+++ b/drivers/net/wireless/intersil/p54/p54pci.c
@@ -332,10 +332,12 @@ static void p54p_tx(struct ieee80211_hw *dev, struct sk_buff *skb)
struct p54p_desc *desc;
dma_addr_t mapping;
u32 idx, i;
+ __le32 device_addr;
spin_lock_irqsave(&priv->lock, flags);
idx = le32_to_cpu(ring_control->host_idx[1]);
i = idx % ARRAY_SIZE(ring_control->tx_data);
+ device_addr = ((struct p54_hdr *)skb->data)->req_id;
mapping = pci_map_single(priv->pdev, skb->data, skb->len,
PCI_DMA_TODEVICE);
@@ -349,7 +351,7 @@ static void p54p_tx(struct ieee80211_hw *dev, struct sk_buff *skb)
desc = &ring_control->tx_data[i];
desc->host_addr = cpu_to_le32(mapping);
- desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
+ desc->device_addr = device_addr;
desc->len = cpu_to_le16(skb->len);
desc->flags = 0;