Re: [PATCH] rtl8192ce: avoid accessing the data mapped to streaming DMA

[Pkshih <pkshih@realtek.com>]

On Mon, 2020-10-19 at 11:09 +0800, Jia-Ju Bai wrote:
> In rtl92ce_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
> line 530:
>   dma_addr_t mapping = dma_map_single(..., skb->data, ...);
> 
> On line 533, skb->data is assigned to hdr after cast:
>   struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
> 
> Then hdr->frame_control is accessed on line 534:
>   __le16 fc = hdr->frame_control;
> 
> This DMA access may cause data inconsistency between CPU and hardwre.
> 
> To fix this bug, hdr->frame_control is accessed before the DMA mapping.
> 
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
>  drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
> b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
> index c0635309a92d..4165175cf5c0 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
> @@ -527,12 +527,12 @@ void rtl92ce_tx_fill_cmddesc(struct ieee80211_hw *hw,
>  	u8 fw_queue = QSLT_BEACON;
>  	__le32 *pdesc = (__le32 *)pdesc8;
>  
> -	dma_addr_t mapping = dma_map_single(&rtlpci->pdev->dev, skb->data,
> -					    skb->len, DMA_TO_DEVICE);
> -
>  	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
>  	__le16 fc = hdr->frame_control;
>  
> +	dma_addr_t mapping = dma_map_single(&rtlpci->pdev->dev, skb->data,
> +					    skb->len, DMA_TO_DEVICE);
> +
>  	if (dma_mapping_error(&rtlpci->pdev->dev, mapping)) {
>  		rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
>  			"DMA mapping error\n");

The changes of the series patches are good to me. 
But, please use 'rtlwifi: ' as subject prefix, like "rtlwifi: rtl8192ce: ...",
and send them as a patchset I think this would be better to maintainer.

Thank you

---
PK