2020-08-02 09:16:54

by Jia-Ju Bai

Subject: [PATCH] atm: eni: avoid accessing the data mapped to streaming DMA

In do_tx(), skb->data is mapped to streaming DMA on line 1111:
paddr = dma_map_single(...,skb->data,DMA_TO_DEVICE);

Then skb->data is accessed on line 1153:
(skb->data[3] & 0xf)

This access may cause data inconsistency between CPU cache and hardware.

To fix this problem, skb->data[3] is assigned to a local variable before
DMA mapping, and then the driver accesses this local variable instead of
skb->data[3].

Signed-off-by: Jia-Ju Bai <[email protected]>
---
drivers/atm/eni.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
index 17d47ad03ab7..09f4e2f41363 100644
--- a/drivers/atm/eni.c
+++ b/drivers/atm/eni.c
@@ -1034,6 +1034,7 @@ static enum enq_res do_tx(struct sk_buff *skb)
u32 dma_rd,dma_wr;
u32 size; /* in words */
int aal5,dma_size,i,j;
+ unsigned char skb_data3;

DPRINTK(">do_tx\n");
NULLCHECK(skb);
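
Review bot: The new local `skb_data3` in the declaration block is named after where the byte comes from rather than what it carries, and nothing at the declaration says why a copy is needed. A one-line comment stating that it is saved before dma_map_single() so the buffer is not touched while mapped would keep a later cleanup from folding it back into skb->data[3].
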
@@ -1108,6 +1109,7 @@ DPRINTK("iovcnt = %d\n",skb_shinfo(skb)->nr_frags);
vcc->dev->number);
return enq_jam;
}
+ skb_data3 = skb->data[3];
paddr = dma_map_single(&eni_dev->pci_dev->dev,skb->data,skb->len,
DMA_TO_DEVICE);
ENI_PRV_PADDR(skb) = paddr;
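
Review bot: The read `skb_data3 = skb->data[3];` is now unconditional, whereas the expression it replaces only touched skb->data[3] when aal5 was false. Nothing in the visible context shows that skb->len is at least 4 on the AAL5 path, so either guard the assignment, for example `skb_data3 = aal5 ? 0 : skb->data[3];` if aal5 is already set at this point, or confirm that the length is checked earlier in do_tx().
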
@@ -1150,7 +1152,7 @@ DPRINTK("doing direct send\n"); /* @@@ well, this doesn't work anyway */
(size/(ATM_CELL_PAYLOAD/4)),tx->send+tx->tx_pos*4);
/*printk("dsc = 0x%08lx\n",(unsigned long) readl(tx->send+tx->tx_pos*4));*/
writel((vcc->vci << MID_SEG_VCI_SHIFT) |
- (aal5 ? 0 : (skb->data[3] & 0xf)) |
+ (aal5 ? 0 : (skb_data3 & 0xf)) |
(ATM_SKB(skb)->atm_options & ATM_ATMOPT_CLP ? MID_SEG_CLP : 0),
tx->send+((tx->tx_pos+1) & (tx->words-1))*4);
DPRINTK("size: %d, len:%d\n",size,skb->len);
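
Review bot: In the writel() argument the mask `0xf` stays a bare literal, now applied to a byte that was read about forty lines earlier, so the meaning of those four bits is not visible at either site. Consider masking at the point of the read, or giving the mask a named constant alongside MID_SEG_VCI_SHIFT and MID_SEG_CLP, so the descriptor word is built from named fields only.
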
--
2.17.1


2020-08-03 22:53:00

by David Miller

Subject: Re: [PATCH] atm: eni: avoid accessing the data mapped to streaming DMA

From: Jia-Ju Bai <[email protected]>
Date: Sun, 2 Aug 2020 17:16:11 +0800

> In do_tx(), skb->data is mapped to streaming DMA on line 1111:
> paddr = dma_map_single(...,skb->data,DMA_TO_DEVICE);
>
> Then skb->data is accessed on line 1153:
> (skb->data[3] & 0xf)
>
> This access may cause data inconsistency between CPU cache and hardware.
>
> To fix this problem, skb->data[3] is assigned to a local variable before
> DMA mapping, and then the driver accesses this local variable instead of
> skb->data[3].
>
> Signed-off-by: Jia-Ju Bai <[email protected]>

Applied.