PT-2026-52939 · Undefined · Undefined

Published 2026-06-26 · Updated 2026-06-26 · CVE-2026-53300

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net: enetc: fix NTMP DMA use-after-free issue
The AI-generated review reported a potential DMA use-after-free issue [1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending command is not explicitly aborted, while ntmp_free_data_mem() unconditionally frees the DMA buffer. If the buffer has already been reallocated elsewhere, this may lead to silent memory corruption, because the hardware eventually processes the pending command and performs a DMA write of the response to the physical address of the freed buffer.
To resolve this issue, this patch makes the following modifications:
  1. Convert cbdr->ring_lock from a spinlock to a mutex
The lock was originally a spinlock in case NTMP operations might be invoked from atomic context. After downstream support for all NTMP tables, no such usage has materialized. A mutex is now required because the driver needs to reclaim used BDs and release the associated DMA memory within the lock's context, while dma_free_coherent() might sleep.
  2. Introduce a software command BD (struct netc_swcbd)
The hardware write-back overwrites the addr and len fields of the BD, so the driver cannot rely on the hardware BD to free the associated DMA memory. The driver now maintains a software shadow BD storing the DMA buffer pointer, DMA address, and size, and netc_xmit_ntmp_cmd() only reclaims older BDs when the number of used BDs reaches NETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory release. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no longer needed and are removed.
  3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()
netc_xmit_ntmp_cmd() releases ring_lock before the caller finishes consuming the response. At this point, if a concurrent thread submits a new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer while it is still in use. Move ring_lock ownership to the caller to ensure the response buffer cannot be reclaimed prematurely. For this, the helpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.
These changes eliminate the DMA use-after-free condition and ensure safe and consistent BD reclamation and DMA buffer lifecycle management.
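The following userspace model is an added illustration of the buffer-lifecycle rule the fix establishes; it is not the enetc driver's code and reuses none of its identifiers. The ring, the hw_bd/sw_bd structures, submit_cmd(), clean_ring() and hw_complete() are constructed here, CLEAN_WORK stands in for NETC_CBDR_CLEAN_WORK with a smaller value, and a heap buffer with an identity "bus address" stands in for a DMA-coherent allocation. It shows the two points the commit text makes: a timed-out command keeps its buffer until the device has written back, and the shadow BD, not the hardware BD (whose addr/len the write-back clobbers), is what the reclaim path frees from.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define RING_SIZE  8
#define CLEAN_WORK 4   /* constructed stand-in for NETC_CBDR_CLEAN_WORK (16) */

/* Hardware-visible command BD (constructed layout). On completion the device
 * writes the response over addr/len, so they no longer describe the request. */
struct hw_bd {
    uint64_t addr;
    uint32_t len;
    uint32_t done;   /* set by the simulated device write-back */
};

/* Software shadow BD: the only trustworthy record of what backs a slot. */
struct sw_bd {
    void    *buf;
    uint64_t dma_addr;
    size_t   size;
};

struct cmd_ring {
    struct hw_bd hw[RING_SIZE];
    struct sw_bd sw[RING_SIZE];
    unsigned next;       /* next slot to submit into */
    unsigned clean_pos;  /* oldest submitted slot not yet reclaimed */
    unsigned used;       /* submitted but not yet reclaimed */
};

void ring_init(struct cmd_ring *r) { memset(r, 0, sizeof(*r)); }

/* Stand-in for a DMA-coherent allocation: heap buffer, identity bus address. */
static void *dma_alloc(size_t size, uint64_t *dma_addr)
{
    void *buf = calloc(1, size);
    *dma_addr = (uint64_t)(uintptr_t)buf;
    return buf;
}

/* Reclaim completed slots oldest-first using the shadow BD. Stops at the first
 * slot the device has not written back, so a timed-out command keeps its
 * buffer. Returns the number of buffers freed. Caller holds the ring lock. */
int clean_ring(struct cmd_ring *r)
{
    int freed = 0;
    while (r->used > 0 && r->hw[r->clean_pos].done) {
        struct sw_bd *s = &r->sw[r->clean_pos];
        free(s->buf);                     /* dma_free_coherent() in a driver */
        memset(s, 0, sizeof(*s));
        r->clean_pos = (r->clean_pos + 1) % RING_SIZE;
        r->used--;
        freed++;
    }
    return freed;
}

/* Submit a command with a fresh response buffer. Returns the slot, or -1 if
 * the ring is full. The caller holds the ring lock from here until it has
 * finished reading the response, so no concurrent submit can reclaim it. */
int submit_cmd(struct cmd_ring *r, size_t size)
{
    if (r->used >= CLEAN_WORK)
        clean_ring(r);                    /* threshold-driven reclaim */
    if (r->used == RING_SIZE)
        return -1;
    unsigned slot = r->next;
    struct sw_bd *s = &r->sw[slot];
    s->size = size;
    s->buf = dma_alloc(size, &s->dma_addr);
    if (!s->buf)
        return -1;
    r->hw[slot].addr = s->dma_addr;
    r->hw[slot].len  = (uint32_t)size;
    r->hw[slot].done = 0;
    r->next = (slot + 1) % RING_SIZE;
    r->used++;
    return (int)slot;
}

/* Simulated device write-back: the response clobbers addr/len. */
void hw_complete(struct cmd_ring *r, int slot, uint64_t resp_addr, uint32_t resp_len)
{
    r->hw[slot].addr = resp_addr;
    r->hw[slot].len  = resp_len;
    r->hw[slot].done = 1;
}

/* A command times out, the device answers later. Returns 1 if the buffer was
 * held across the timeout and freed exactly once, from shadow state. */
int timeout_scenario(void)
{
    struct cmd_ring r;
    ring_init(&r);
    int slot = submit_cmd(&r, 64);
    if (slot < 0) return 0;
    if (clean_ring(&r) != 0 || r.used != 1) return 0;   /* not done: keep it */
    hw_complete(&r, slot, 0x1000, 16);
    if (r.hw[slot].len == 64) return 0;   /* hw BD now carries the response */
    return clean_ring(&r) == 1 && r.used == 0;
}

/* Reclaim happens only once CLEAN_WORK slots are in use. Returns 1 on success. */
int threshold_scenario(void)
{
    struct cmd_ring r;
    ring_init(&r);
    for (int i = 0; i < CLEAN_WORK; i++) {
        int s = submit_cmd(&r, 32);
        if (s < 0) return 0;
        hw_complete(&r, s, 0x2000 + (uint64_t)i, 8);
    }
    if (r.used != CLEAN_WORK) return 0;   /* all done, none reclaimed yet */
    int s = submit_cmd(&r, 32);           /* crossing the threshold reclaims */
    int ok = (s == CLEAN_WORK && r.used == 1);
    hw_complete(&r, s, 0, 0);
    clean_ring(&r);
    return ok;
}

int main(void)
{
    printf("timeout scenario: %s\n", timeout_scenario() ? "ok" : "FAIL");
    printf("threshold scenario: %s\n", threshold_scenario() ? "ok" : "FAIL");
    return 0;
}
```

The model is single-threaded; the ring lock that the patch moves to the caller is represented only by the comment contract on submit_cmd() and clean_ring(). The point of the shadow BD is visible in timeout_scenario(): after hw_complete() the hardware BD's addr/len describe the response, and freeing from them would release the wrong thing, whereas sw_bd still holds the original pointer and size.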

Related Identifiers

CVE-2026-53300

Affected Products

Undefined