CVE-2024-56719

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: stmmac: fix TSO DMA API usage causing oops<br /> <br /> Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap<br /> for non-paged SKB data") moved the assignment of tx_skbuff_dma[]&amp;#39;s<br /> members to be later in stmmac_tso_xmit().<br /> <br /> The buf (dma cookie) and len stored in this structure are passed to<br /> dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that<br /> the dma cookie passed to dma_unmap_single() is the same as the value<br /> returned from dma_map_single(). However, by moving the assignment<br /> later, this is not the case when priv-&gt;dma_cap.addr64 &gt; 32 as "des"<br /> is offset by proto_hdr_len.<br /> <br /> This causes problems such as:<br /> <br /> dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed<br /> <br /> and with DMA_API_DEBUG enabled:<br /> <br /> DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]<br /> <br /> Fix this by maintaining "des" as the original DMA cookie, and use<br /> tso_des to pass the offset DMA cookie to stmmac_tso_allocator().<br /> <br /> Full details of the crashes can be found at:<br /> https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/<br /> https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/